Analysis Overview
SHA256
3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
Threat Level: Known bad
The file 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c was found to be: Known bad.
Malicious Activity Summary
Stealc
Glupteba
Glupteba payload
Socks5Systemz
DcRat
Windows security bypass
SmokeLoader
Lumma Stealer
Downloads MZ/PE file
Stops running service(s)
Creates new service(s)
Modifies Windows Firewall
Reads data files stored by FTP clients
Loads dropped DLL
Windows security modification
Reads user/profile data of web browsers
Executes dropped EXE
Unexpected DNS network traffic destination
UPX packed file
Deletes itself
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious behavior: LoadsDriver
Suspicious behavior: GetForegroundWindowSpam
Modifies system certificate store
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-22 04:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-22 04:48
Reported
2024-02-22 04:53
Platform
win7-20240221-en
Max time kernel
298s
Max time network
301s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Socks5Systemz
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 152.89.198.214 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9BE6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\736C.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2624 set thread context of 2276 | N/A | C:\Users\Admin\AppData\Local\Temp\9BE6.exe | C:\Users\Admin\AppData\Local\Temp\9BE6.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\82A9.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E1ED.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdbcgsh | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdbcgsh | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E1ED.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\E1ED.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdbcgsh | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0b8a6924a65da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E1ED.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\rdbcgsh | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\71A7.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\71A7.dll
C:\Users\Admin\AppData\Local\Temp\736C.exe
C:\Users\Admin\AppData\Local\Temp\736C.exe
C:\Users\Admin\AppData\Local\Temp\82A9.exe
C:\Users\Admin\AppData\Local\Temp\82A9.exe
C:\Users\Admin\AppData\Local\Temp\8F19.exe
C:\Users\Admin\AppData\Local\Temp\8F19.exe
C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
"C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp" /SL5="$60122,3536428,54272,C:\Users\Admin\AppData\Local\Temp\8F19.exe"
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
C:\Users\Admin\AppData\Local\Temp\A94F.exe
C:\Users\Admin\AppData\Local\Temp\A94F.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 128
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s
C:\Users\Admin\AppData\Local\Temp\D427.exe
C:\Users\Admin\AppData\Local\Temp\D427.exe
C:\Users\Admin\AppData\Local\Temp\E1ED.exe
C:\Users\Admin\AppData\Local\Temp\E1ED.exe
C:\Users\Admin\AppData\Local\Temp\45C.exe
C:\Users\Admin\AppData\Local\Temp\45C.exe
C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp
"C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp" /SL5="$201D2,4081152,54272,C:\Users\Admin\AppData\Local\Temp\45C.exe"
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp
C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\taskeng.exe
taskeng.exe {5CB69B68-B144-45D1-A502-65DD0B912653} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\rdbcgsh
C:\Users\Admin\AppData\Roaming\rdbcgsh
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222045201.log C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| MK | 95.86.30.3:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| AR | 190.195.60.212:80 | sjyey.com | tcp |
| RU | 152.89.198.214:53 | bffingb.com | udp |
| IT | 185.196.8.22:80 | bffingb.com | tcp |
| CA | 198.245.49.18:443 | N/A | tcp |
| DE | 185.220.100.247:9100 | N/A | tcp |
| DE | 46.4.57.75:8443 | N/A | tcp |
| FR | 212.47.233.86:9001 | N/A | tcp |
| N/A | 127.0.0.1:49926 | N/A | tcp |
| US | 8.8.8.8:53 | 952c015b-29fe-4100-8eb7-de4024b78447.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| FR | 212.47.233.86:9001 | N/A | tcp |
| DE | 46.4.57.75:8443 | N/A | tcp |
| IT | 185.196.8.22:80 | bffingb.com | tcp |
| N/A | 127.0.0.1:64211 | N/A | tcp |
| N/A | 195.154.104.174:9001 | N/A | tcp |
Files
memory/2940-1-0x0000000002E90000-0x0000000002F90000-memory.dmp
memory/2940-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2940-3-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/1224-4-0x0000000002D40000-0x0000000002D56000-memory.dmp
memory/2940-5-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71A7.dll
| MD5 | ec6878849a30cad1ddb5ab3ff4921124 |
| SHA1 | 0c1208b6d2e153352b8c4ccc345ff30281ab2af9 |
| SHA256 | 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639 |
| SHA512 | 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb |
memory/2596-14-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/2596-16-0x0000000000170000-0x0000000000176000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\736C.exe
| MD5 | 1996a23c7c764a77ccacf5808fec23b0 |
| SHA1 | 5a7141b167056bf8f01c067ebe12ed4ccc608dc7 |
| SHA256 | e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888 |
| SHA512 | 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23 |
memory/2596-21-0x00000000025A0000-0x00000000026C4000-memory.dmp
memory/2596-22-0x00000000026D0000-0x00000000027D8000-memory.dmp
memory/2596-25-0x00000000026D0000-0x00000000027D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\82A9.exe
| MD5 | 49608dbbd93509d8b380a26b95fd0e22 |
| SHA1 | c721e50cef31c20dabe7bda1ca711b72e42dcc8e |
| SHA256 | 324cd2784ee56feab35c1829b56618b75307ef261ac2e81ae0dc1860d630c4f8 |
| SHA512 | 4938f7c7aa505c1db4abb08025373d6ef5d9f57d4d5a74736ba840f319211480cb1138048bdf33043afd8769b2b7a658a6df66271318204bd0f90b242c488852 |
memory/2216-30-0x00000000008A0000-0x0000000001377000-memory.dmp
memory/2216-35-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2216-36-0x00000000008A0000-0x0000000001377000-memory.dmp
memory/2216-38-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2216-41-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2216-40-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-42-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2216-44-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2216-46-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2216-47-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2216-49-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2216-51-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2216-53-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2216-52-0x0000000077BD0000-0x0000000077BD1000-memory.dmp
memory/2216-55-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2216-60-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2216-59-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-58-0x0000000000170000-0x0000000000171000-memory.dmp
memory/1984-67-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2216-65-0x0000000000180000-0x0000000000181000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8F19.exe
| MD5 | e1a8ab826ea29f8f32a84cb4ca6f50a7 |
| SHA1 | 22a8acfbbc687f1b3ce9d717205eefae2e540df4 |
| SHA256 | e56159aa2ef592286e937eb698af2579aeb4868c43c11425b4d8f7b170cd6920 |
| SHA512 | ae7b1a19f680f9bba8dd0e858aeab387e852d299fa22f988137653856823c128ca0a38bb32f34d6b6bafce3e71206a39cb64ffd5fa728b086ed5c02a5a6ef91f |
memory/2216-72-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2216-73-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-74-0x0000000000190000-0x0000000000191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8F19.exe
| MD5 | 9d94c8a214ffdb9de808b00e61975da1 |
| SHA1 | b489adc10775fa35bdddbe0fa9c6dfb04eebfbaa |
| SHA256 | b9a90ead06412ea4e3c455d17f9f634c1fd1230586c30f138b05893debeabc2e |
| SHA512 | cb26cb3f5e0621d2425b0a0d56a1791e63d4afa4a51c4c9b7c3b3075c326ffba39f2d29cbce335debefe995e5f2f7fb0ae143f2fce5aff1fbe99df4dc42d6534 |
memory/2216-76-0x0000000000190000-0x0000000000191000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
| MD5 | 1ba055823154222509be8b1cb57f0d49 |
| SHA1 | a11bdd1f4106f1de2dd075801987965f97c5c2b2 |
| SHA256 | c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841 |
| SHA512 | 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a |
memory/2216-82-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2216-84-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2216-83-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-3UI2P.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2772-96-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2216-97-0x00000000001A0000-0x00000000001A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-3UI2P.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2216-105-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2216-107-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2216-106-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-130-0x00000000002B0000-0x00000000002B1000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | ff5a180388a510c6676371f4d9b2044a |
| SHA1 | 3f50ebf4b803f61b2510b431f6ed7d5515b38304 |
| SHA256 | 0feda44f964c38fd6ab029483e4928c448c4782573fd8f02748ea3a1ac3707df |
| SHA512 | e9758a4f715773545ae0a3d66e522e6581a15320d96cde7fa8cb50d575aca0bcee88da522264fbddd4389fe06f26a443cf68b391b1de283880266d471a41d9c5 |
memory/2216-140-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2772-147-0x00000000034E0000-0x0000000003816000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | c723d8f98ea6aee2a3bb9207c0ad0756 |
| SHA1 | 884b20e05dd3cf3e8eb77fcbeb261ecff629cd46 |
| SHA256 | 162364d752758e1743962ae44ad58cc0db546741dfa598536006b9f2b9dc7d7c |
| SHA512 | c1e225dde0cc6bb6d6a060023e9c0dff4da25ad0f0e6bb5df967bfe499e69d98618f8ed5c2f01c378540ce2a424ba6773521b7e0e57a5eada8dfe73e744f350f |
memory/2216-137-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/1720-150-0x0000000000400000-0x0000000000736000-memory.dmp
memory/2216-149-0x00000000002C0000-0x00000000002C1000-memory.dmp
\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 344a760c2777f4bf07311fb956f11685 |
| SHA1 | 12bda6db311abef44838f5479fedb3e95e77bb59 |
| SHA256 | 37806ba861d54958d091c7ea286dcf8082d29c6966ecadf5bcfc5e19e02b5ae5 |
| SHA512 | 6e5598ac49ca7bbc85e212fb49bb74301a8e5ef3c7ab9b520af3cd28236398900d934a7375c9bd7262d3cc5a43fc60a4a8ae38d97e31bd8e853e1c587bf3eb74 |
memory/2216-136-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2216-152-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2596-153-0x0000000010000000-0x00000000101A5000-memory.dmp
memory/2216-155-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-161-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
| MD5 | 4747e2f3642706b27dfbc28a301a89ad |
| SHA1 | f208fdc35cf02083029dac18df73776540647c00 |
| SHA256 | 1696262dd12b5ed1460b9dd25376f8ce55cae2f1bbb555387d8496fb0edabcac |
| SHA512 | 4db4fffa3701935fa3b9843f5a972e31fcb3f223bd04f8662aa14aa644368c0c9371274e035820eb08c2aa1f8581b6d9bc05d98c3bbe154b0a6489a504f2a4dc |
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
| MD5 | 119a178d50840d09c06731afe3dc119e |
| SHA1 | 790e2491c68639c0b1899f57be2f13b40745b446 |
| SHA256 | d4805a4f0f69a0bb524f38cbd9b7bafcef591be20dcbcf759c6137e21e3c02bf |
| SHA512 | 1a3fcf4edc07597a31219726a1671aeec13c5d11d929672d128b4373b54ad271c4a43d46d477c33cb75f6301b93762aee6a4afb0d1ae39904ae04a555071ea38 |
memory/1984-172-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2216-178-0x0000000077BD0000-0x0000000077BD1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9BE6.exe
| MD5 | 6f6acad159c227395d99e3e777afe1bf |
| SHA1 | c50b629119f2a842f5926d1be2886a502bdae0f9 |
| SHA256 | 9c69bc44be42ab3766f48caf1de6b7ef8ee6849453e08af589b5879d8421ff08 |
| SHA512 | bdc7dfa1c78f11d66ce49ababb5f61e78514a8b7cfd4a0e0859d628d3ac92f8887a4b73eb80e99a9b75eb4e06b64455dcae05f47f0afc58a17a050af45b5dc67 |
\Users\Admin\AppData\Local\Temp\9BE6.exe
| MD5 | 147f5f5bbc80b2ad753993e15f3f32c2 |
| SHA1 | 16d73b4abeef12cf76414338901eb7bbef46775f |
| SHA256 | 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990 |
| SHA512 | 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6 |
memory/2624-175-0x0000000004900000-0x0000000004AB7000-memory.dmp
memory/2624-173-0x0000000004740000-0x00000000048F8000-memory.dmp
memory/2276-188-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2216-190-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2276-194-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2772-199-0x00000000034E0000-0x0000000003816000-memory.dmp
memory/2216-200-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A94F.exe
| MD5 | 072dbb69fe6ddfdadbd663f3b792b9a9 |
| SHA1 | de348487969deca900b9162b4cc2cc7fb2666f6b |
| SHA256 | 97b30cb95b924b30f6b143f5555c9fca7453249a8dad6f625eede036e57c7041 |
| SHA512 | a4a5806345c3f6db94a8c4f66e58851e9176336b9d0fc16c2b9004271390e196f822bac187745da119ea78db277a70a8f31f644365cc35ad717a5bab56102c39 |
C:\Users\Admin\AppData\Local\Temp\A94F.exe
| MD5 | 835c882e0af6ca0ed24c23c46b1a26f2 |
| SHA1 | 1b042d777ce1a563585b746e176e00567d7da273 |
| SHA256 | 943c8fb5f44cf04f77b5734a0027f50f1251e2baefdaf4a331d7f9773e9e99a2 |
| SHA512 | 78b116ca9c150ebd2fe0d2350d67412b8f6b36cd5b11de85e2731ba56b310094ea4bbd9ebca0c966013dddec8c37e559ffdfd9f77dc939439a2d75307502f083 |
memory/2216-210-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
\Users\Admin\AppData\Local\Temp\71A7.dll
| MD5 | 18926f85c5bc4e9e96f9bebfeaf6dd5d |
| SHA1 | 329ced720e2c377f036887dc5412ecfbf6a460fc |
| SHA256 | 6b4b2b13978c408a6a9fd29e47efbe62cd02cc34b2043307b3111d1d4a55e5c4 |
| SHA512 | 9f8ff747f8f61bc078ce45fedf259fc03ff0b99ef895bc4228b70e83a8b3903a3a73829ea260a78f18b11c48ee9fc8f9dfe468f3a8c57c82651906a3b784a39f |
memory/1720-217-0x0000000000400000-0x0000000000736000-memory.dmp
memory/2276-219-0x0000000000260000-0x0000000000266000-memory.dmp
memory/2216-222-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-228-0x0000000077BCF000-0x0000000077BD0000-memory.dmp
memory/2216-231-0x0000000000340000-0x0000000000341000-memory.dmp
memory/1720-232-0x0000000000400000-0x0000000000736000-memory.dmp
\Users\Admin\AppData\Local\Temp\82A9.exe
| MD5 | c14e37b962abf0187890ecaf1e9ba297 |
| SHA1 | 5eb4051bec82052a52560b75d946623b522c0ace |
| SHA256 | 645cd7d7d72740e02fa0660a6961e6e68f7de68a002dd2f0e26e9ffa622526bb |
| SHA512 | a095eada15b74b8af35ce1741cc29fb8a288ec4445b486c1e6d8e8b3f0642d54786b4fd842cff1a118ca16724e88ecfc4d063727052923ff03615a42071fffbe |
\Users\Admin\AppData\Local\Temp\82A9.exe
| MD5 | 0d5f374fa1c2fac7376928989cfea6f0 |
| SHA1 | 46ed00f7c83da010550b837d6707e8fe1daa4624 |
| SHA256 | e048e1f884d872128067c35dc1662077111eae7f8af502159a018ffa3588033a |
| SHA512 | 7693b6827301313093780c46823d59e314461875e3f90dad298dee8302f61a8aa7efc1aa345ad84df91e29594410eac49c60bc138c4ee3df7b88519e6f5fa83a |
\Users\Admin\AppData\Local\Temp\82A9.exe
| MD5 | 3e20597b095b7a9ec311e3b400b7de46 |
| SHA1 | b491811b3f8ba87355a5bd9f62f92a8d3ad38065 |
| SHA256 | 0ea117f712e73b4df98604e93f3f9996b83cee2a4691b3da4ac9db8f20ddd5dc |
| SHA512 | 9d9690bc075e8a569a6aa0fed91a14cdd2def622787eb533fd00c51018ba9d9e96d48409358f76490c839f2f731cb6f718ceb414b3e0de694640513065ced202 |
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | bb486db60f46546a48a5f1aae6e0827a |
| SHA1 | 7b42ffca2385ecc9d4cc78c65c7c2523a57be083 |
| SHA256 | fb5fb059056015482a4a26e724534a6145b393eff15d88d3cd7646d0ad6f500f |
| SHA512 | e788127b8d3e12b598a25eedecef7ed66b1f4fc24ac2fa16c7cb467369d087441c1405876a7a8e4a881785389e65b1af628dd4a43d9137a097147ed594499d53 |
memory/1720-240-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 3b66557b08111e0f88d2929a0f912d54 |
| SHA1 | 395d4d43ffb7de91181c2def0ca7df444ba7d20f |
| SHA256 | d9ff5549256d46c3befb517124b8b650c466572242be5066be76f6628083829d |
| SHA512 | e809231114bdfb6591faaf0b8442911bc6838c67d78483168de20c21dc754ff0bb681f0b4083900f7c33d69f011b421476bbde6cdb7b0eb63668974ba2afbabd |
memory/1664-244-0x0000000000400000-0x0000000000736000-memory.dmp
memory/2276-245-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1664-250-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D427.exe
| MD5 | 6337ae180de93ab9d39151602bf74bbf |
| SHA1 | 8d52f389699d4e1601ccbbec82fd620e75a7ada2 |
| SHA256 | 7f7955c19aad191a94fdb51d950b1b98bb66a9fcf9f086c4acc8154621dc212e |
| SHA512 | 34c061ee4b93e74ea37a49ae187849da81684fb26ef14f9d08be6bb9fbcade0f1e76d50b492d7b675cdfd7778d18f075bfe4c4fabbbe271bd41e6ec5aa2877cf |
C:\Users\Admin\AppData\Local\Temp\D427.exe
| MD5 | 0866b1a679c5089c802afca72bb3a57f |
| SHA1 | 2a2810c95ebebfb258947574c3eb1089a606a118 |
| SHA256 | 50a8268fd89cba268a210c6f96ac6f342dbcd7b988ab6498c2df9e608097b02a |
| SHA512 | ed3c22ace7add1e7d374b44a49c28969cb49c83459652955415d5d3eac26d43d63bf8720cb86536f29a3f9e44f7f3b352d4376112e6484ff3cf262e6ec057a66 |
memory/2840-256-0x0000000001200000-0x0000000001AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E1ED.exe
| MD5 | 3dd02e3a7d6552f6312e29bc4189c06a |
| SHA1 | c52bb026df26445a1e4ccf66baf61d99ecd1ff8a |
| SHA256 | cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70 |
| SHA512 | 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485 |
memory/2840-264-0x00000000738D0000-0x0000000073FBE000-memory.dmp
memory/2000-268-0x00000000002A0000-0x00000000002AB000-memory.dmp
memory/2000-270-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/2000-271-0x0000000002DB0000-0x0000000002EB0000-memory.dmp
\Users\Admin\AppData\Local\Temp\82A9.exe
| MD5 | 6ac48873f3053963255fd1c9bfa6fc52 |
| SHA1 | 385f778fb0abf8b2fb3699940b192e0c02d454cc |
| SHA256 | 8b0ee35ed3d795c078ca345cf7007489bde9a9ef358318bfb39f8809707930da |
| SHA512 | dff1e929775f9d9cd797d84cb95b1d6ed5ec2d3b4b44128eab76ce186a16c3090d48965b83a979a3c99f0bfa4174ca150d3bc59778c6cdd334da66efed405d24 |
C:\Users\Admin\AppData\Local\Temp\45C.exe
| MD5 | dd5a32a7f2fab74f19a49e2c37798ab8 |
| SHA1 | 925b6abd47bfe2ee9cfa3aa06702cc38779c6f4d |
| SHA256 | f087a526570e1c5af6ec0cf3a6b30ef13a0d1cbb49ad25353b00a7f9860053ac |
| SHA512 | 397004ede888de708b751aa6ffb1309d48ed8e0048f40e64d4666d9361bee967003cb6a9ad438f671b2117701f3e6e1997487f498e0d1a67af93cd2d1e7ec705 |
C:\Users\Admin\AppData\Local\Temp\45C.exe
| MD5 | 4ccae7375cb42d61a39b54ba85c7b496 |
| SHA1 | a77211f398f4bd7aa1c2d25a5126a8998c3e6768 |
| SHA256 | 1ea4758e2af060bf5a0923a6a6cdbbb41a26a8c91b125135773438267ad7658f |
| SHA512 | 4ab5fea2dc4c2d072f84572826f7782fb655a86aa1592e170f1a9b3bca617cb2326ba7275ec4da12c32cb0f90091b439165cb19cde735408b1e9e88bc7440f19 |
C:\Users\Admin\AppData\Local\Temp\45C.exe
| MD5 | 562599d4dd56fc758c0698e17200e7a7 |
| SHA1 | 39e8dc6c69406658b312ec71cbbbcc16d62e50de |
| SHA256 | 2a4b7e8b4a51d6dc7ddd3ffb49fe8424c2112b461892f8853171d69037081d69 |
| SHA512 | d5bf4bea1bb1a2f4d9dabb9554719be681563dd0325a8e95facfc0b6c81bf22b0d241ab9b446a87a08d65368913e0b928f313c5693930602e7eb90d5341d4ad4 |
memory/2344-293-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2000-294-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp
| MD5 | b11909d5e4e08b1a6da220eca474d49f |
| SHA1 | b42582ab65d400f3450907ddc0857092c4daa4a8 |
| SHA256 | 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff |
| SHA512 | 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab |
memory/2288-315-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-1BB56.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
\Users\Admin\AppData\Local\Temp\is-40U8B.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | fc38310973cf92ef5d0eaf23758c5420 |
| SHA1 | f67e38d66151d77eb528dd37e9c492dfeb913011 |
| SHA256 | b2ae25d2170d4ddc0ca6f24766a5a11a82d92c48b33e3f7ddc39f5252cf7f73b |
| SHA512 | a041e229870805a1128582fd32fa83b1fccb8c750535ff29a903a1adf8962a412b0719f260033d9bf5b9e9c389a28b148837687441919f226b324ff69d98c77a |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 003c4a6cb61927efc72075cf82eb01be |
| SHA1 | a99a44c6408c27aea06815df86363b33f811f852 |
| SHA256 | 9fa5ede9244c2e90dd3170b8181744aad307c2dae70f4a95881a3e0f99a061fc |
| SHA512 | 345e66fd8b959aa1daeaac3fdf139ffe084115e64f3e98108b6069c6d2d4927cfdd79d9045f8b5b92b5800c9cb72025223154991ec691494a66f629fa8aabc3f |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 89848a95cf00ff11f64f2f17b36cf096 |
| SHA1 | 0b457b1790674539c7c8309ef7ed1c9751fbfdbb |
| SHA256 | 8d585e24302b62dc845fa00622dc2486f2927a4307f780096cbf049bb7d4d4c9 |
| SHA512 | 8ccdb4cb7359c5b3c73621a7ff556432a412fe7b9b3cc998312f80f11de3b3c2321c2f200bf13d56fec0829512a9b8caa031d8ccae04ab47dd01af8192fc87ab |
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 4b0c012a59404fe817f1f6b79b83aa74 |
| SHA1 | 645324aa66bc9b7b7074d6d0be8f917e05e0095e |
| SHA256 | 9f982dd9649c268011003f805c41db3d2e1df629aefd9c35724626c87bae8f44 |
| SHA512 | 8821467c4fc3768ecc6d86e8e1c8e9261a9b0d3baed0ebe85bb0b36bf884657dbdf5a24b481cfec21408cddcf39db3746248c7edce3627bda07cbf3b44aaf56a |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 8964d20ad832e50ab1ebeeb4896f00ca |
| SHA1 | fb2406a9d3066349937987a87f67253d0e82a87a |
| SHA256 | 17947e1227e767b6ddd00884eab28ecaffc7c97591a141912c12f165733a673c |
| SHA512 | 50e5554a1d9329d22894e9693231aff91ebdc87964fd3d69b633b0265273242b31c4cad25d674fb6acd823ff0996136d6f96a4851cd2850917c99d309c267366 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 4626175ba0623cc4880048b3ae8d8031 |
| SHA1 | f7ef48364340de4aa3602ab4eb2fa046b88d3b26 |
| SHA256 | 172ae6a6a9f1e4b95d037c612ed5214497eee330bb4b9261148ec39cf6f43c36 |
| SHA512 | 3895eeec818b8b8ba966a21f00d1a4da6350ada9749ff35bc337d50c7daabe72f368d756d8eecf3526cd4890374901a0cefcb4f27c8b2ebcf6818bb451c6ecd9 |
memory/2740-349-0x0000000002B50000-0x000000000343B000-memory.dmp
memory/2740-350-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2740-346-0x0000000002750000-0x0000000002B48000-memory.dmp
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b29cd31f15d37cebbe2804adc62ce2e9 |
| SHA1 | e036f370e3b9a849609823c1cf295c07968b91a0 |
| SHA256 | 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2 |
| SHA512 | 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | ec4d8aac8488a649f67226d75195dc37 |
| SHA1 | f7ec802e35df103763914c8f4f2dd4ae6ed2e630 |
| SHA256 | 48f86f927f57af901b0151176d45425f1d2b65dc61df150d2ad05c77cf15660f |
| SHA512 | 234bd4cd0e1712f99296ef0a4340d994864843238ce8b58a0c7bb8184f7b711e0c1aea9ad23b6f1479fe9dcadd4bf6a4f2182bfbbfde312cd683b4f9c519b8af |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | b13e7afed63a0124c4a11def76536012 |
| SHA1 | 935fb2c98361f6f0bea9b214d1995d8d405acfbd |
| SHA256 | edd5213e9d59e8ca71a2563f2bfbbc903a16830630f4d3ffe1ab19a7c0e03306 |
| SHA512 | dde6e74644a35009d267ae0e10b440d4ec90c911108f04bbe634c5766500cd26c29fed0b9a00211ed298b19010d4174ec0c71278b39c5db5cfd74b19de741179 |
\Users\Admin\AppData\Local\Temp\nso1DFD.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2840-363-0x00000000738D0000-0x0000000073FBE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | df5467f5507da73eec6838c209fdd2fc |
| SHA1 | 2cdc2f5eceaede0dc87493187c1caff51ab61a53 |
| SHA256 | 54fbd7979fab9d25b55aa67dfc1e532bac8d62638d9363603213d385bcb7aa15 |
| SHA512 | 3badb2bfff5db281e9d01667eb2f82b1c3a842cc5589cbfe2fbc9bb0dcca8f29412d0e5139b75430373297885d16bd1b0ec96cc1107bf347414562cdfa4bf476 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | cda03a2814a5374a41390ea28da94400 |
| SHA1 | 846cd8dc546accdba445aa724b5a8ebf240d46a1 |
| SHA256 | e0d1d7cae3c1c4cb2860839e59d068e1b4890ff173d4e6024f8e0bb6b30c112d |
| SHA512 | 6089aa7e78ab8bf28134b366fec3c13c87ae0aa706ae1f86075de608fd567674ac1517d29f3b2e0d4dff2886afa3fad58cd7a570561c2602222188362d458d2c |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 930c01374aef1f140168059d062e1637 |
| SHA1 | 1dd2d3fb415bb36852c700b68a34194552b305e0 |
| SHA256 | 13fcd3bbcf047c57995083501db7c0aaaf9a429931b918a9001cb2b7c51f8214 |
| SHA512 | 8cce9edbf63f9478df0daab3e5121d6c94aa443ac8f7ba2c1d85a87e4110ce527bc02e3f0891b55f34e239cde7a8877eaf58a298874cbdcbb3b08fa63ae674e1 |
memory/2704-367-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp
| MD5 | 1d264333dd61f6b795e8b5583203ff9e |
| SHA1 | 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6 |
| SHA256 | 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2 |
| SHA512 | d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7 |
memory/2844-401-0x0000000002E10000-0x0000000002F10000-memory.dmp
memory/2844-402-0x0000000000220000-0x0000000000254000-memory.dmp
memory/2844-403-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/1664-404-0x0000000000400000-0x0000000000736000-memory.dmp
memory/1664-418-0x0000000000400000-0x0000000000736000-memory.dmp
memory/1720-439-0x000000001B490000-0x000000001B772000-memory.dmp
memory/2344-438-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1720-440-0x0000000001DE0000-0x0000000001DE8000-memory.dmp
memory/1720-441-0x00000000027C4000-0x00000000027C7000-memory.dmp
memory/1720-442-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp
memory/1720-445-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp
memory/1720-451-0x00000000027CB000-0x0000000002832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | d5ac8347ec7fe6b3267af60cf71255a7 |
| SHA1 | f8258729ec532f3161b0affd5082fbb5b194805d |
| SHA256 | ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27 |
| SHA512 | 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296 |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 527892d24e299272a39583fe739ec0af |
| SHA1 | 4cf673bd3bf661962136fe49435ec3188a9ba0e6 |
| SHA256 | 525509489b7a77dd42523f6aef3aaa90577aa50f0e032ce320c9de3563dcf9a2 |
| SHA512 | 0bf75b3a5d431b3653be862904ebcdaf5345d2200036b0fd57919062aa9258299010040baf3606d6ebce28e40ba63ac6b2b03380bd49417ef524864143577a68 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 8bbd17268553afbc04023cc63aef85eb |
| SHA1 | a8f53690f84ce08aae9743517f4596eae4bbd7fc |
| SHA256 | 3ce243722a96761fa4e0a144aec00bd2c59164a41711e35f150fccc7cfc6c496 |
| SHA512 | c421e2a960bcc572c87007e1f0780c05f7121a7623f7e1cc8c06b18d005e699a57d77a7fd57bec30bb5913effa9c3e57b34a597f75079716278e845dd594dbaa |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | f35939be721e0d38e4ab57965311694b |
| SHA1 | 39daa2054d6591e6802db5e168930c56013ce2dd |
| SHA256 | 49c8acc88a566de72465addf1d462e99af855ecd54d2a96ea89372ad3371682c |
| SHA512 | 4b10bf68a8c832436107c63aecee845402748dda2e898e6bd9d8bf7d0bede1b83733b9342d6139359d358c967f42c79df0d61346f5d6ea90b906b0ad41be5a64 |
memory/2616-470-0x0000000019E30000-0x000000001A112000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 5139053d024a9da330ff0e32a495a045 |
| SHA1 | 96abc8f721e48e6b6c9e3525a8937a3475722401 |
| SHA256 | f7eeaeb642f4e3b5403d71ca019f7e9d8483aa4d53b8bbd77501ae3d2d8aa9cf |
| SHA512 | 20a0c673f82dc7cc918300e6ffb9384b9e2fa3a3f2cc866421de6e426ca1a26922a381722c385cdcb9b703570b11bfbbcce0c4ba5146d6afc13ede6203fcf95a |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Roaming\rdbcgsh
| MD5 | beea0c962def411b794fe5fd33f4e5b9 |
| SHA1 | 2c4743812c810d05d42ab11bb9beda423bdd7d2a |
| SHA256 | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c |
| SHA512 | bfff88b479bf97ad6878f1c90197263d9c0cc9485eda0ba5f9ef5bf39b0f02e3236ee31e7ac581348da5497e805cff56853965797b778e01a73c852f6479c6ac |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 405fe91c736dfd5d67770881bb147272 |
| SHA1 | be8f088b303dc625dbecad44264bdf4a7ee8c691 |
| SHA256 | 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c |
| SHA512 | 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | f64d53ca3c3cde35f3f37619d4bddbe2 |
| SHA1 | 43d7b4d48e54c24e83f819f02d1d4f2c79293202 |
| SHA256 | 267078352f349687ef4e8bb4faf28d1be0751e649525f4a4aac36103bdcb8c04 |
| SHA512 | c78ccd2cd756be518883987ad0cc2aecb85dc1260b4da38eeed4f15712f4c4bde5630ef0ab5a9b7e89e86d4f40fff2ac15805b5ed9feec4d616ebaeb84121b2b |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 170d66f9d75e64f50a295116ca704c25 |
| SHA1 | db0854fd1c8c705d62411aa8f13be7d2ebe2e476 |
| SHA256 | f6de5ced2a6adeb6c8422030a373c0a25756c5c79c5b066d9999a03ad9c04fd7 |
| SHA512 | d51b5ae12e52adf56941e8c4fadedaa6683fc013f6aa6a8c431db72fbf882d74ae75a940f53e7b793bf11e0740cc68eee3715e33eb526c4bdef42b51b74062c9 |
C:\Users\Admin\AppData\Local\Temp\Cab93AA.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar94F4.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-22 04:48
Reported
2024-02-22 04:53
Platform
win10-20240221-en
Max time kernel
113s
Max time network
305s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\47E5.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Socks5Systemz
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\47E5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 45.155.250.90 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\47E5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\2641.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4600 set thread context of 4292 | N/A | C:\Windows\System32\Conhost.exe | C:\Users\Admin\AppData\Local\Temp\47E5.exe |
| PID 3976 set thread context of 4636 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\system32\conhost.exe |
| PID 3976 set thread context of 2340 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\sjcrrev |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\47E5.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe
"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\249A.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\249A.dll
C:\Users\Admin\AppData\Local\Temp\2641.exe
C:\Users\Admin\AppData\Local\Temp\2641.exe
C:\Users\Admin\AppData\Local\Temp\3219.exe
C:\Users\Admin\AppData\Local\Temp\3219.exe
C:\Users\Admin\AppData\Local\Temp\3D26.exe
C:\Users\Admin\AppData\Local\Temp\3D26.exe
C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp" /SL5="$8007A,3536428,54272,C:\Users\Admin\AppData\Local\Temp\3D26.exe"
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i
C:\Users\Admin\AppData\Local\Temp\47E5.exe
C:\Users\Admin\AppData\Local\Temp\47E5.exe
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s
C:\Users\Admin\AppData\Local\Temp\47E5.exe
C:\Users\Admin\AppData\Local\Temp\47E5.exe
C:\Users\Admin\AppData\Local\Temp\4FF5.exe
C:\Users\Admin\AppData\Local\Temp\4FF5.exe
C:\Users\Admin\AppData\Local\Temp\7715.exe
C:\Users\Admin\AppData\Local\Temp\7715.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\7EF6.exe
C:\Users\Admin\AppData\Local\Temp\7EF6.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\9D3D.exe
C:\Users\Admin\AppData\Local\Temp\9D3D.exe
C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp
"C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp" /SL5="$B02DE,4081152,54272,C:\Users\Admin\AppData\Local\Temp\9D3D.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Roaming\tdcrrev
C:\Users\Admin\AppData\Roaming\tdcrrev
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Roaming\sjcrrev
C:\Users\Admin\AppData\Roaming\sjcrrev
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 476
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 42840
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 104.21.10.242:443 | | tcp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| BA | 185.12.79.25:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| RU | 213.158.31.231:22711 | | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| UA | 62.216.54.29:9001 | | tcp |
| DE | 185.220.101.206:30206 | | tcp |
| FR | 46.105.227.109:443 | | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| US | 147.135.64.217:443 | | tcp |
| AT | 86.59.21.38:443 | | tcp |
| US | 8.8.8.8:53 | 217.64.135.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.21.59.86.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| CA | 149.56.38.170:9001 | | tcp |
| DE | 144.76.43.199:9001 | | tcp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 199.43.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.38.56.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 251.39.40.211.in-addr.arpa | udp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| KR | 211.40.39.251:80 | sjyey.com | tcp |
| DE | 144.76.43.199:9001 | | tcp |
| CA | 149.56.38.170:9001 | | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| NL | 51.15.89.13:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 13.89.15.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ferexzews.bg | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ferexzews.bg | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | myybhee.cem | udp |
| US | 8.8.8.8:53 | myybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | jbcebs-blumzo.de | udp |
| US | 8.8.8.8:53 | jbcebs-blumzo.de | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | greupluzbr.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | greupluzbr.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | e-mbol.cem.jr | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | e-mbol.cem.jr | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ferexzews.bg | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sju.plkcfs.edu.hk | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | sju.plkcfs.edu.hk | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | embol.cem | udp |
| US | 8.8.8.8:53 | embol.cem | udp |
| US | 8.8.8.8:53 | cbsozjerbcjove.cem | udp |
| US | 8.8.8.8:53 | cbsozjerbcjove.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujekumpu.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | eujekumpu.cem | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | bkybkbgrup.cem | udp |
| US | 8.8.8.8:53 | bkybkbgrup.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bmebole.jj.blbckberry.cem | udp |
| US | 8.8.8.8:53 | bmebole.jj.blbckberry.cem | udp |
| US | 8.8.8.8:53 | bsjbbeys.edu.jj | udp |
| US | 8.8.8.8:53 | bsjbbeys.edu.jj | udp |
| US | 8.8.8.8:53 | chzezergy.cem.cz | udp |
| US | 8.8.8.8:53 | chzezergy.cem.cz | udp |
| US | 8.8.8.8:53 | 363.cem | udp |
| US | 8.8.8.8:53 | 363.cem | udp |
| US | 8.8.8.8:53 | fujurebroghj.cem.jr | udp |
| US | 8.8.8.8:53 | fujurebroghj.cem.jr | udp |
| US | 8.8.8.8:53 | bp.cem | udp |
| US | 8.8.8.8:53 | myybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | jbcebs-blumzo.de | udp |
| US | 8.8.8.8:53 | ybhee.cem.hk | udp |
| US | 8.8.8.8:53 | greupluzbr.cem | udp |
| US | 8.8.8.8:53 | e-mbol.cem.jr | udp |
| US | 8.8.8.8:53 | sju.plkcfs.edu.hk | udp |
| US | 8.8.8.8:53 | eobs.erg | udp |
| US | 8.8.8.8:53 | embol.cem | udp |
| US | 8.8.8.8:53 | cbsozjerbcjove.cem | udp |
| US | 8.8.8.8:53 | eujekumpu.cem | udp |
| US | 8.8.8.8:53 | bkybkbgrup.cem | udp |
| US | 8.8.8.8:53 | ab4b5d12-7209-4f8c-b886-5578dd04dd60.uuid.statsexplorer.org | udp |
| SE | 45.155.250.90:53 | bozrhoc.com | udp |
| IT | 185.196.8.22:80 | bozrhoc.com | tcp |
| US | 8.8.8.8:53 | 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.a.5.a.f.b.9.d.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | 96.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.8.196.185.in-addr.arpa | udp |
| N/A | 127.0.0.1:50033 | | tcp |
| US | 8.8.8.8:53 | server4.statsexplorer.org | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| JP | 74.125.27.12:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 12.27.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.23.21.104.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| N/A | 127.0.0.1:32233 | | tcp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| N/A | 127.0.0.1:32233 | | tcp |
| N/A | 127.0.0.1:32233 | | tcp |
| N/A | 127.0.0.1:32233 | | tcp |
| N/A | 127.0.0.1:32233 | | tcp |
| N/A | 127.0.0.1:51545 | | tcp |
| N/A | 127.0.0.1:51550 | | tcp |
| N/A | 127.0.0.1:51554 | | tcp |
| N/A | 127.0.0.1:51559 | | tcp |
| N/A | 127.0.0.1:51562 | | tcp |
| N/A | 127.0.0.1:51567 | | tcp |
| N/A | 127.0.0.1:51574 | | tcp |
| N/A | 127.0.0.1:51576 | | tcp |
| N/A | 127.0.0.1:51579 | | tcp |
| N/A | 127.0.0.1:51585 | | tcp |
| N/A | 127.0.0.1:51588 | | tcp |
| N/A | 127.0.0.1:51592 | | tcp |
| N/A | 127.0.0.1:51595 | | tcp |
| N/A | 127.0.0.1:51601 | | tcp |
| N/A | 127.0.0.1:51606 | | tcp |
| N/A | 127.0.0.1:51610 | | tcp |
| N/A | 127.0.0.1:51613 | | tcp |
| N/A | 127.0.0.1:51618 | | tcp |
| N/A | 127.0.0.1:51621 | | tcp |
| N/A | 127.0.0.1:51623 | | tcp |
| N/A | 127.0.0.1:51626 | | tcp |
| N/A | 127.0.0.1:51630 | | tcp |
| N/A | 127.0.0.1:51636 | | tcp |
| N/A | 127.0.0.1:51638 | | tcp |
| N/A | 127.0.0.1:51643 | | tcp |
| N/A | 127.0.0.1:51652 | | tcp |
| N/A | 127.0.0.1:51655 | | tcp |
| N/A | 127.0.0.1:51657 | | tcp |
| N/A | 127.0.0.1:51661 | | tcp |
| N/A | 127.0.0.1:51663 | | tcp |
| N/A | 127.0.0.1:51671 | | tcp |
| N/A | 127.0.0.1:51674 | | tcp |
| N/A | 127.0.0.1:51677 | | tcp |
| N/A | 127.0.0.1:51681 | | tcp |
| N/A | 127.0.0.1:51685 | | tcp |
| N/A | 127.0.0.1:51689 | | tcp |
| N/A | 127.0.0.1:51692 | | tcp |
| N/A | 127.0.0.1:51698 | | tcp |
| N/A | 127.0.0.1:51702 | | tcp |
| IT | 185.196.8.22:80 | bozrhoc.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| N/A | 127.0.0.1:51709 | | tcp |
| N/A | 127.0.0.1:51712 | | tcp |
| N/A | 127.0.0.1:51715 | | tcp |
| N/A | 127.0.0.1:51721 | | tcp |
| N/A | 127.0.0.1:51729 | | tcp |
| N/A | 127.0.0.1:51733 | | tcp |
| N/A | 127.0.0.1:51736 | | tcp |
| N/A | 127.0.0.1:51741 | | tcp |
| N/A | 127.0.0.1:51744 | | tcp |
| N/A | 127.0.0.1:51747 | | tcp |
| N/A | 127.0.0.1:51751 | | tcp |
| N/A | 127.0.0.1:51754 | | tcp |
| N/A | 127.0.0.1:51756 | | tcp |
| N/A | 127.0.0.1:51764 | | tcp |
| N/A | 127.0.0.1:51767 | | tcp |
| N/A | 127.0.0.1:51773 | | tcp |
| N/A | 127.0.0.1:51777 | | tcp |
| N/A | 127.0.0.1:51780 | | tcp |
| N/A | 127.0.0.1:51789 | | tcp |
| N/A | 127.0.0.1:51793 | | tcp |
| N/A | 127.0.0.1:51797 | | tcp |
| N/A | 127.0.0.1:51803 | | tcp |
| N/A | 127.0.0.1:51807 | | tcp |
| N/A | 127.0.0.1:51810 | | tcp |
| N/A | 127.0.0.1:51813 | | tcp |
| N/A | 127.0.0.1:51817 | | tcp |
| N/A | 127.0.0.1:51820 | | tcp |
| N/A | 127.0.0.1:51825 | | tcp |
| N/A | 127.0.0.1:51830 | | tcp |
| N/A | 127.0.0.1:51832 | | tcp |
| N/A | 127.0.0.1:51838 | | tcp |
| N/A | 127.0.0.1:51842 | | tcp |
| N/A | 127.0.0.1:51845 | | tcp |
| N/A | 127.0.0.1:51850 | | tcp |
| N/A | 127.0.0.1:51854 | | tcp |
| N/A | 127.0.0.1:51860 | | tcp |
| N/A | 127.0.0.1:51866 | | tcp |
| N/A | 127.0.0.1:51868 | | tcp |
| N/A | 127.0.0.1:51870 | | tcp |
| N/A | 127.0.0.1:51872 | | tcp |
| N/A | 127.0.0.1:51876 | | tcp |
| N/A | 127.0.0.1:51879 | | tcp |
| N/A | 127.0.0.1:51886 | | tcp |
| N/A | 127.0.0.1:51894 | | tcp |
| N/A | 127.0.0.1:51897 | | tcp |
| N/A | 127.0.0.1:51900 | | tcp |
| N/A | 127.0.0.1:51906 | | tcp |
| N/A | 127.0.0.1:51909 | | tcp |
| N/A | 127.0.0.1:51912 | | tcp |
| N/A | 127.0.0.1:51916 | | tcp |
| N/A | 127.0.0.1:51919 | | tcp |
| N/A | 127.0.0.1:51921 | | tcp |
| N/A | 127.0.0.1:51927 | | tcp |
| N/A | 127.0.0.1:51932 | | tcp |
| N/A | 127.0.0.1:51937 | | tcp |
| N/A | 127.0.0.1:51940 | | tcp |
| N/A | 127.0.0.1:51943 | | tcp |
| N/A | 127.0.0.1:51947 | | tcp |
| N/A | 127.0.0.1:51955 | | tcp |
| N/A | 127.0.0.1:51958 | | tcp |
| N/A | 127.0.0.1:51962 | | tcp |
| N/A | 127.0.0.1:51970 | | tcp |
| N/A | 127.0.0.1:51972 | | tcp |
| N/A | 127.0.0.1:51975 | | tcp |
| N/A | 127.0.0.1:51979 | | tcp |
| N/A | 127.0.0.1:51981 | | tcp |
| N/A | 127.0.0.1:51984 | | tcp |
Files
memory/4768-1-0x0000000002ED0000-0x0000000002FD0000-memory.dmp
memory/4768-2-0x00000000001F0000-0x00000000001FB000-memory.dmp
memory/4768-3-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/3360-4-0x00000000007C0000-0x00000000007D6000-memory.dmp
memory/4768-5-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\249A.dll
| MD5 | ec6878849a30cad1ddb5ab3ff4921124 |
| SHA1 | 0c1208b6d2e153352b8c4ccc345ff30281ab2af9 |
| SHA256 | 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639 |
| SHA512 | 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb |
memory/2300-14-0x00000000005D0000-0x00000000005D6000-memory.dmp
memory/2300-16-0x0000000010000000-0x00000000101A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2641.exe
| MD5 | 1996a23c7c764a77ccacf5808fec23b0 |
| SHA1 | 5a7141b167056bf8f01c067ebe12ed4ccc608dc7 |
| SHA256 | e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888 |
| SHA512 | 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23 |
C:\Users\Admin\AppData\Local\Temp\3219.exe
| MD5 | 232abffd9cbf87bdac05b7d6edebe8a9 |
| SHA1 | 3b641ba2ff63568f1e7cfa3c3eb5faa2e35fc7d7 |
| SHA256 | dec50a8977b5fc2a35f3af2d41679370953fdd6221a69b225ff461235868456b |
| SHA512 | f785aacf824c51f1a7733548ed0b4e04ad10e6d65d46ab34456700d75db256bc0c1cf54a0ea539075cc18ffb586afd9ec0dd6fca8cc806a15b1ad3a02b70f08c |
memory/3724-24-0x0000000000170000-0x0000000000C47000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3D26.exe
| MD5 | 5cdbf483bec791e4e84fe61cfcfb0c05 |
| SHA1 | 784b1f289c5a52a69e2d008dc63af9febbed0e2e |
| SHA256 | 682ef3750452953a8a43c753a61d99fbc68795be3a58efed57bcfc0e5e6fe0f5 |
| SHA512 | 9f9fd3ba30788bfe29242d1b5b7467f4d06350cbce9455063a52bb293142791c40790c247a5ebc3f0e7b04bf545322d71bc582356f5954a58f6ccb169e19bd91 |
C:\Users\Admin\AppData\Local\Temp\3D26.exe
| MD5 | 0535fe8ba27e4ccb2b457f56ca846192 |
| SHA1 | 9f94ed3a45be67320c5a2ba9c9e675d05d05b907 |
| SHA256 | aa7cd8ecaef01f8a678715ddebb21575213caf156ff80990f3a20552f625c3b8 |
| SHA512 | 2146f91ce4787797c7697006193adf9b812e54ec6824b978becdd41592cd82651b984319eaae7c8ff731e9e9871d82bc84273d727af1814dde5da148d2485d4b |
memory/2428-33-0x0000000000400000-0x0000000000414000-memory.dmp
memory/3724-36-0x0000000000160000-0x0000000000161000-memory.dmp
memory/3724-37-0x0000000001040000-0x0000000001041000-memory.dmp
memory/3724-40-0x0000000001050000-0x0000000001051000-memory.dmp
memory/3724-38-0x0000000000170000-0x0000000000C47000-memory.dmp
memory/3724-43-0x0000000002C20000-0x0000000002C21000-memory.dmp
memory/3724-44-0x0000000002C30000-0x0000000002C31000-memory.dmp
memory/3724-45-0x0000000002C40000-0x0000000002C41000-memory.dmp
memory/3724-47-0x0000000002C50000-0x0000000002C51000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
| MD5 | dfc7d4964a5e3066d6792023d68c0b62 |
| SHA1 | 08dbee6af776d8eef98eb944cbcddd03670b6774 |
| SHA256 | a240cbe746d636de6f3826bbafbb57c65c1762f33719cbea68e3f95e8b696333 |
| SHA512 | 67e3b8b040ab5fd10e6c3d1e25f70ea14a4976d752ab5115c2b9680d3aeebec73eaaee17a7bfc57079e321ee8d3220ef0cf3dba00425b59a96d6fc3b73f6ab30 |
memory/3724-48-0x0000000002C60000-0x0000000002C61000-memory.dmp
memory/3724-49-0x0000000002C70000-0x0000000002C71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
| MD5 | 1ba055823154222509be8b1cb57f0d49 |
| SHA1 | a11bdd1f4106f1de2dd075801987965f97c5c2b2 |
| SHA256 | c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841 |
| SHA512 | 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a |
memory/4728-50-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3724-59-0x0000000002C80000-0x0000000002C81000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-1FH2I.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/3724-60-0x0000000002C90000-0x0000000002C91000-memory.dmp
memory/3724-61-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
memory/3724-62-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
memory/3724-63-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
memory/3724-74-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/3724-79-0x0000000002D00000-0x0000000002D01000-memory.dmp
memory/3724-68-0x0000000002CD0000-0x0000000002CD1000-memory.dmp
memory/3724-90-0x0000000000170000-0x0000000000C47000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3219.exe
| MD5 | 95c0d1b353b4bc5167e63279dc4a16bb |
| SHA1 | f1810c1ea7b4c083cf4f06f44d3358f8c9ce1731 |
| SHA256 | 43632cc12be12b6c6a17b452b1ea19fd92782d509bb1e2ab46d2233d29f6ad9b |
| SHA512 | 5b29ec3bc89b7a1f7e717ce34a89f594d38fd613364213d5c45e3019afe6eb8e14aceafb8033287c69d2a47d3045f74e56c01da930a0b11cb990f8fc1f5a73e4 |
memory/3724-104-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/3724-107-0x0000000002D10000-0x0000000002D50000-memory.dmp
memory/3724-109-0x0000000002D10000-0x0000000002D50000-memory.dmp
memory/2300-105-0x0000000004720000-0x0000000004844000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 13063052d2e1c6b4026e52a0e483978a |
| SHA1 | aefe9c9cb5601a6498345fa2b17601454cec10f4 |
| SHA256 | 9ebd7dc00d9a4a085bd7c5a4210761f003fc677b165541a213392c79f77017b1 |
| SHA512 | c16a5eeefe66284c1f0437a5a0059eae7678ffad20f867e2e19824070bdb19b91e354a54b8f5e2a2a068667c676eb1a49955034b5d66bd7a14bbd09237334acd |
memory/4288-113-0x0000000000400000-0x0000000000736000-memory.dmp
memory/3724-119-0x0000000002D10000-0x0000000002D50000-memory.dmp
memory/3724-121-0x0000000002D10000-0x0000000002D50000-memory.dmp
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | 93da943fa112947bf879d7566b7a2795 |
| SHA1 | 127aba37d388a133728017fa51d7704e4f220d0f |
| SHA256 | a9dbe8ef5e57ce97ab1fa67cbce4bbcfbacf4fb725e33be5b1544ee52fd76309 |
| SHA512 | 5aa4d9713e47709cd749631e3b76f7af509f35a53864d43cc5754c59a1f3486c37eb86a5b3b853951bc81a4b9f1a0539261802f94b261c94aa1d03a4e3339475 |
memory/4288-120-0x0000000000400000-0x0000000000736000-memory.dmp
memory/1548-123-0x0000000000400000-0x0000000000736000-memory.dmp
memory/4600-124-0x0000000004CC0000-0x0000000004E77000-memory.dmp
memory/4600-125-0x00000000049B0000-0x0000000004B77000-memory.dmp
memory/1548-130-0x0000000000400000-0x0000000000736000-memory.dmp
memory/4292-129-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\47E5.exe
| MD5 | b6195c664fdb215225768aefa41678a8 |
| SHA1 | 85a2de5701abb134ecc07dd75d4ec10a99311c90 |
| SHA256 | 4f5ead078d01127b5f7b5f6fdaa7ad08b14d267f50cb3ea5ee297020a224ad35 |
| SHA512 | 0c5055e962b9e2447da9f402e595a54f39f3c177f41850e2ddca706028e84fd8cdc85875a0c72b9ee126c46ed7b9158f4a8ebf71f8fc72462bc4054cc3d87fc9 |
memory/4292-127-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4292-131-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2300-132-0x0000000010000000-0x00000000101A5000-memory.dmp
C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe
| MD5 | 42870ea4c7b464290729691737e3b256 |
| SHA1 | dbb1b0709affe264a656c922054f2d5fd208884a |
| SHA256 | a2750e34f7fd50611d606b002de3bcc9bc2ac1307c5dc581e53015d20832fc31 |
| SHA512 | 938baecccbeae6551dc72eb0f3215a13f67e575f2e52fc2f64b7105df929139d551f6b1d1bd46d3435dd005a3d88baa29b34017895b2f82d91e49e9bc408bd5d |
memory/2300-134-0x0000000004850000-0x0000000004958000-memory.dmp
memory/4292-133-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4292-135-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4292-136-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\249A.dll
| MD5 | 0220f5312066470d86d6a0ed23328929 |
| SHA1 | d350259cb0f33e39c68ee4116ea2ac5007c2bd65 |
| SHA256 | ac4ebfedbe8965d8de63f2b7c2614e28b91f8a5eebad729776bace368d8b2bbd |
| SHA512 | 41bc6151caa482856a20df47658c953a34d34d7d30ec980dda5c92de71d4974c409afcc8fe9ed9e0861d0c59e3e1e4850ba39c5f6ae6f06f2e54f91ed7ab176c |
C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
| MD5 | eb692d15442e1eddba6f143c36b0f15c |
| SHA1 | a1b16b0a75c924eee50c451c5b691b84ff2ec86a |
| SHA256 | fa5d1dd178b3ecf6971c3d05dfa5b5e5f9fb1ffd70bf0eaf2d7c2fe7102ef6d0 |
| SHA512 | c3c61c8614670b7b4a15fe839071edace9f50341647ca786d998fde554f581ef1564329e1565e3313c056e80ded3c0513a3c4d7cda2b29f08807c2dcf4e437e2 |
memory/2428-141-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4292-142-0x0000000000D00000-0x0000000000D06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FF5.exe
| MD5 | c3d415ee0c331f933cab4402870f8ca7 |
| SHA1 | 231b32c871ff581f45082d9cee9524d08dee2ea5 |
| SHA256 | ecd68efdc5090f4c4e7914983bcb314d147d0a8af8901450e62882b824d31ed9 |
| SHA512 | 24846d6f5abe93814d5376623e5f257f8b787d1ce4749f8325b4327df13699323131b2f2dcc9e9b290d00afc2b2295f7d2f35e65522fbb75fe803b0074a3b59c |
memory/2300-146-0x0000000004850000-0x0000000004958000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4FF5.exe
| MD5 | 7c9afe07cb22b9e9029cc4e06bf0af0b |
| SHA1 | 991256dae3d62ce9d3f12af4de37c7372c3815af |
| SHA256 | 2dec0d15a4d7976cbfd0c9c088e79b24d2f5f4d8f2dbcc3a002e3a17842be6e0 |
| SHA512 | 766edc161c0d161c7345fa8495aac5a3f34cabd0da04a3d4b777db22d60b9bba56b3af1cdaee5e5839148bed425acbc8c16f3743365f47bb3dff352e4dec035e |
C:\Users\Admin\AppData\Local\Temp\47E5.exe
| MD5 | 2897b7b03b8d44a7b58abc96dce48601 |
| SHA1 | da49015003403edf89cb3fceda9e14d106f7560d |
| SHA256 | b0a8c7df8d459cfe5e96ab6d8664838d44ee544915ea578467a547c87ef3b8d4 |
| SHA512 | de7fb2b2babf6628b2c603a54b847eb2135dee3c2f457448bd39fde42fbaf32417977013fa3cd168e87c916e569f09103e2677d0d17f29b455994d500abee940 |
C:\Users\Admin\AppData\Local\Temp\47E5.exe
| MD5 | ac783a7c1ecee3d02e896bc7c8a99b15 |
| SHA1 | 032d0bf9a240cc452827f28a562a55bff6379881 |
| SHA256 | f57310dfb74ab0ffb54e788854860b7ec80dc656cbecfd32f83c10cceaf68206 |
| SHA512 | 75e74256c08662e42b674bed1a614c8da74f33232fe0c15931c4550d08214d12785b877d8603a5e6e6d3d1f910415adeb7246e4ccf9732ddd850728ed9de6881 |
memory/3724-110-0x0000000002D10000-0x0000000002D50000-memory.dmp
memory/2300-149-0x0000000004850000-0x0000000004958000-memory.dmp
memory/3724-150-0x0000000000170000-0x0000000000C47000-memory.dmp
memory/4728-152-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7715.exe
| MD5 | 92a71f3efd8ccc6ec1a330556ede4255 |
| SHA1 | 9c8c6e20b2a3bd1d42bacd982ed0153601a97e6e |
| SHA256 | 5188d984bca835999078297c9e5581e851733bd21122a316e74423036e1701ba |
| SHA512 | 3713a941a3bfe0de41f750658ff8f37ec5a092dde875d3a639f8a3b73ee83afa8f2028a6d3a1a0704e0451ca056cd909c6b7edcd68222e56d19b8749274df15b |
C:\Users\Admin\AppData\Local\Temp\7715.exe
| MD5 | 2e9265e28463535a5a1047975999a3be |
| SHA1 | f733834d0500f78b68a0026a56224275cb7efe06 |
| SHA256 | c6f34c930576cebc98dc989b9476f75ca7bc6a7a9f01dbd7d8207fdc46fc14bc |
| SHA512 | 27fcee40384b9616e2b48b40ea13042137616c546ed8bf03dea3998a258806bbf328a097307ee80e812095e7ae23fdf2dc56f3b14b3575d577c9b11d20732793 |
memory/1548-157-0x0000000000400000-0x0000000000736000-memory.dmp
memory/1364-160-0x0000000000790000-0x0000000001046000-memory.dmp
memory/4728-161-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/4292-162-0x0000000002CD0000-0x0000000002DF4000-memory.dmp
memory/1364-163-0x0000000071CC0000-0x00000000723AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | fd90364365583c6eb8e380650f58e325 |
| SHA1 | 3f3323d7583c215b563aa8f98452d9d950b1a2e5 |
| SHA256 | 2a91f83ebe875f7dfb8980655a4257f1bd31c3aa8496e5001772ac539b2d6593 |
| SHA512 | 03e0471cf8e2e0a927d99cb1afeb5488a053ebf0ccb95e3af7b78001b4453d5e939403de88df97202e8f54c5d11d39b089bf12b288eb08c8565b362f00e7e83d |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d3c015d761ac4697c31779ebd67685fe |
| SHA1 | 6eda243187265592a404feca52bf612ddc66e396 |
| SHA256 | 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea |
| SHA512 | 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | a5cff547a0b21ea2b83973e448b9cde4 |
| SHA1 | 1ce21af16fc7990a6482813d5da8a01da6128c3d |
| SHA256 | 71c401cd7cdfb7c753c85656e4b2c14541b4ce56a919ec20882928c97bca8ac7 |
| SHA512 | d1314a37ed9ef07411c4c4e7b15078bec4c3e1a94823c3ef4e13e1f8958a2a21cce909aec9d5f5ff896b4a6035953f8c2fcdd498dfdf33a469894ea501a37825 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b29cd31f15d37cebbe2804adc62ce2e9 |
| SHA1 | e036f370e3b9a849609823c1cf295c07968b91a0 |
| SHA256 | 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2 |
| SHA512 | 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | cb7421612a3bcbe7383b7fe36e871536 |
| SHA1 | 2d4912c42710c582867fc523e9330ad0511038e7 |
| SHA256 | f68b77cbd91e16a2d4006c9b8ce8b0a947059ca0ebea225cd1f782a67f217fdc |
| SHA512 | a9f4c3e8bf72d82b9483cedc1dbdbf9f1c8d96c51182aa34b42bf2909dada433d64538d58c6981ccbee5211c3c33846431a33fd063bbbfba96a0b1ac498f7436 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 1da1905a1662537c520f84a5ee807ac7 |
| SHA1 | b316b8479287911b1c6d986c6785562807671230 |
| SHA256 | 338adab2312e5fa65591312e4d54ee983f02311e887e998dab215fafd4c7e8e5 |
| SHA512 | 088b50b19910515b2d58c1dca0e8c9001a1905decb9cf8475487bf87c74313cf016ba575beab06083d7c3d17430388f3987d62acfcff8b2befecd9c22369304e |
memory/4292-183-0x0000000002E00000-0x0000000002F08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EF6.exe
| MD5 | 58a39dd0defffab93ee366092ca07d8e |
| SHA1 | da039d807b3788beaaa896c83aa1be2d089c57e5 |
| SHA256 | 76b005f9436387ee73f08bb5bd0b5da594501d294a0faf5e01f9286356381621 |
| SHA512 | fd7d0c6485315183934c7799fee0388bd97c88b67f091720b996905b37405adadc5581eddebc2fb81557cb5ecb449668b8a97901da12ff2ad8ea3faa515be7b1 |
memory/4292-191-0x0000000002E00000-0x0000000002F08000-memory.dmp
memory/324-192-0x0000000002DF0000-0x0000000002EF0000-memory.dmp
memory/324-198-0x0000000002D70000-0x0000000002D7B000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso80C5.tmp\INetC.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1364-180-0x0000000071CC0000-0x00000000723AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 1490dc87ce122929847fec13c1c8c77c |
| SHA1 | 93d524c764ddf535522df890ad1ee056981e912e |
| SHA256 | 97da444e1fb45d7abcbd32ba08cb712e99a8141bf3c171b71b38113508e1dabc |
| SHA512 | be1adaca3d0025830a63c88fbbbfcaa761bca3fcb003c5078ba24edaaab429d368a3cf34f656775c5d064caabc625db0cf0c994522dfe6fabfcc9b49ffe21ee0 |
memory/324-200-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/1548-201-0x0000000000400000-0x0000000000736000-memory.dmp
memory/2036-202-0x0000000002560000-0x0000000002561000-memory.dmp
memory/4292-203-0x0000000002E00000-0x0000000002F08000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso80C5.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
| MD5 | 1d264333dd61f6b795e8b5583203ff9e |
| SHA1 | 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6 |
| SHA256 | 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2 |
| SHA512 | d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7 |
memory/4196-222-0x0000000002EB0000-0x0000000002FB0000-memory.dmp
memory/4196-223-0x0000000004850000-0x0000000004884000-memory.dmp
memory/4196-225-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/3360-224-0x00000000028A0000-0x00000000028B6000-memory.dmp
memory/5036-229-0x0000000002940000-0x0000000002D3B000-memory.dmp
memory/5036-230-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1548-231-0x0000000000400000-0x0000000000736000-memory.dmp
memory/5036-233-0x0000000002D40000-0x000000000362B000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/324-236-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9D3D.exe
| MD5 | d87b0a821f638d77a01f216c1ea870fa |
| SHA1 | 6ec5d82bb5493cfc977f48517306df28b18144c6 |
| SHA256 | 12f7cad34b46c4620e3eb13080577d77fdf25b928f1a7564c8517401a1eb56df |
| SHA512 | d872a6cb9a28070e9bb40b7b855007460da5766e47c5f1a7057e71bce4d250f7fcb0b6b2836c16fda5a947b6670241705ea405dcb5d3880b976882008f91c9da |
C:\Users\Admin\AppData\Local\Temp\9D3D.exe
| MD5 | 1b532637c0d2f2f00e6ea7f82f55f707 |
| SHA1 | 912302374fc906daac44e632ec9a590b03c5adb7 |
| SHA256 | 52952d29764033d5834e627d1dade08a44990a327ba8706d2903086ad6a4aaa3 |
| SHA512 | 7320b2d3fe8b849b2a0176c3e08902556fb016ba029923f94900a0d022b0a39dd8017f62bd2d893b1782c39093726ec2a65cdc8e51921c0e0c2f6a9c9be0523b |
memory/4292-242-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4368-244-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp
| MD5 | a9c6a57c83236d705d75178400d337e4 |
| SHA1 | 380c7778f48ff1ec2f0f42d3677f4a6484d77698 |
| SHA256 | d61ba0eb06a23d3c5d2225e17012f789f9d6fbadc9186f7131949c0fcf7452dd |
| SHA512 | f406ace0aed2e83bd31c3c3a5ba77b4d7ee97311b56fc93fa79f77eefe91e86c733a86c7fb20ee644ac78d76ebe3b16db62b4eec426f6293030a2405ade2e933 |
C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp
| MD5 | 1e9951fc53b8f55cab2eb59c9a3e3f76 |
| SHA1 | ddf3dfc37f76a1471208e24fed623183fc9faa80 |
| SHA256 | 6a33a0db6017947fea77a3ea6e569e8823a2d38c4b9f13a8ed7615861d226ea8 |
| SHA512 | aadfe9b10191431debe10ae9aaafeb327006d9128f407a245827198b9ab75dc9a41972654b48e6378838761fa6ac293314d0033e086ac97315576b35f8d3b49f |
memory/4292-265-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3940-267-0x00000000001F0000-0x00000000001F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-2NJV7.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-2NJV7.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-KG85M.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
memory/4816-307-0x00000000046F0000-0x0000000004726000-memory.dmp
memory/4816-308-0x00000000713D0000-0x0000000071ABE000-memory.dmp
memory/4816-309-0x0000000004770000-0x0000000004780000-memory.dmp
memory/4816-311-0x0000000004770000-0x0000000004780000-memory.dmp
memory/4816-310-0x0000000006DE0000-0x0000000007408000-memory.dmp
memory/4816-315-0x0000000007450000-0x0000000007472000-memory.dmp
memory/4816-317-0x00000000077B0000-0x0000000007816000-memory.dmp
memory/4816-316-0x00000000076D0000-0x0000000007736000-memory.dmp
memory/4816-318-0x0000000007820000-0x0000000007B70000-memory.dmp
memory/4816-322-0x0000000007780000-0x000000000779C000-memory.dmp
memory/4816-323-0x0000000007BF0000-0x0000000007C3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wc2t4125.xph.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/4816-348-0x00000000080E0000-0x000000000811C000-memory.dmp
memory/4816-384-0x0000000008D70000-0x0000000008DE6000-memory.dmp
\ProgramData\nss3.dll
| MD5 | f6c8c59463bec74c26722cf9a042e6f5 |
| SHA1 | cef467955d5a48fb2998de5bd2f9f6c2199bd4c2 |
| SHA256 | bb5cfc4b998fc7cd18def15b23115214c98e42227d811ec9d9791daab04887b3 |
| SHA512 | 4656978e4dc0ba285e0a1a4b24c9a6747c505461b0080a47834e13795d56d51a0b77ab4e009d349f2b4860dd402af96b8f894ae2746530dab60f87ad38de0d4d |
C:\ProgramData\mozglue.dll
| MD5 | 85705bfc92a9de320abc2a7eeca9b6f6 |
| SHA1 | 68e5a21c5799b9d8aa6bf3dc6d0596c04be46a4e |
| SHA256 | 5adcd26ca73bf19e9b992b1ee743acb43ba2d9ce5c6e043950c278b13b63d5d6 |
| SHA512 | 44b0d68ac9425ba5b368c05131772660e6fe3e1184a87a89145435d2bcd87f812d353b9e69f4678d84cfbb825b5729171a3a4e09df4e00e730b011f91728b5f6 |
\ProgramData\mozglue.dll
| MD5 | a0956ba2ea37ffb5e8c7efc8b391a36b |
| SHA1 | 8ae731438fef748f3a3c17443f87b22c2dccefd6 |
| SHA256 | 7c141d543bbc197ed5ad0e8ff9e074f871522364b8254a3dda65948ac1f17043 |
| SHA512 | b62d41a36b944c3381e0d1f4ed397d2abe0194c80dc35708ad213d11cbe4c626044d6965981b91dd56212c24dde282525f56e0388d5e2882377638cdf19c944a |
memory/4816-409-0x000000006F3E0000-0x000000006F42B000-memory.dmp
memory/4816-411-0x000000006DF00000-0x000000006E250000-memory.dmp
memory/4816-412-0x0000000009B30000-0x0000000009B4E000-memory.dmp
memory/4816-408-0x0000000009B50000-0x0000000009B83000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4816-421-0x000000007EB90000-0x000000007EBA0000-memory.dmp
memory/4816-420-0x0000000009B90000-0x0000000009C35000-memory.dmp
memory/2036-422-0x0000000002560000-0x0000000002561000-memory.dmp
memory/4816-424-0x0000000009DB0000-0x0000000009E44000-memory.dmp
memory/4196-426-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/4196-514-0x0000000000400000-0x0000000002D38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 67131bc3915234d08dd8b254bc38667b |
| SHA1 | d1c81e5a0aa2bdc793ce16b757138dd27786f42b |
| SHA256 | 1d32f5d069729d5f49c4b70c9b2cf90d46369f4caa7e9f6f034074a01bf40038 |
| SHA512 | 6b2a35896e1e742b946b9450b1784e386dfdea0317c74e4151ac14e898211d475b7a741479888f8de905e3618ccf23c7ccc68620f8a1b866d25c66c1763595c2 |
C:\Users\Admin\AppData\Roaming\sjcrrev
| MD5 | 3dd02e3a7d6552f6312e29bc4189c06a |
| SHA1 | c52bb026df26445a1e4ccf66baf61d99ecd1ff8a |
| SHA256 | cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70 |
| SHA512 | 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 405fe91c736dfd5d67770881bb147272 |
| SHA1 | be8f088b303dc625dbecad44264bdf4a7ee8c691 |
| SHA256 | 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c |
| SHA512 | 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | db01a2c1c7e70b2b038edf8ad5ad9826 |
| SHA1 | 540217c647a73bad8d8a79e3a0f3998b5abd199b |
| SHA256 | 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d |
| SHA512 | c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 7f53a30b86e351be84714936785454e8 |
| SHA1 | f8deb6132eb76741fe787518b9ce72a73bfe8b3b |
| SHA256 | 2c265655979b7865d4281d932ab5c86c4c6d4cb28397637086167e14a1d3f093 |
| SHA512 | f9a62b16a9c7bb1a18d133b7e98f6b1f69f896af674292c8674f15c7a99e3d291351dfe30cae551784d6ff4b8e5c1f8f8dc6ab49b6a08900ff20fbeff9a3e727 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | e6afdb718aa8f64a3832d3ca92bf3ce3 |
| SHA1 | c6a742286efdd5606e1dfdc52826f0cb68fca1a2 |
| SHA256 | e3d9f8c6b953ba08e398a1b083988a6e2c3c10c6e9e36c0ded05854d9fd7d99d |
| SHA512 | d328c5fb691a6a2ac2d1dcade81f164ca14335c6f25cc043c828b9a313a132664407aeecff3217717ef73a038037598b594673077d3be04fd155d046ade7ead6 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 994a37c1d4d49c372714e582110d452f |
| SHA1 | 95b0c0c799eb7582cb45155539c22389e8367685 |
| SHA256 | f263f92ce7128e7662ad9b3bf853b2ef7a242677012818316e4fd16108e6aa3b |
| SHA512 | 43b25fc53c5ebb278324574d2bd536e74e381ffd535831fe2081582ae0c7bc9221d6f9d8b2e31dc172eee66dc4eaf3d83a3f85eea4a94b803c8457083c79f676 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 93289e445ff3af1e6627a3141e9db982 |
| SHA1 | d7a82fc9a4ea4bf231707f67f6185907c16576cb |
| SHA256 | 929ae1d5d1aee5c152b2329df9c3651be64c6067faba03daab74c806ac65a5e1 |
| SHA512 | eeca8206efc2db87e9616a88365e0ebe1c64ebb1bf0d7119a2113d07aefbb76c35ba282229b324755690e26805654f647fab7214ff7322d8e7a1790285dbf341 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2877a4e4eb0819ecbd0f140d1a29867e |
| SHA1 | d076b5f98933f562e963712d5d5d2b17a702fe06 |
| SHA256 | 47f124c600483667209fa56d8382d9ff8068fc346ef8d886783101473722893e |
| SHA512 | f2d149b04b251758b77a6b85b2415f8d5675d494ebf8590d4d9d201c189e15b56b17b9e1950ba42b2b78514c6d7e72e130ca05bb0da0b05cad68cad96179b058 |
C:\Windows\rss\csrss.exe
| MD5 | 8c9607a8c8359d15ec05a327be0b80a8 |
| SHA1 | 645ef703da82d57f169789d42c5c88625548bcc1 |
| SHA256 | 924f06d5c5dfa4ac57ea02f3899d9e083a61844d3e86372fc5d71e0e184df233 |
| SHA512 | 60880b8445341e3ad208977d2d328e497243dc6d5d51dc6a35923752f83cc8e621d6ca377d8638ef4415689f6e74e230bfa8a29953d639a5757bdf94a8d5dda1 |
C:\Windows\rss\csrss.exe
| MD5 | 89848a95cf00ff11f64f2f17b36cf096 |
| SHA1 | 0b457b1790674539c7c8309ef7ed1c9751fbfdbb |
| SHA256 | 8d585e24302b62dc845fa00622dc2486f2927a4307f780096cbf049bb7d4d4c9 |
| SHA512 | 8ccdb4cb7359c5b3c73621a7ff556432a412fe7b9b3cc998312f80f11de3b3c2321c2f200bf13d56fec0829512a9b8caa031d8ccae04ab47dd01af8192fc87ab |
C:\Windows\rss\csrss.exe
| MD5 | b8c50d741d429e4cd6210293c0f0d881 |
| SHA1 | 059f1aa663f344b66b7ab96bd092bfd08ef6b091 |
| SHA256 | 862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b |
| SHA512 | b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096 |
C:\Users\Admin\AppData\Roaming\tdcrrev
| MD5 | beea0c962def411b794fe5fd33f4e5b9 |
| SHA1 | 2c4743812c810d05d42ab11bb9beda423bdd7d2a |
| SHA256 | 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c |
| SHA512 | bfff88b479bf97ad6878f1c90197263d9c0cc9485eda0ba5f9ef5bf39b0f02e3236ee31e7ac581348da5497e805cff56853965797b778e01a73c852f6479c6ac |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5a6bda02c47cf53ac56c9570b4074698 |
| SHA1 | 3ca4cf6e9e1895533ac2eb742eaadd554db947d1 |
| SHA256 | 0d544a206afa92b2f6a2987d9bce16121b9d0b2b15a3c97fef10f315a9b29ece |
| SHA512 | dbdb26d36c150cbe1a5bfadf47f1ddf5d204b4043f256c53ee420aa1c5dd38218db8986045b727cc659ea2f603f1756c2fe03da74485f80b1d6d4b4549094b9b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 0f38a17bbaa7b6f75f51c671be981097 |
| SHA1 | ee95e5225cfb623b6ddd58902bf72504993e2030 |
| SHA256 | 03f4d293b34e18f429d34282179a04a705d448f3b88b88982486997f6cd51f39 |
| SHA512 | 429100ae213ea857fa3fefea7b512bb616219f76cf2a55a4735776650806d42582ff886cd4779a1406d2bc9d0f514c93e40c3d12d9e764ffa8b880067bd704a2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 8d7120c0fbb2fc8602af6ff0b29581fb |
| SHA1 | 236ad775679b5ab4a3f07d4975ae425f4fb9b17e |
| SHA256 | 772bce5d2257a888ff9757aaf1090a731e6b73e7b717b6b9660d9fea616a5380 |
| SHA512 | 43bd0a38f4efd0f31d1a0a5bfda973625d162a265caf66a37aa563a60c304382c23f6f6f01936767d58a2460995db2ba76b9e2cb60a7ae52a74982afaa22c67c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 50156ab4a98e3b965f35358e7e588ea6 |
| SHA1 | ea5ba4d72b6326e25fdafe7b9f57e4a5e31f1f98 |
| SHA256 | 62111f6d8637db96f7688fd40470899e372d3f4ab01308b8710794651c3657d4 |
| SHA512 | 9f33b1ef77d1c808d967fbef5455898c2053f0a21f77e9add5f507eab5cd349b906fbf70c3a498cb7433bd25ed86120af95d483066fc4292757e0dcd466c13da |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |