Malware Analysis Report

2024-11-30 04:48

Sample ID 240222-fe4btabg4t
Target 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
SHA256 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
Tags
dcrat glupteba smokeloader socks5systemz stealc pub1 backdoor bootkit botnet discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma
score
10/10

Analysis Overview

Threat Level: Known bad

The file 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c was found to be: Known bad.

Malicious Activity Summary

Stealc

Glupteba

Glupteba payload

Socks5Systemz

DcRat

Windows security bypass

SmokeLoader

Lumma Stealer

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Modifies Windows Firewall

Reads data files stored by FTP clients

Loads dropped DLL

Windows security modification

Reads user/profile data of web browsers

Executes dropped EXE

Unexpected DNS network traffic destination

UPX packed file

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: LoadsDriver

Suspicious behavior: GetForegroundWindowSpam

Modifies system certificate store

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 04:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 04:48

Reported

2024-02-22 04:53

Platform

win7-20240221-en

Max time kernel

298s

Max time network

301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\736C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A94F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E1ED.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\rdbcgsh N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\45C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 152.89.198.214 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9BE6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\736C.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2624 set thread context of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\82A9.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E1ED.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rdbcgsh N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rdbcgsh N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E1ED.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E1ED.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\rdbcgsh N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0b8a6924a65da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1224 wrote to memory of 2824 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2824 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2824 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2824 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1224 wrote to memory of 2824 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2824 wrote to memory of 2596 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1224 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\736C.exe
PID 1224 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\736C.exe
PID 1224 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\736C.exe
PID 1224 wrote to memory of 2572 N/A N/A C:\Users\Admin\AppData\Local\Temp\736C.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe
PID 1224 wrote to memory of 2216 N/A N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1224 wrote to memory of 1984 N/A N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 1984 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\8F19.exe C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp
PID 2772 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 2772 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
PID 1224 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 1224 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 1224 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 1224 wrote to memory of 2624 N/A N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 2624 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\9BE6.exe C:\Users\Admin\AppData\Local\Temp\9BE6.exe
PID 1224 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\A94F.exe
PID 1224 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\A94F.exe
PID 1224 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\A94F.exe
PID 1224 wrote to memory of 3000 N/A N/A C:\Users\Admin\AppData\Local\Temp\A94F.exe
PID 2216 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe C:\Windows\SysWOW64\WerFault.exe
PID 2216 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe C:\Windows\SysWOW64\WerFault.exe
PID 2216 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe C:\Windows\SysWOW64\WerFault.exe
PID 2216 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\82A9.exe C:\Windows\SysWOW64\WerFault.exe
PID 2772 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2772 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2772 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2772 wrote to memory of 1664 N/A C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1224 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\D427.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe

"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\71A7.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\71A7.dll

C:\Users\Admin\AppData\Local\Temp\736C.exe

C:\Users\Admin\AppData\Local\Temp\736C.exe

C:\Users\Admin\AppData\Local\Temp\82A9.exe

C:\Users\Admin\AppData\Local\Temp\82A9.exe

C:\Users\Admin\AppData\Local\Temp\8F19.exe

C:\Users\Admin\AppData\Local\Temp\8F19.exe

C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1DLA1.tmp\8F19.tmp" /SL5="$60122,3536428,54272,C:\Users\Admin\AppData\Local\Temp\8F19.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\9BE6.exe

C:\Users\Admin\AppData\Local\Temp\9BE6.exe

C:\Users\Admin\AppData\Local\Temp\9BE6.exe

C:\Users\Admin\AppData\Local\Temp\9BE6.exe

C:\Users\Admin\AppData\Local\Temp\A94F.exe

C:\Users\Admin\AppData\Local\Temp\A94F.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 128

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\D427.exe

C:\Users\Admin\AppData\Local\Temp\D427.exe

C:\Users\Admin\AppData\Local\Temp\E1ED.exe

C:\Users\Admin\AppData\Local\Temp\E1ED.exe

C:\Users\Admin\AppData\Local\Temp\45C.exe

C:\Users\Admin\AppData\Local\Temp\45C.exe

C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp

"C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp" /SL5="$201D2,4081152,54272,C:\Users\Admin\AppData\Local\Temp\45C.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp

C:\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\taskeng.exe

taskeng.exe {5CB69B68-B144-45D1-A502-65DD0B912653} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\rdbcgsh

C:\Users\Admin\AppData\Roaming\rdbcgsh

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222045201.log C:\Windows\Logs\CBS\CbsPersist_20240222045201.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network

Country Destination Domain Proto

Files


MD5 6337ae180de93ab9d39151602bf74bbf
SHA1 8d52f389699d4e1601ccbbec82fd620e75a7ada2
SHA256 7f7955c19aad191a94fdb51d950b1b98bb66a9fcf9f086c4acc8154621dc212e
SHA512 34c061ee4b93e74ea37a49ae187849da81684fb26ef14f9d08be6bb9fbcade0f1e76d50b492d7b675cdfd7778d18f075bfe4c4fabbbe271bd41e6ec5aa2877cf

C:\Users\Admin\AppData\Local\Temp\D427.exe

MD5 0866b1a679c5089c802afca72bb3a57f
SHA1 2a2810c95ebebfb258947574c3eb1089a606a118
SHA256 50a8268fd89cba268a210c6f96ac6f342dbcd7b988ab6498c2df9e608097b02a
SHA512 ed3c22ace7add1e7d374b44a49c28969cb49c83459652955415d5d3eac26d43d63bf8720cb86536f29a3f9e44f7f3b352d4376112e6484ff3cf262e6ec057a66

memory/2840-256-0x0000000001200000-0x0000000001AB6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E1ED.exe

MD5 3dd02e3a7d6552f6312e29bc4189c06a
SHA1 c52bb026df26445a1e4ccf66baf61d99ecd1ff8a
SHA256 cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70
SHA512 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485

memory/2840-264-0x00000000738D0000-0x0000000073FBE000-memory.dmp

memory/2000-268-0x00000000002A0000-0x00000000002AB000-memory.dmp

memory/2000-270-0x0000000000400000-0x0000000002D35000-memory.dmp

memory/2000-271-0x0000000002DB0000-0x0000000002EB0000-memory.dmp

\Users\Admin\AppData\Local\Temp\82A9.exe

MD5 6ac48873f3053963255fd1c9bfa6fc52
SHA1 385f778fb0abf8b2fb3699940b192e0c02d454cc
SHA256 8b0ee35ed3d795c078ca345cf7007489bde9a9ef358318bfb39f8809707930da
SHA512 dff1e929775f9d9cd797d84cb95b1d6ed5ec2d3b4b44128eab76ce186a16c3090d48965b83a979a3c99f0bfa4174ca150d3bc59778c6cdd334da66efed405d24

C:\Users\Admin\AppData\Local\Temp\45C.exe

MD5 dd5a32a7f2fab74f19a49e2c37798ab8
SHA1 925b6abd47bfe2ee9cfa3aa06702cc38779c6f4d
SHA256 f087a526570e1c5af6ec0cf3a6b30ef13a0d1cbb49ad25353b00a7f9860053ac
SHA512 397004ede888de708b751aa6ffb1309d48ed8e0048f40e64d4666d9361bee967003cb6a9ad438f671b2117701f3e6e1997487f498e0d1a67af93cd2d1e7ec705

C:\Users\Admin\AppData\Local\Temp\45C.exe

MD5 4ccae7375cb42d61a39b54ba85c7b496
SHA1 a77211f398f4bd7aa1c2d25a5126a8998c3e6768
SHA256 1ea4758e2af060bf5a0923a6a6cdbbb41a26a8c91b125135773438267ad7658f
SHA512 4ab5fea2dc4c2d072f84572826f7782fb655a86aa1592e170f1a9b3bca617cb2326ba7275ec4da12c32cb0f90091b439165cb19cde735408b1e9e88bc7440f19

C:\Users\Admin\AppData\Local\Temp\45C.exe

MD5 562599d4dd56fc758c0698e17200e7a7
SHA1 39e8dc6c69406658b312ec71cbbbcc16d62e50de
SHA256 2a4b7e8b4a51d6dc7ddd3ffb49fe8424c2112b461892f8853171d69037081d69
SHA512 d5bf4bea1bb1a2f4d9dabb9554719be681563dd0325a8e95facfc0b6c81bf22b0d241ab9b446a87a08d65368913e0b928f313c5693930602e7eb90d5341d4ad4

memory/2344-293-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2000-294-0x0000000000400000-0x0000000002D35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RFKM0.tmp\45C.tmp

MD5 b11909d5e4e08b1a6da220eca474d49f
SHA1 b42582ab65d400f3450907ddc0857092c4daa4a8
SHA256 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
SHA512 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab

memory/2288-315-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-1BB56.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

\Users\Admin\AppData\Local\Temp\is-40U8B.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 fc38310973cf92ef5d0eaf23758c5420
SHA1 f67e38d66151d77eb528dd37e9c492dfeb913011
SHA256 b2ae25d2170d4ddc0ca6f24766a5a11a82d92c48b33e3f7ddc39f5252cf7f73b
SHA512 a041e229870805a1128582fd32fa83b1fccb8c750535ff29a903a1adf8962a412b0719f260033d9bf5b9e9c389a28b148837687441919f226b324ff69d98c77a

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 003c4a6cb61927efc72075cf82eb01be
SHA1 a99a44c6408c27aea06815df86363b33f811f852
SHA256 9fa5ede9244c2e90dd3170b8181744aad307c2dae70f4a95881a3e0f99a061fc
SHA512 345e66fd8b959aa1daeaac3fdf139ffe084115e64f3e98108b6069c6d2d4927cfdd79d9045f8b5b92b5800c9cb72025223154991ec691494a66f629fa8aabc3f

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 89848a95cf00ff11f64f2f17b36cf096
SHA1 0b457b1790674539c7c8309ef7ed1c9751fbfdbb
SHA256 8d585e24302b62dc845fa00622dc2486f2927a4307f780096cbf049bb7d4d4c9
SHA512 8ccdb4cb7359c5b3c73621a7ff556432a412fe7b9b3cc998312f80f11de3b3c2321c2f200bf13d56fec0829512a9b8caa031d8ccae04ab47dd01af8192fc87ab

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 4b0c012a59404fe817f1f6b79b83aa74
SHA1 645324aa66bc9b7b7074d6d0be8f917e05e0095e
SHA256 9f982dd9649c268011003f805c41db3d2e1df629aefd9c35724626c87bae8f44
SHA512 8821467c4fc3768ecc6d86e8e1c8e9261a9b0d3baed0ebe85bb0b36bf884657dbdf5a24b481cfec21408cddcf39db3746248c7edce3627bda07cbf3b44aaf56a

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 8964d20ad832e50ab1ebeeb4896f00ca
SHA1 fb2406a9d3066349937987a87f67253d0e82a87a
SHA256 17947e1227e767b6ddd00884eab28ecaffc7c97591a141912c12f165733a673c
SHA512 50e5554a1d9329d22894e9693231aff91ebdc87964fd3d69b633b0265273242b31c4cad25d674fb6acd823ff0996136d6f96a4851cd2850917c99d309c267366

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 4626175ba0623cc4880048b3ae8d8031
SHA1 f7ef48364340de4aa3602ab4eb2fa046b88d3b26
SHA256 172ae6a6a9f1e4b95d037c612ed5214497eee330bb4b9261148ec39cf6f43c36
SHA512 3895eeec818b8b8ba966a21f00d1a4da6350ada9749ff35bc337d50c7daabe72f368d756d8eecf3526cd4890374901a0cefcb4f27c8b2ebcf6818bb451c6ecd9

memory/2740-349-0x0000000002B50000-0x000000000343B000-memory.dmp

memory/2740-350-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2740-346-0x0000000002750000-0x0000000002B48000-memory.dmp

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b29cd31f15d37cebbe2804adc62ce2e9
SHA1 e036f370e3b9a849609823c1cf295c07968b91a0
SHA256 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA512 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 ec4d8aac8488a649f67226d75195dc37
SHA1 f7ec802e35df103763914c8f4f2dd4ae6ed2e630
SHA256 48f86f927f57af901b0151176d45425f1d2b65dc61df150d2ad05c77cf15660f
SHA512 234bd4cd0e1712f99296ef0a4340d994864843238ce8b58a0c7bb8184f7b711e0c1aea9ad23b6f1479fe9dcadd4bf6a4f2182bfbbfde312cd683b4f9c519b8af

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 b13e7afed63a0124c4a11def76536012
SHA1 935fb2c98361f6f0bea9b214d1995d8d405acfbd
SHA256 edd5213e9d59e8ca71a2563f2bfbbc903a16830630f4d3ffe1ab19a7c0e03306
SHA512 dde6e74644a35009d267ae0e10b440d4ec90c911108f04bbe634c5766500cd26c29fed0b9a00211ed298b19010d4174ec0c71278b39c5db5cfd74b19de741179

\Users\Admin\AppData\Local\Temp\nso1DFD.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2840-363-0x00000000738D0000-0x0000000073FBE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 df5467f5507da73eec6838c209fdd2fc
SHA1 2cdc2f5eceaede0dc87493187c1caff51ab61a53
SHA256 54fbd7979fab9d25b55aa67dfc1e532bac8d62638d9363603213d385bcb7aa15
SHA512 3badb2bfff5db281e9d01667eb2f82b1c3a842cc5589cbfe2fbc9bb0dcca8f29412d0e5139b75430373297885d16bd1b0ec96cc1107bf347414562cdfa4bf476

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 cda03a2814a5374a41390ea28da94400
SHA1 846cd8dc546accdba445aa724b5a8ebf240d46a1
SHA256 e0d1d7cae3c1c4cb2860839e59d068e1b4890ff173d4e6024f8e0bb6b30c112d
SHA512 6089aa7e78ab8bf28134b366fec3c13c87ae0aa706ae1f86075de608fd567674ac1517d29f3b2e0d4dff2886afa3fad58cd7a570561c2602222188362d458d2c

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 930c01374aef1f140168059d062e1637
SHA1 1dd2d3fb415bb36852c700b68a34194552b305e0
SHA256 13fcd3bbcf047c57995083501db7c0aaaf9a429931b918a9001cb2b7c51f8214
SHA512 8cce9edbf63f9478df0daab3e5121d6c94aa443ac8f7ba2c1d85a87e4110ce527bc02e3f0891b55f34e239cde7a8877eaf58a298874cbdcbb3b08fa63ae674e1

memory/2704-367-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

\Users\Admin\AppData\Local\Temp\nsj3FB1.tmp

MD5 1d264333dd61f6b795e8b5583203ff9e
SHA1 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6
SHA256 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2
SHA512 d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7

memory/2844-401-0x0000000002E10000-0x0000000002F10000-memory.dmp

memory/2844-402-0x0000000000220000-0x0000000000254000-memory.dmp

memory/2844-403-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/1664-404-0x0000000000400000-0x0000000000736000-memory.dmp

memory/1664-418-0x0000000000400000-0x0000000000736000-memory.dmp

memory/1720-439-0x000000001B490000-0x000000001B772000-memory.dmp

memory/2344-438-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1720-440-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

memory/1720-441-0x00000000027C4000-0x00000000027C7000-memory.dmp

memory/1720-442-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

memory/1720-445-0x000007FEF5DC0000-0x000007FEF675D000-memory.dmp

memory/1720-451-0x00000000027CB000-0x0000000002832000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d5ac8347ec7fe6b3267af60cf71255a7
SHA1 f8258729ec532f3161b0affd5082fbb5b194805d
SHA256 ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27
SHA512 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 527892d24e299272a39583fe739ec0af
SHA1 4cf673bd3bf661962136fe49435ec3188a9ba0e6
SHA256 525509489b7a77dd42523f6aef3aaa90577aa50f0e032ce320c9de3563dcf9a2
SHA512 0bf75b3a5d431b3653be862904ebcdaf5345d2200036b0fd57919062aa9258299010040baf3606d6ebce28e40ba63ac6b2b03380bd49417ef524864143577a68

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 8bbd17268553afbc04023cc63aef85eb
SHA1 a8f53690f84ce08aae9743517f4596eae4bbd7fc
SHA256 3ce243722a96761fa4e0a144aec00bd2c59164a41711e35f150fccc7cfc6c496
SHA512 c421e2a960bcc572c87007e1f0780c05f7121a7623f7e1cc8c06b18d005e699a57d77a7fd57bec30bb5913effa9c3e57b34a597f75079716278e845dd594dbaa

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 f35939be721e0d38e4ab57965311694b
SHA1 39daa2054d6591e6802db5e168930c56013ce2dd
SHA256 49c8acc88a566de72465addf1d462e99af855ecd54d2a96ea89372ad3371682c
SHA512 4b10bf68a8c832436107c63aecee845402748dda2e898e6bd9d8bf7d0bede1b83733b9342d6139359d358c967f42c79df0d61346f5d6ea90b906b0ad41be5a64

memory/2616-470-0x0000000019E30000-0x000000001A112000-memory.dmp

\ProgramData\nss3.dll

MD5 5139053d024a9da330ff0e32a495a045
SHA1 96abc8f721e48e6b6c9e3525a8937a3475722401
SHA256 f7eeaeb642f4e3b5403d71ca019f7e9d8483aa4d53b8bbd77501ae3d2d8aa9cf
SHA512 20a0c673f82dc7cc918300e6ffb9384b9e2fa3a3f2cc866421de6e426ca1a26922a381722c385cdcb9b703570b11bfbbcce0c4ba5146d6afc13ede6203fcf95a

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Roaming\rdbcgsh

MD5 beea0c962def411b794fe5fd33f4e5b9
SHA1 2c4743812c810d05d42ab11bb9beda423bdd7d2a
SHA256 3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c
SHA512 bfff88b479bf97ad6878f1c90197263d9c0cc9485eda0ba5f9ef5bf39b0f02e3236ee31e7ac581348da5497e805cff56853965797b778e01a73c852f6479c6ac

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 405fe91c736dfd5d67770881bb147272
SHA1 be8f088b303dc625dbecad44264bdf4a7ee8c691
SHA256 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c
SHA512 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 f64d53ca3c3cde35f3f37619d4bddbe2
SHA1 43d7b4d48e54c24e83f819f02d1d4f2c79293202
SHA256 267078352f349687ef4e8bb4faf28d1be0751e649525f4a4aac36103bdcb8c04
SHA512 c78ccd2cd756be518883987ad0cc2aecb85dc1260b4da38eeed4f15712f4c4bde5630ef0ab5a9b7e89e86d4f40fff2ac15805b5ed9feec4d616ebaeb84121b2b

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 170d66f9d75e64f50a295116ca704c25
SHA1 db0854fd1c8c705d62411aa8f13be7d2ebe2e476
SHA256 f6de5ced2a6adeb6c8422030a373c0a25756c5c79c5b066d9999a03ad9c04fd7
SHA512 d51b5ae12e52adf56941e8c4fadedaa6683fc013f6aa6a8c431db72fbf882d74ae75a940f53e7b793bf11e0740cc68eee3715e33eb526c4bdef42b51b74062c9

C:\Users\Admin\AppData\Local\Temp\Cab93AA.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar94F4.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-22 04:48
Reported: 2024-02-22 04:53
Platform: win10-20240221-en
Max time kernel: 113s
Max time network: 305s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"

Signatures

DcRat

rat infostealer dcrat

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\47E5.exe | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Windows security bypass

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Unexpected DNS network traffic destination

Description | Indicator | Process | Target
Destination IP | 45.155.250.90 | N/A | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\47E5.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\2641.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4600 set thread context of 4292 | N/A | C:\Windows\System32\Conhost.exe | C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 3976 set thread context of 4636 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\system32\conhost.exe
PID 3976 set thread context of 2340 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2321 = "Sakhalin Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\explorer.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3360 wrote to memory of 2080 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3360 wrote to memory of 2080 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2080 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2080 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2080 wrote to memory of 2300 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3360 wrote to memory of 2448 N/A N/A C:\Users\Admin\AppData\Local\Temp\2641.exe
PID 3360 wrote to memory of 2448 N/A N/A C:\Users\Admin\AppData\Local\Temp\2641.exe
PID 3360 wrote to memory of 2448 N/A N/A C:\Users\Admin\AppData\Local\Temp\2641.exe
PID 3360 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3219.exe
PID 3360 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3219.exe
PID 3360 wrote to memory of 3724 N/A N/A C:\Users\Admin\AppData\Local\Temp\3219.exe
PID 3360 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe
PID 3360 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe
PID 3360 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe
PID 2428 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
PID 2428 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
PID 2428 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\3D26.exe C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp
PID 4728 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 4288 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3360 wrote to memory of 4600 N/A N/A C:\Windows\System32\Conhost.exe
PID 3360 wrote to memory of 4600 N/A N/A C:\Windows\System32\Conhost.exe
PID 3360 wrote to memory of 4600 N/A N/A C:\Windows\System32\Conhost.exe
PID 4728 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 4728 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 4728 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 4600 wrote to memory of 4292 N/A C:\Windows\System32\Conhost.exe C:\Users\Admin\AppData\Local\Temp\47E5.exe
PID 3360 wrote to memory of 3772 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FF5.exe
PID 3360 wrote to memory of 3772 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FF5.exe
PID 3360 wrote to memory of 3772 N/A N/A C:\Users\Admin\AppData\Local\Temp\4FF5.exe
PID 3360 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\7715.exe
PID 3360 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\7715.exe
PID 3360 wrote to memory of 1364 N/A N/A C:\Users\Admin\AppData\Local\Temp\7715.exe
PID 1364 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1364 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1364 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1364 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1364 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1364 wrote to memory of 4736 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1364 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1364 wrote to memory of 5048 N/A C:\Users\Admin\AppData\Local\Temp\7715.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3360 wrote to memory of 324 N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3360 wrote to memory of 324 N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3360 wrote to memory of 324 N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4736 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4736 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4736 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4736 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
PID 4736 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
PID 4736 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp
PID 2036 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4372 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4372 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4372 wrote to memory of 308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4372 wrote to memory of 4744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe

"C:\Users\Admin\AppData\Local\Temp\3ec3ae64bc9b435d1a5dc63e98b3a7d0205a87afbf61ee2e47d06289fe06ee2c.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\249A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\249A.dll

C:\Users\Admin\AppData\Local\Temp\2641.exe

C:\Users\Admin\AppData\Local\Temp\2641.exe

C:\Users\Admin\AppData\Local\Temp\3219.exe

C:\Users\Admin\AppData\Local\Temp\3219.exe

C:\Users\Admin\AppData\Local\Temp\3D26.exe

C:\Users\Admin\AppData\Local\Temp\3D26.exe

C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KIRF6.tmp\3D26.tmp" /SL5="$8007A,3536428,54272,C:\Users\Admin\AppData\Local\Temp\3D26.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\47E5.exe

C:\Users\Admin\AppData\Local\Temp\47E5.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\47E5.exe

C:\Users\Admin\AppData\Local\Temp\47E5.exe

C:\Users\Admin\AppData\Local\Temp\4FF5.exe

C:\Users\Admin\AppData\Local\Temp\4FF5.exe

C:\Users\Admin\AppData\Local\Temp\7715.exe

C:\Users\Admin\AppData\Local\Temp\7715.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\7EF6.exe

C:\Users\Admin\AppData\Local\Temp\7EF6.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp

C:\Users\Admin\AppData\Local\Temp\nsi8B84.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\9D3D.exe

C:\Users\Admin\AppData\Local\Temp\9D3D.exe

C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp

"C:\Users\Admin\AppData\Local\Temp\is-8DV8J.tmp\9D3D.tmp" /SL5="$B02DE,4081152,54272,C:\Users\Admin\AppData\Local\Temp\9D3D.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Roaming\tdcrrev

C:\Users\Admin\AppData\Roaming\tdcrrev

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Roaming\sjcrrev

C:\Users\Admin\AppData\Roaming\sjcrrev

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4292 -s 42840

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
BA 185.12.79.25:80 trmpc.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 en.bestsup.su udp
US 172.67.171.112:80 en.bestsup.su tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
RU 213.158.31.231:22711 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
UA 62.216.54.29:9001 tcp
DE 185.220.101.206:30206 tcp
FR 46.105.227.109:443 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 147.135.64.217:443 tcp
AT 86.59.21.38:443 tcp
US 8.8.8.8:53 217.64.135.147.in-addr.arpa udp
US 8.8.8.8:53 38.21.59.86.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
CA 149.56.38.170:9001 tcp
DE 144.76.43.199:9001 tcp
US 8.8.8.8:53 sjyey.com udp
KR 211.40.39.251:80 sjyey.com tcp
US 8.8.8.8:53 199.43.76.144.in-addr.arpa udp
US 8.8.8.8:53 170.38.56.149.in-addr.arpa udp
US 8.8.8.8:53 251.39.40.211.in-addr.arpa udp
KR 211.40.39.251:80 sjyey.com tcp
KR 211.40.39.251:80 sjyey.com tcp
KR 211.40.39.251:80 sjyey.com tcp
KR 211.40.39.251:80 sjyey.com tcp
KR 211.40.39.251:80 sjyey.com tcp
DE 144.76.43.199:9001 tcp
CA 149.56.38.170:9001 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.89.13:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 13.89.15.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 bp.cem udp
US 8.8.8.8:53 bp.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 bp.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 bp.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp

Files

SHA512 9f33b1ef77d1c808d967fbef5455898c2053f0a21f77e9add5f507eab5cd349b906fbf70c3a498cb7433bd25ed86120af95d483066fc4292757e0dcd466c13da

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5