Analysis Overview
SHA256: f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1
Threat Level: Known bad
The file f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1 was found to be: Known bad.
Malicious Activity Summary
Glupteba
Detect Socks5Systemz Payload
Windows security bypass
SmokeLoader
Stealc
Lumma Stealer
Socks5Systemz
Glupteba payload
DcRat
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Modifies Windows Firewall
UPX packed file
Reads data files stored by FTP clients
Windows security modification
Unexpected DNS network traffic destination
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Manipulates WinMonFS driver
Writes to the Master Boot Record (MBR)
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-02-22 04:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-22 04:52
Reported: 2024-02-22 04:57
Platform: win7-20240221-en
Max time kernel: 66s
Max time network: 301s
Signatures
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\789A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7F9D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8FA7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E11.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F859.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8894.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8E11.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\789A.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2480 set thread context of 2980 | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\8E11.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\cmd.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | "C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe" |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7733.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\7733.dll |
| C:\Users\Admin\AppData\Local\Temp\789A.exe | C:\Users\Admin\AppData\Local\Temp\789A.exe |
| C:\Users\Admin\AppData\Local\Temp\7F9D.exe | C:\Users\Admin\AppData\Local\Temp\7F9D.exe |
| C:\Users\Admin\AppData\Local\Temp\8894.exe | C:\Users\Admin\AppData\Local\Temp\8894.exe |
| C:\Users\Admin\AppData\Local\Temp\8E11.exe | C:\Users\Admin\AppData\Local\Temp\8E11.exe |
| C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp | "C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp" /SL5="$60122,3536428,54272,C:\Users\Admin\AppData\Local\Temp\8894.exe" |
| C:\Users\Admin\AppData\Local\Temp\8E11.exe | C:\Users\Admin\AppData\Local\Temp\8E11.exe |
| C:\Users\Admin\AppData\Local\Temp\F859.exe | C:\Users\Admin\AppData\Local\Temp\F859.exe |
| C:\Users\Admin\AppData\Local\Temp\178D.exe | C:\Users\Admin\AppData\Local\Temp\178D.exe |
| C:\Users\Admin\AppData\Local\Temp\2EC6.exe | C:\Users\Admin\AppData\Local\Temp\2EC6.exe |
| C:\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp | "C:\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp" /SL5="$7011E,4081152,54272,C:\Users\Admin\AppData\Local\Temp\2EC6.exe" |
| C:\Users\Admin\AppData\Local\Temp\8FA7.exe | C:\Users\Admin\AppData\Local\Temp\8FA7.exe |
| C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe" |
| C:\Users\Admin\AppData\Local\Temp\FourthX.exe | "C:\Users\Admin\AppData\Local\Temp\FourthX.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "UTIXDCVF" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\SysWOW64\chcp.com | chcp 1251 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" " |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "UTIXDCVF" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| C:\Users\Admin\AppData\Local\Temp\nsp30F.tmp | C:\Users\Admin\AppData\Local\Temp\nsp30F.tmp |
| C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
Network
Files
memory/2360-344-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp
memory/2360-346-0x0000000001054000-0x0000000001057000-memory.dmp
memory/2360-354-0x000000000105B000-0x00000000010C2000-memory.dmp
memory/2876-369-0x0000000077DBF000-0x0000000077DC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | dc75ac469975abdedd45ea30c8668aa3 |
| SHA1 | d884888f16815b92d0581f23969944d9e333e225 |
| SHA256 | 24e1b63bfa49da320f28f53008faf4e17f053373f767b765eaa39413bcbbad04 |
| SHA512 | fe81b45e6dcd867801a3d783c04ad62e8690c6c87bfe1279cd4d5bf108b8294e3c6151679927d97abdeab455becc669b27cee2124dc70b641147ea27badbdf76 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 115c48091793a2d2c4995b3b5125f215 |
| SHA1 | b6c73454c5ffa0786eb019bfd4033c09c3f96b95 |
| SHA256 | 7dace915ad25b86af4f58b19ee3584e23720b552db8ca34641d21b670e3442df |
| SHA512 | ec87da2198f1651921ce550d56adcbbef25e1826ef3ac97c7f8aa73e198c009e4b66c87a33bff6f6bfea416015dbcce8b9c0fc9dc103c60bcc83aff13aba1ca4 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | d5ac8347ec7fe6b3267af60cf71255a7 |
| SHA1 | f8258729ec532f3161b0affd5082fbb5b194805d |
| SHA256 | ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27 |
| SHA512 | 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296 |
memory/2112-409-0x0000000000890000-0x0000000000898000-memory.dmp
memory/2112-407-0x0000000019FC0000-0x000000001A2A2000-memory.dmp
memory/2112-422-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp
memory/2112-424-0x0000000001574000-0x0000000001577000-memory.dmp
memory/2112-426-0x000000000157B000-0x00000000015E2000-memory.dmp
C:\Windows\TEMP\gbfbijmbpkdw.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/1824-425-0x0000000000240000-0x0000000000241000-memory.dmp
Analysis: behavioral2
Detonation Overview
| Field | Value |
| Submitted | 2024-02-22 04:52 |
| Reported | 2024-02-22 04:57 |
| Platform | win10-20240221-en |
| Max time kernel | 262s |
| Max time network | 300s |
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect Socks5Systemz Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Socks5Systemz
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E5B1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nso274C.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nso274C.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 141.98.234.31 | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E5B1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\B76A.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1848 set thread context of 3840 | N/A | C:\Users\Admin\AppData\Local\Temp\E5B1.exe | C:\Users\Admin\AppData\Local\Temp\E5B1.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2405.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2405.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2405.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nso274C.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nso274C.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\System\CurrentControlSet | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2405.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 34 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 35 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: 36 | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe | "C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe" |
| C:\Windows\system32\regsvr32.exe | regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5E2.dll |
| C:\Windows\SysWOW64\regsvr32.exe | /s C:\Users\Admin\AppData\Local\Temp\B5E2.dll |
| C:\Users\Admin\AppData\Local\Temp\B76A.exe | C:\Users\Admin\AppData\Local\Temp\B76A.exe |
| C:\Users\Admin\AppData\Local\Temp\C92E.exe | C:\Users\Admin\AppData\Local\Temp\C92E.exe |
| C:\Users\Admin\AppData\Local\Temp\DAC3.exe | C:\Users\Admin\AppData\Local\Temp\DAC3.exe |
| C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp | "C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp" /SL5="$302DC,3536428,54272,C:\Users\Admin\AppData\Local\Temp\DAC3.exe" |
| C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe | "C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i |
| C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe | "C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s |
| C:\Users\Admin\AppData\Local\Temp\E5B1.exe | C:\Users\Admin\AppData\Local\Temp\E5B1.exe |
| C:\Users\Admin\AppData\Local\Temp\E5B1.exe | C:\Users\Admin\AppData\Local\Temp\E5B1.exe |
| C:\Users\Admin\AppData\Local\Temp\ECB7.exe | C:\Users\Admin\AppData\Local\Temp\ECB7.exe |
| C:\Users\Admin\AppData\Local\Temp\13F6.exe | C:\Users\Admin\AppData\Local\Temp\13F6.exe |
| C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe" |
| C:\Users\Admin\AppData\Local\Temp\FourthX.exe | "C:\Users\Admin\AppData\Local\Temp\FourthX.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Users\Admin\AppData\Local\Temp\2405.exe | C:\Users\Admin\AppData\Local\Temp\2405.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" " |
| C:\Users\Admin\AppData\Local\Temp\nso274C.tmp | C:\Users\Admin\AppData\Local\Temp\nso274C.tmp |
| C:\Users\Admin\AppData\Local\Temp\3C31.exe | C:\Users\Admin\AppData\Local\Temp\3C31.exe |
| C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp | "C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp" /SL5="$702A8,4081152,54272,C:\Users\Admin\AppData\Local\Temp\3C31.exe" |
| C:\Windows\SysWOW64\chcp.com | chcp 1251 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "UTIXDCVF" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto" |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "UTIXDCVF" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\System32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /delete /tn ScheduledUpdate /f |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | powershell -nologo -noprofile |
| C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll |
| C:\Windows\SYSTEM32\schtasks.exe | schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F |
| C:\Windows\windefender.exe | "C:\Windows\windefender.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\SysWOW64\sc.exe | sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD) |
| C:\Windows\windefender.exe | C:\Windows\windefender.exe |
Network
Files
| SHA256 | 45bc3cc6ac85666f2e2ffe81fc10e8a1b97256f2fbbbecbcb89edd9b98825882 |
| SHA512 | 4741df559792693b5e58fa97c67f1f755fbafad18d7a627fee1d34990460ab4a1592706d980e85018aa02ce5d040406587f726c72899e92eec9b681a851d2029 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 1da12eb5ed9c3654e3e05e07965b07ca |
| SHA1 | 33409895e02523a9272c7c3d4f983f9c9967ae8a |
| SHA256 | 07311bd84df02d85b6a56555dbe775262535fc6597cd5aa73117d303365b8716 |
| SHA512 | 3c3f6ba87a95ce46b2c0e88add185d3f6fbc7f98a9bc7910bf5ca6bf65fb23f55c7e56886aa784f2307f7e5e207138d7d84eb8c2e7043dc9a4abd74528ef4a17 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 0961b07158f26d26393a22e86859974e |
| SHA1 | e6f54f12a426ce23e51714f05b7d8ff462af57e2 |
| SHA256 | 54325a76735dd25e03879ec602c6cee8fc7cdb49315a2b013750efe42cece28a |
| SHA512 | d4ba0006472fbf293b18f5c05b556949392ae5f8f8d53b351e11a0f1ebb56ef37beec0e6dbc5560e076d64cc43e34167b2fa95c809ffb21b2bbf5752ac7f0473 |
memory/4932-177-0x0000000072050000-0x000000007273E000-memory.dmp
memory/3840-178-0x0000000002C50000-0x0000000002D74000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsk1DD5.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 1844d76e7d4331107eeb8fc6274fa9b2 |
| SHA1 | 82ae81925c68a662af3b5243db9ae9d0b1721958 |
| SHA256 | 0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1 |
| SHA512 | 2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947 |
memory/3840-185-0x0000000002D80000-0x0000000002E88000-memory.dmp
memory/5012-186-0x00000000028F0000-0x0000000002CF6000-memory.dmp
memory/5012-188-0x0000000002E00000-0x00000000036EB000-memory.dmp
memory/3840-190-0x0000000002D80000-0x0000000002E88000-memory.dmp
memory/5012-191-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2548-193-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/4792-192-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2405.exe
| MD5 | 0a107bf148f82af636813c98bffaf1aa |
| SHA1 | 5d94b205bb3aa52479c87ad9be192580a1fb1ce0 |
| SHA256 | 8acc5a6eacd080c06ee91150388700c910fc300cb3f85585dd4667f20dd11e9d |
| SHA512 | 7ee46e7081826a8190e67f94009998085e584254d910e3f57dc7d9b5931e1cb6662aa52ef6f3c404a6fe41a30621a51ab5a846131497afaf27b9c20eeed9fb4c |
C:\Users\Admin\AppData\Local\Temp\2405.exe
| MD5 | 8c898b181136238560dc7d857363a362 |
| SHA1 | 2eb52e150ce15e1e2770ce8a0aa6463e04241655 |
| SHA256 | 868aaad983185c9de720ab7b1e3089788580f145ba855c5c32e4233bf079dee5 |
| SHA512 | 48bdf0ae698477a0bf99c8775bed611b47a630d1ce69912797fc5a029bc9ac2b514cfd6a2651dfbf9961efb382548faf16030e3dd06ab9d7387365ebf7390cfa |
memory/3896-199-0x0000000002DA0000-0x0000000002EA0000-memory.dmp
memory/3896-200-0x0000000002EA0000-0x0000000002EAB000-memory.dmp
memory/3896-207-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso274C.tmp
| MD5 | 1d264333dd61f6b795e8b5583203ff9e |
| SHA1 | 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6 |
| SHA256 | 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2 |
| SHA512 | d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7 |
memory/4924-217-0x0000000002F90000-0x0000000003090000-memory.dmp
memory/4924-218-0x0000000002DA0000-0x0000000002DD4000-memory.dmp
memory/4924-219-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/4792-220-0x0000000000400000-0x0000000000736000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/3368-222-0x0000000002D20000-0x0000000002D36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3C31.exe
| MD5 | a071948d0b1884e42a362d980c3403b9 |
| SHA1 | 1b22ec256c8fcaca203b73cc0270acca9554110f |
| SHA256 | f70e172f986824c12345eb18bbe8361ea0ae9bad8179ab23c0e9ec97660a7358 |
| SHA512 | a260fd5e418aafda5ae5cced9b67a878e0219ce54f4a22668a8cc6d5c4d7d8f45dcdeef839d7d97cbb5079f0e915daeb5f4e2d71047d374516e0a82883e29408 |
memory/3896-232-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\3C31.exe
| MD5 | 3b9ed878856f3a69e5b6d76080345c95 |
| SHA1 | 31f7e3f63e91f73384a3e3fb00d804d8793b2a5f |
| SHA256 | 7b05e5025320037f9daf62f8e7fe637086e6b306e84926a8b0d5b29a25ef13fd |
| SHA512 | 978f25010acafdc0ef4d1b73cb6d01f43423137476e2069e8ab56ca8983170c8d9afda7b678cf79c849cfd20f570662b065d143f40b12e0889196d7b71c08adf |
memory/1836-236-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp
| MD5 | b11909d5e4e08b1a6da220eca474d49f |
| SHA1 | b42582ab65d400f3450907ddc0857092c4daa4a8 |
| SHA256 | 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff |
| SHA512 | 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab |
C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-6PC46.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
memory/864-268-0x00000000001F0000-0x00000000001F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-H2U6D.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
C:\Users\Admin\AppData\Local\Temp\is-H2U6D.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/4924-352-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/3720-371-0x00007FFBCC1E0000-0x00007FFBCCBCC000-memory.dmp
memory/3720-372-0x0000013D4C430000-0x0000013D4C440000-memory.dmp
memory/3720-373-0x0000013D4C430000-0x0000013D4C440000-memory.dmp
memory/5012-374-0x00000000028F0000-0x0000000002CF6000-memory.dmp
memory/3720-375-0x0000013D4C400000-0x0000013D4C422000-memory.dmp
memory/3720-378-0x0000013D4C6C0000-0x0000013D4C736000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0uqovn0.afg.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3720-410-0x0000013D4C430000-0x0000013D4C440000-memory.dmp
memory/4104-426-0x0000000005220000-0x0000000005256000-memory.dmp
memory/4104-429-0x0000000007A10000-0x0000000008038000-memory.dmp
memory/4104-431-0x0000000005300000-0x0000000005310000-memory.dmp
memory/4104-430-0x00000000718B0000-0x0000000071F9E000-memory.dmp
memory/4104-432-0x0000000005300000-0x0000000005310000-memory.dmp
memory/5012-428-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2548-434-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/3720-437-0x0000013D4C430000-0x0000013D4C440000-memory.dmp
memory/4104-438-0x0000000007980000-0x00000000079A2000-memory.dmp
memory/4104-439-0x00000000080B0000-0x0000000008116000-memory.dmp
memory/4104-440-0x0000000008220000-0x0000000008286000-memory.dmp
memory/4104-441-0x00000000082A0000-0x00000000085F0000-memory.dmp
memory/4792-446-0x00000000009C0000-0x0000000000A62000-memory.dmp
memory/4104-450-0x00000000086D0000-0x00000000086EC000-memory.dmp
memory/4104-451-0x0000000008740000-0x000000000878B000-memory.dmp
memory/4104-470-0x0000000009740000-0x000000000977C000-memory.dmp
memory/4104-501-0x00000000098E0000-0x0000000009956000-memory.dmp
memory/4104-508-0x000000000A690000-0x000000000A6C3000-memory.dmp
memory/4104-510-0x0000000072470000-0x00000000724BB000-memory.dmp
memory/4104-512-0x000000006E6F0000-0x000000006EA40000-memory.dmp
memory/4104-514-0x00000000097C0000-0x00000000097DE000-memory.dmp
memory/4104-524-0x000000000A6D0000-0x000000000A775000-memory.dmp
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 56b83c068dc6c8df9c02236e9587cd42 |
| SHA1 | 9803091206a0fff470768e67577426cce937a939 |
| SHA256 | 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e |
| SHA512 | e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | d5ac8347ec7fe6b3267af60cf71255a7 |
| SHA1 | f8258729ec532f3161b0affd5082fbb5b194805d |
| SHA256 | ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27 |
| SHA512 | 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296 |
C:\Users\Admin\AppData\Roaming\sehhdhg
| MD5 | 3dd02e3a7d6552f6312e29bc4189c06a |
| SHA1 | c52bb026df26445a1e4ccf66baf61d99ecd1ff8a |
| SHA256 | cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70 |
| SHA512 | 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | a97b7709ded87e52ee06c4b8b181034c |
| SHA1 | b9d7b8477766d6316329c395eb38cc9fd914a00a |
| SHA256 | 9f470f144df5ad788b012450bdb5ae2007221434974ae64390081ec523e30169 |
| SHA512 | b8b9af25459da9e60935a0ffb807d8e3df291e7003f18f1b904817562c345c7652f249121d4ceed48c2d3d013a72393ed3637b74f91f602a6105ac60e55e53f0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | db01a2c1c7e70b2b038edf8ad5ad9826 |
| SHA1 | 540217c647a73bad8d8a79e3a0f3998b5abd199b |
| SHA256 | 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d |
| SHA512 | c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | efbb7bd0d9e1bfc523146661beb53958 |
| SHA1 | ad1053b6c245e7ed0e496711f9c930ab1ccc9dec |
| SHA256 | 73b5b13cfafdef87fe297e0009aa95267436af2fea12b49b2aa6a5bb66383297 |
| SHA512 | 89402d62180a356edc36b735bd6f326df20c0b8e63ff248c59d44102745d365c3184516743086b19c6a5abfc12196697917ab075b70cfdd74d731bfdd8c62f6f |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 7aac7c53b58a8b0a0b23552816658244 |
| SHA1 | 296b3e96334a230b623c91284b3efb223fca218e |
| SHA256 | d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2 |
| SHA512 | 4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | bfedf45e11243a852f6f99233078cd28 |
| SHA1 | f14063b7d324eb03f864dac1899f1fbb25754e34 |
| SHA256 | 3695c24fb861df4b2624fb4dab745ceec1238cbf4e90de58c300a182d9f69383 |
| SHA512 | 3967a5acdaad569e8fe655a31310eb8874fcac73e21e2034c1490492aa2b6a7674cff18af128da638f51f0326065b8519ed9c55d835e945bcacb66ad385dd8e3 |
C:\Windows\rss\csrss.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e3914e62a23dcc3c07a382101732c39a |
| SHA1 | 02cd9703f81f57add46c1d6e9cbdd1f77dde1442 |
| SHA256 | 3807e60da220f387b3ddecbc2e6e7786967f1f81b9521f7908f4833ae7d5d262 |
| SHA512 | d4b7e9d78b329d21ae12652c5f0a1ad0b71cc4c2249754099caf3798bfdeb3eadffc1a735492f13cf0784db4d92de02deb5061a2cebebbc8c529dcdeecba4808 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 405fe91c736dfd5d67770881bb147272 |
| SHA1 | be8f088b303dc625dbecad44264bdf4a7ee8c691 |
| SHA256 | 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c |
| SHA512 | 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 036c94be7691e9f6aabbd6ab24a6a502 |
| SHA1 | 6bbe6345b92534741eb8a1b3237f77b61e916414 |
| SHA256 | f8dcc32e05b38bcfb3cd672c591ff9639404dabfd960022102732ad1ddb90ffd |
| SHA512 | 2b52e547e60cbfd84a50b0477460daa5686dd6b61f9cd3d668f75eb0d7dc2232be4dae161e7ecd28ed5dacdd9d0cbe98680611a00645bab4d88bea4c4668f51a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 9fc15a19f74d62d36e895d9d2e128330 |
| SHA1 | 48f961724da70398d758da9ceec84db407071cce |
| SHA256 | d7c2f6463a24473c6419278c858e931f20b77562a44f8e405368f87756d411f6 |
| SHA512 | 58e754a958665b5d9db72d7e1e66e1aa45dbf111a8343d85998176d00348693d8881fe373f877b1143c41721680d4f0d55aaa4b2b098d687882b127ab4fa53f4 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 207306451fbe1b6ee1974317bad2021a |
| SHA1 | 583b15d7e76d0237f36b40821bc63b542ef3094f |
| SHA256 | 776002c93f9fbf09203b989100f9b59a517e27659daa88e3697aa48d37af58d4 |
| SHA512 | ada7c88d5ed4365294c6045c2c297fe81703b33284a6b29fc2ca264440aac189c06960529cef24c847d7e6ddde22258614d4c918c0822d9c0ea69a4f66bd8754 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |