Malware Analysis Report

2024-11-30 04:48

Sample ID 240222-fhdkkacd93
Target f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1
SHA256 f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1
Tags smokeloader pub1 backdoor bootkit evasion persistence trojan upx dcrat glupteba lumma socks5systemz stealc botnet discovery dropper infostealer loader rat rootkit spyware stealer
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1

Threat Level: Known bad

The file f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1 was found to be: Known bad.

Malicious Activity Summary

Glupteba

Detect Socks5Systemz Payload

Windows security bypass

SmokeLoader

Stealc

Lumma Stealer

Socks5Systemz

Glupteba payload

DcRat

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Modifies Windows Firewall

UPX packed file

Reads data files stored by FTP clients

Windows security modification

Unexpected DNS network traffic destination

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Manipulates WinMonFS driver.

Writes to the Master Boot Record (MBR)

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-22 04:52

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-22 04:52
Reported 2024-02-22 04:57
Platform win7-20240221-en
Max time kernel 66s
Max time network 301s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

UPX packed file

upx

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\789A.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2480 set thread context of 2980 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Users\Admin\AppData\Local\Temp\8E11.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\cmd.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 1204 wrote to memory of 2536 N/A N/A C:\Windows\system32\regsvr32.exe 5
PID 2536 wrote to memory of 1996 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe 7
PID 1204 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\789A.exe 4
PID 1204 wrote to memory of 2876 N/A N/A C:\Users\Admin\AppData\Local\Temp\7F9D.exe 4
PID 1204 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\8894.exe 7
PID 1204 wrote to memory of 2480 N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe 4
PID 1204 wrote to memory of 2464 N/A N/A C:\Users\Admin\AppData\Local\Temp\8FA7.exe 4
PID 2592 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\8894.exe C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp 7
PID 2480 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Users\Admin\AppData\Local\Temp\8E11.exe 9
PID 1204 wrote to memory of 2064 N/A N/A C:\Users\Admin\AppData\Local\Temp\F859.exe 4
PID 1204 wrote to memory of 684 N/A N/A C:\Windows\SysWOW64\cmd.exe 4

Processes

C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe

"C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7733.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7733.dll

C:\Users\Admin\AppData\Local\Temp\789A.exe

C:\Users\Admin\AppData\Local\Temp\789A.exe

C:\Users\Admin\AppData\Local\Temp\7F9D.exe

C:\Users\Admin\AppData\Local\Temp\7F9D.exe

C:\Users\Admin\AppData\Local\Temp\8894.exe

C:\Users\Admin\AppData\Local\Temp\8894.exe

C:\Users\Admin\AppData\Local\Temp\8E11.exe

C:\Users\Admin\AppData\Local\Temp\8E11.exe

C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp" /SL5="$60122,3536428,54272,C:\Users\Admin\AppData\Local\Temp\8894.exe"

C:\Users\Admin\AppData\Local\Temp\8E11.exe

C:\Users\Admin\AppData\Local\Temp\8E11.exe

C:\Users\Admin\AppData\Local\Temp\F859.exe

C:\Users\Admin\AppData\Local\Temp\F859.exe

C:\Users\Admin\AppData\Local\Temp\178D.exe

C:\Users\Admin\AppData\Local\Temp\178D.exe

C:\Users\Admin\AppData\Local\Temp\2EC6.exe

C:\Users\Admin\AppData\Local\Temp\2EC6.exe

C:\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp" /SL5="$7011E,4081152,54272,C:\Users\Admin\AppData\Local\Temp\2EC6.exe"

C:\Users\Admin\AppData\Local\Temp\8FA7.exe

C:\Users\Admin\AppData\Local\Temp\8FA7.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\nsp30F.tmp

C:\Users\Admin\AppData\Local\Temp\nsp30F.tmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

"C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
UZ 195.158.3.162:80 trmpc.com tcp
US 8.8.8.8:53 en.bestsup.su udp
US 104.21.29.103:80 en.bestsup.su tcp
US 8.8.8.8:53 sjyey.com udp
PA 190.219.136.87:80 sjyey.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 93.186.202.32:9001 - tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
DE 142.93.169.197:9001 - tcp
DE 134.209.224.96:443 - tcp
NL 188.93.233.49:443 - tcp
CA 51.222.15.200:9001 - tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.fr udp

Files

C:\Users\Admin\AppData\Local\Temp\7733.dll
C:\Users\Admin\AppData\Local\Temp\789A.exe
C:\Users\Admin\AppData\Local\Temp\7F9D.exe
C:\Users\Admin\AppData\Local\Temp\8894.exe
C:\Users\Admin\AppData\Local\Temp\8E11.exe
\Users\Admin\AppData\Local\Temp\is-UOA4J.tmp\8894.tmp
C:\Users\Admin\AppData\Local\Temp\8FA7.exe
\Users\Admin\AppData\Local\Temp\7733.dll
C:\Users\Admin\AppData\Local\Temp\F859.exe
C:\Users\Admin\AppData\Local\Temp\178D.exe
\Users\Admin\AppData\Local\Temp\is-U6QD0.tmp\_isetup\_iscrypt.dll
\Users\Admin\AppData\Local\Temp\is-U6QD0.tmp\_isetup\_shfoldr.dll
C:\Users\Admin\AppData\Local\Temp\2EC6.exe
C:\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp
C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-4AJ29.tmp
\Users\Admin\AppData\Local\Temp\is-PB7CF.tmp\_isetup\_isdecmp.dll
\Users\Admin\AppData\Local\Temp\is-CU5O4.tmp\2EC6.tmp
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
\Users\Admin\AppData\Local\Temp\FourthX.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
\Users\Admin\AppData\Local\Temp\nsj714A.tmp\INetC.dll

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 7e16dda41b2ae464d9612815f0d3d6eb
SHA1 1b2486381b4e1cade80e200638f64d9fc4693ed5
SHA256 492a2edab7086f7989f9fb74f662683b7a12f47691c04ee6c764e335a0cbf2b1
SHA512 4549699fa1fdb320b22b5ac456a72d219c09a83b11cccdb9d49cfac26428721b710873304cc7109a6802bd79b52325ff6380e55c5b14a42dda6b1221c4f8e72b

memory/2996-286-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

memory/2996-288-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

memory/2996-293-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp30F.tmp

MD5 1d264333dd61f6b795e8b5583203ff9e
SHA1 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6
SHA256 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2
SHA512 d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2996-296-0x0000000002C6B000-0x0000000002CD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 029a5147d2f0d080800b095d06298a55
SHA1 6d53b0c00f128318d23de9db082989e30369baad
SHA256 cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512 b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c

memory/2996-294-0x0000000002C64000-0x0000000002C67000-memory.dmp

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b29cd31f15d37cebbe2804adc62ce2e9
SHA1 e036f370e3b9a849609823c1cf295c07968b91a0
SHA256 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA512 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 f26249769d27c4988588974f0afc5ad0
SHA1 e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 10da85ae04da6c225fd4ea9d204378c9
SHA1 d3730e020f9e2a5c217926180d44b65a91cf6a4a
SHA256 d753eef117aabaa8247c3bcea0d39f64cfeaf612193e30995f5c00ead203e9c5
SHA512 1cc1ef5da86f4683422301f8318c1bd6d30515aa36e1d6949eb749b47a3b557990b79f7bc682eb3e3f2ccef4155e56f8adeb1f09beec97de067acf40c91e9d69

memory/2260-320-0x0000000019DC0000-0x000000001A0A2000-memory.dmp

memory/2260-321-0x0000000000E00000-0x0000000000E08000-memory.dmp

memory/2260-324-0x0000000001464000-0x0000000001467000-memory.dmp

memory/2260-325-0x000000000146B000-0x00000000014D2000-memory.dmp

memory/2260-323-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 716b6e79efee22fe3f3503a241a5eb8c
SHA1 94ddf83d37704bccf33929fb1c9cb9972375dfb6
SHA256 9a9e270e138b57ce4cac1c2d159ad093f200076721548f144a9c241dd3189b2c
SHA512 d7b2a61c3f964ac49bf09a91fb2a50ef8bcb242af1b3541e8f0af808936ac828780dfaf93329b3d38a165ce223579fdfe909c56f786e76d737a80f0d5925131a

memory/2360-342-0x0000000019BD0000-0x0000000019EB2000-memory.dmp

memory/2360-344-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2360-346-0x0000000001054000-0x0000000001057000-memory.dmp

memory/2360-354-0x000000000105B000-0x00000000010C2000-memory.dmp

memory/2876-369-0x0000000077DBF000-0x0000000077DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 dc75ac469975abdedd45ea30c8668aa3
SHA1 d884888f16815b92d0581f23969944d9e333e225
SHA256 24e1b63bfa49da320f28f53008faf4e17f053373f767b765eaa39413bcbbad04
SHA512 fe81b45e6dcd867801a3d783c04ad62e8690c6c87bfe1279cd4d5bf108b8294e3c6151679927d97abdeab455becc669b27cee2124dc70b641147ea27badbdf76

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 115c48091793a2d2c4995b3b5125f215
SHA1 b6c73454c5ffa0786eb019bfd4033c09c3f96b95
SHA256 7dace915ad25b86af4f58b19ee3584e23720b552db8ca34641d21b670e3442df
SHA512 ec87da2198f1651921ce550d56adcbbef25e1826ef3ac97c7f8aa73e198c009e4b66c87a33bff6f6bfea416015dbcce8b9c0fc9dc103c60bcc83aff13aba1ca4

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 d5ac8347ec7fe6b3267af60cf71255a7
SHA1 f8258729ec532f3161b0affd5082fbb5b194805d
SHA256 ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27
SHA512 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296

memory/2112-409-0x0000000000890000-0x0000000000898000-memory.dmp

memory/2112-407-0x0000000019FC0000-0x000000001A2A2000-memory.dmp

memory/2112-422-0x000007FEF5630000-0x000007FEF5FCD000-memory.dmp

memory/2112-424-0x0000000001574000-0x0000000001577000-memory.dmp

memory/2112-426-0x000000000157B000-0x00000000015E2000-memory.dmp

C:\Windows\TEMP\gbfbijmbpkdw.sys

MD5 0c0195c48b6b8582fa6f6373032118da
SHA1 d25340ae8e92a6d29f599fef426a2bc1b5217299
SHA256 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5
SHA512 ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d

memory/1824-425-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 04:52

Reported

2024-02-22 04:57

Platform

win10-20240221-en

Max time kernel

262s

Max time network

300s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\E5B1.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\B76A.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1848 set thread context of 3840 N/A C:\Users\Admin\AppData\Local\Temp\E5B1.exe C:\Users\Admin\AppData\Local\Temp\E5B1.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2405.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2405.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2405.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nso274C.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nso274C.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\System\CurrentControlSet C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3368 wrote to memory of 4848 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4848 wrote to memory of 4052 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3368 wrote to memory of 3180 N/A N/A C:\Users\Admin\AppData\Local\Temp\B76A.exe
PID 3368 wrote to memory of 4828 N/A N/A C:\Users\Admin\AppData\Local\Temp\C92E.exe
PID 3368 wrote to memory of 3224 N/A N/A C:\Users\Admin\AppData\Local\Temp\DAC3.exe
PID 3224 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\DAC3.exe C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp
PID 3216 wrote to memory of 4280 N/A C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3216 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3368 wrote to memory of 1848 N/A N/A C:\Users\Admin\AppData\Local\Temp\E5B1.exe
PID 1848 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\E5B1.exe C:\Users\Admin\AppData\Local\Temp\E5B1.exe
PID 3368 wrote to memory of 1744 N/A N/A C:\Users\Admin\AppData\Local\Temp\ECB7.exe
PID 3368 wrote to memory of 4932 N/A N/A C:\Users\Admin\AppData\Local\Temp\13F6.exe
PID 4932 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\13F6.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4932 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\13F6.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4932 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\13F6.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4296 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3368 wrote to memory of 3896 N/A N/A C:\Users\Admin\AppData\Local\Temp\2405.exe
PID 2548 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4296 wrote to memory of 4924 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nso274C.tmp
PID 3368 wrote to memory of 1836 N/A N/A C:\Users\Admin\AppData\Local\Temp\3C31.exe
PID 1836 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\3C31.exe C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe

"C:\Users\Admin\AppData\Local\Temp\f81cc35bd0f7599ab29084c262f6e1237bfec2d77db9820a4b4699d67f93ebf1.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5E2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B5E2.dll

C:\Users\Admin\AppData\Local\Temp\B76A.exe

C:\Users\Admin\AppData\Local\Temp\B76A.exe

C:\Users\Admin\AppData\Local\Temp\C92E.exe

C:\Users\Admin\AppData\Local\Temp\C92E.exe

C:\Users\Admin\AppData\Local\Temp\DAC3.exe

C:\Users\Admin\AppData\Local\Temp\DAC3.exe

C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-UFNL0.tmp\DAC3.tmp" /SL5="$302DC,3536428,54272,C:\Users\Admin\AppData\Local\Temp\DAC3.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\E5B1.exe

C:\Users\Admin\AppData\Local\Temp\ECB7.exe

C:\Users\Admin\AppData\Local\Temp\ECB7.exe

C:\Users\Admin\AppData\Local\Temp\13F6.exe

C:\Users\Admin\AppData\Local\Temp\13F6.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\2405.exe

C:\Users\Admin\AppData\Local\Temp\2405.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nso274C.tmp

C:\Users\Admin\AppData\Local\Temp\nso274C.tmp

C:\Users\Admin\AppData\Local\Temp\3C31.exe

C:\Users\Admin\AppData\Local\Temp\3C31.exe

C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp" /SL5="$702A8,4081152,54272,C:\Users\Admin\AppData\Local\Temp\3C31.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\E5B1.exe

MD5 b68c06311883b3cea5fb16225d495fa3
SHA1 b092330537454602b87a65a621d3f8136c940629
SHA256 8edb6e867a4ed0e5f3fe4bb4fda3965162c2ea6cb81a4b89503d40caa9a565be
SHA512 31996e5ed5b3ddb2640d3f0579933bf4dd474ac8d557707f202cb07f94a8943d0777d3e271fe518fc825bedb12561dc07f605e814cd9b276bb7cddb764a5baae

memory/3840-135-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3840-136-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3840-137-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3840-138-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\B5E2.dll

MD5 6dcece9c805f33365b7c109efd71beb5
SHA1 edadd660c6b8e165c40ffab8bd55bfb788e0fe70
SHA256 68cfc37357ea36f1f08f630d954b1b7b0aec45c2afa907a7302c2abd175fb11a
SHA512 6757db07e009e0391d9a48da78a9d8bfa4c5b4b98ace88550b28878b4f2d0cf15b62f017bb465b402a5eb71f9d263b5c63b89956bddf204561cf5738716e27bb

memory/3840-141-0x0000000000A00000-0x0000000000A06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ECB7.exe

MD5 8ecc17d2df0678a4dd4ecd24915f15cd
SHA1 e05782dd5a4da0a2fbd6418f2ca9a738b5185e64
SHA256 25e9e66f3cf68811568a4c48f5d5b401aa7b4ce3d1f26a6653ac69fbff2411c1
SHA512 7ef3e2161399b4934e1f238c2e75c286327058d512c99231f0252a71fe30848b221ab38e050ac835e9e9ea1aad37055d6e558cc1924f4b36888497abb358ccf7

C:\Users\Admin\AppData\Local\Temp\ECB7.exe

MD5 6a87f5c791f9660d1007b5a163ce9d23
SHA1 596eb0b150e966295e1833bcf38ee1016ca9d242
SHA256 49c9882974cb1da926abce4653b49d0a68a7a0dad0c0009274d6a956aad225ee
SHA512 1f5e6b28c8cec4b1fd39c942cd7056abd0f979a66f3ee25b5c9bed99947909a240dc676e764b8750e2356e647b55f39ff65e571dfe0f436e277006e9e6845128

memory/3224-148-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3216-149-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/4792-150-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\13F6.exe

MD5 81a4b7e8eb05ba5252fcf6f06fa1d8ad
SHA1 36e9c9a943f841a8f4b48c2f8a22ca1c32861144
SHA256 fa6d0da78f7ce3c47e7840075dcd1c5f6d90f42c815f68ce69b1b093b661bde3
SHA512 0fd7bbc145abe87470b2f878b67db0e35358fcf06a8ce82b06364e0d6e8b1712e41e0be6010f53478676622237c7e13766f934d264a8a17cdb3f83ca341d0bb4

C:\Users\Admin\AppData\Local\Temp\13F6.exe

MD5 79b1c5df98d3810ec21749780349ffcf
SHA1 3cc7f65d34f769f69fb980cce070238911fbb886
SHA256 bd3facb8ea2d3515a83054f88dfa3588f47236e3773f5cb720c9cbf2e0e429de
SHA512 68c57dc48582ceb0bed781fbf91440694232be6d5e8ca24886dca13daffa1ef13663e56c18298c4a77e1d84903c251508ca7cae31b6ef94a2b45e814ab99b55e

memory/4932-158-0x0000000072050000-0x000000007273E000-memory.dmp

memory/4932-157-0x0000000000280000-0x0000000000B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 1a5f11fd65b25fdfe3e69eccc28265c3
SHA1 a11ac870691fa1e11a65b66cc7f8e7c248e4eaff
SHA256 e912690bfbfa7419712c65800f1218650c7be1a5e50f8c74c1a5a0de9942587c
SHA512 0630429a6f88026938b81669dcbb8b50ff958f2f46a908bb6d9dc40530ae39f2c859c5a74adb9a824caea67ee9b2ccccbc16ea9aff63e9ac7bf6af3954b5a066

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 91d1d07a874ad5c5616d302ac8e6f561
SHA1 855effd1b0e9d7db5407d6fda1e70fd1d0474d79
SHA256 f390e1c5324f2df81127fbc5833e385b97e36557d4ccd2ba0b26a31302194af0
SHA512 22a0b2f27b4ea5e96f1fa194158c1ef6351abe6076fe1db35ceaaca229cda80e87171acc9b71c58546f9ba3d3e94dd3f02600b78b1c8fae1d6e5f9e6365d7335

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 833517b362dce1a28f7d320bbf8a42a1
SHA1 949e3fcaa1956717bb7c824aaf511cca77581c93
SHA256 4c323af4e7545e09789941715baed39c4d15737fccd1f59b2695e85b5128ee9e
SHA512 d65e88e366ae27fd0aa868ca75060b4293950c51b2c5c247d1756037e8d76ea6287bc87c3a05316902d316306c1ed506e7a54f46e72da95f82e28fdfa8dbe2a7

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 0d186841287a0da01d58f36efe45c296
SHA1 7cd78b1adb0f2050ccb809a1e880fb7aafa9bc73
SHA256 45bc3cc6ac85666f2e2ffe81fc10e8a1b97256f2fbbbecbcb89edd9b98825882
SHA512 4741df559792693b5e58fa97c67f1f755fbafad18d7a627fee1d34990460ab4a1592706d980e85018aa02ce5d040406587f726c72899e92eec9b681a851d2029

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 1da12eb5ed9c3654e3e05e07965b07ca
SHA1 33409895e02523a9272c7c3d4f983f9c9967ae8a
SHA256 07311bd84df02d85b6a56555dbe775262535fc6597cd5aa73117d303365b8716
SHA512 3c3f6ba87a95ce46b2c0e88add185d3f6fbc7f98a9bc7910bf5ca6bf65fb23f55c7e56886aa784f2307f7e5e207138d7d84eb8c2e7043dc9a4abd74528ef4a17

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 0961b07158f26d26393a22e86859974e
SHA1 e6f54f12a426ce23e51714f05b7d8ff462af57e2
SHA256 54325a76735dd25e03879ec602c6cee8fc7cdb49315a2b013750efe42cece28a
SHA512 d4ba0006472fbf293b18f5c05b556949392ae5f8f8d53b351e11a0f1ebb56ef37beec0e6dbc5560e076d64cc43e34167b2fa95c809ffb21b2bbf5752ac7f0473

memory/4932-177-0x0000000072050000-0x000000007273E000-memory.dmp

memory/3840-178-0x0000000002C50000-0x0000000002D74000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsk1DD5.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 1844d76e7d4331107eeb8fc6274fa9b2
SHA1 82ae81925c68a662af3b5243db9ae9d0b1721958
SHA256 0fddf79ba668abf7a760e7076da3fdcca389e221c5005b10737a75b271da3aa1
SHA512 2be6c7a7f25b12ee3082f122fd17ded3697dd97518e41765d49f5141e969b6e4d24f664a6aae29e647c2e8d7518d3a6b1216c8a460a7425ab4c60e5bd60dc947

memory/3840-185-0x0000000002D80000-0x0000000002E88000-memory.dmp

memory/5012-186-0x00000000028F0000-0x0000000002CF6000-memory.dmp

memory/5012-188-0x0000000002E00000-0x00000000036EB000-memory.dmp

memory/3840-190-0x0000000002D80000-0x0000000002E88000-memory.dmp

memory/5012-191-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2548-193-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/4792-192-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2405.exe

MD5 0a107bf148f82af636813c98bffaf1aa
SHA1 5d94b205bb3aa52479c87ad9be192580a1fb1ce0
SHA256 8acc5a6eacd080c06ee91150388700c910fc300cb3f85585dd4667f20dd11e9d
SHA512 7ee46e7081826a8190e67f94009998085e584254d910e3f57dc7d9b5931e1cb6662aa52ef6f3c404a6fe41a30621a51ab5a846131497afaf27b9c20eeed9fb4c

C:\Users\Admin\AppData\Local\Temp\2405.exe

MD5 8c898b181136238560dc7d857363a362
SHA1 2eb52e150ce15e1e2770ce8a0aa6463e04241655
SHA256 868aaad983185c9de720ab7b1e3089788580f145ba855c5c32e4233bf079dee5
SHA512 48bdf0ae698477a0bf99c8775bed611b47a630d1ce69912797fc5a029bc9ac2b514cfd6a2651dfbf9961efb382548faf16030e3dd06ab9d7387365ebf7390cfa

memory/3896-199-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

memory/3896-200-0x0000000002EA0000-0x0000000002EAB000-memory.dmp

memory/3896-207-0x0000000000400000-0x0000000002D35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso274C.tmp

MD5 1d264333dd61f6b795e8b5583203ff9e
SHA1 88bb193ee2e8b088bd7d3174c2ebe67eab3c6bd6
SHA256 71027e689116445930e37ce7c8837654f3d457dff6feabb0a6726d3899b7d1d2
SHA512 d1dd4fbda68053b80cd3b889c9f66c6cd2077ed353cd17ddb35cfc6a85d30f7d16150852593e89ac2a4d11bcde7e0d1289c343bb9228d9de86d4c8bc01c6aaa7

memory/4924-217-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/4924-218-0x0000000002DA0000-0x0000000002DD4000-memory.dmp

memory/4924-219-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/4792-220-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3368-222-0x0000000002D20000-0x0000000002D36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C31.exe

MD5 a071948d0b1884e42a362d980c3403b9
SHA1 1b22ec256c8fcaca203b73cc0270acca9554110f
SHA256 f70e172f986824c12345eb18bbe8361ea0ae9bad8179ab23c0e9ec97660a7358
SHA512 a260fd5e418aafda5ae5cced9b67a878e0219ce54f4a22668a8cc6d5c4d7d8f45dcdeef839d7d97cbb5079f0e915daeb5f4e2d71047d374516e0a82883e29408

memory/3896-232-0x0000000000400000-0x0000000002D35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3C31.exe

MD5 3b9ed878856f3a69e5b6d76080345c95
SHA1 31f7e3f63e91f73384a3e3fb00d804d8793b2a5f
SHA256 7b05e5025320037f9daf62f8e7fe637086e6b306e84926a8b0d5b29a25ef13fd
SHA512 978f25010acafdc0ef4d1b73cb6d01f43423137476e2069e8ab56ca8983170c8d9afda7b678cf79c849cfd20f570662b065d143f40b12e0889196d7b71c08adf

memory/1836-236-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VQSHU.tmp\3C31.tmp

MD5 b11909d5e4e08b1a6da220eca474d49f
SHA1 b42582ab65d400f3450907ddc0857092c4daa4a8
SHA256 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
SHA512 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-6PC46.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

memory/864-268-0x00000000001F0000-0x00000000001F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-H2U6D.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\is-H2U6D.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4924-352-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/3720-371-0x00007FFBCC1E0000-0x00007FFBCCBCC000-memory.dmp

memory/3720-372-0x0000013D4C430000-0x0000013D4C440000-memory.dmp

memory/3720-373-0x0000013D4C430000-0x0000013D4C440000-memory.dmp

memory/5012-374-0x00000000028F0000-0x0000000002CF6000-memory.dmp

memory/3720-375-0x0000013D4C400000-0x0000013D4C422000-memory.dmp

memory/3720-378-0x0000013D4C6C0000-0x0000013D4C736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t0uqovn0.afg.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/3720-410-0x0000013D4C430000-0x0000013D4C440000-memory.dmp

memory/4104-426-0x0000000005220000-0x0000000005256000-memory.dmp

memory/4104-429-0x0000000007A10000-0x0000000008038000-memory.dmp

memory/4104-431-0x0000000005300000-0x0000000005310000-memory.dmp

memory/4104-430-0x00000000718B0000-0x0000000071F9E000-memory.dmp

memory/4104-432-0x0000000005300000-0x0000000005310000-memory.dmp

memory/5012-428-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2548-434-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/3720-437-0x0000013D4C430000-0x0000013D4C440000-memory.dmp

memory/4104-438-0x0000000007980000-0x00000000079A2000-memory.dmp

memory/4104-439-0x00000000080B0000-0x0000000008116000-memory.dmp

memory/4104-440-0x0000000008220000-0x0000000008286000-memory.dmp

memory/4104-441-0x00000000082A0000-0x00000000085F0000-memory.dmp

memory/4792-446-0x00000000009C0000-0x0000000000A62000-memory.dmp

memory/4104-450-0x00000000086D0000-0x00000000086EC000-memory.dmp

memory/4104-451-0x0000000008740000-0x000000000878B000-memory.dmp

memory/4104-470-0x0000000009740000-0x000000000977C000-memory.dmp

memory/4104-501-0x00000000098E0000-0x0000000009956000-memory.dmp

memory/4104-508-0x000000000A690000-0x000000000A6C3000-memory.dmp

memory/4104-510-0x0000000072470000-0x00000000724BB000-memory.dmp

memory/4104-512-0x000000006E6F0000-0x000000006EA40000-memory.dmp

memory/4104-514-0x00000000097C0000-0x00000000097DE000-memory.dmp

memory/4104-524-0x000000000A6D0000-0x000000000A775000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 56b83c068dc6c8df9c02236e9587cd42
SHA1 9803091206a0fff470768e67577426cce937a939
SHA256 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
SHA512 e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 d5ac8347ec7fe6b3267af60cf71255a7
SHA1 f8258729ec532f3161b0affd5082fbb5b194805d
SHA256 ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27
SHA512 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296

C:\Users\Admin\AppData\Roaming\sehhdhg

MD5 3dd02e3a7d6552f6312e29bc4189c06a
SHA1 c52bb026df26445a1e4ccf66baf61d99ecd1ff8a
SHA256 cb34f0fe3c44490fcf75fae3bfbda353d52b8463ad4f12a67c503e9c3d855a70
SHA512 4a64121a31e09d6114209fbf91f2ff1d130d8faa7c7d2a739e461c0cf6230072afabd51da34f38d476df1ecec89f111c1d63136a22bba187cc20b66dc7aa4485

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a97b7709ded87e52ee06c4b8b181034c
SHA1 b9d7b8477766d6316329c395eb38cc9fd914a00a
SHA256 9f470f144df5ad788b012450bdb5ae2007221434974ae64390081ec523e30169
SHA512 b8b9af25459da9e60935a0ffb807d8e3df291e7003f18f1b904817562c345c7652f249121d4ceed48c2d3d013a72393ed3637b74f91f602a6105ac60e55e53f0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 efbb7bd0d9e1bfc523146661beb53958
SHA1 ad1053b6c245e7ed0e496711f9c930ab1ccc9dec
SHA256 73b5b13cfafdef87fe297e0009aa95267436af2fea12b49b2aa6a5bb66383297
SHA512 89402d62180a356edc36b735bd6f326df20c0b8e63ff248c59d44102745d365c3184516743086b19c6a5abfc12196697917ab075b70cfdd74d731bfdd8c62f6f

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 7aac7c53b58a8b0a0b23552816658244
SHA1 296b3e96334a230b623c91284b3efb223fca218e
SHA256 d9619d2067c02e6cdbe31e2971cd22d05e4f4051ad4257f1011030c656188bc2
SHA512 4230577e5cd538dd5c333de1f0cb2c6086c0fbe100c1bbd8bf6a8e6700acef62487e9ecd97f9e7a6da7a9f95c9bffdc023aa68daa062df275cc9909208c85045

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 bfedf45e11243a852f6f99233078cd28
SHA1 f14063b7d324eb03f864dac1899f1fbb25754e34
SHA256 3695c24fb861df4b2624fb4dab745ceec1238cbf4e90de58c300a182d9f69383
SHA512 3967a5acdaad569e8fe655a31310eb8874fcac73e21e2034c1490492aa2b6a7674cff18af128da638f51f0326065b8519ed9c55d835e945bcacb66ad385dd8e3

C:\Windows\rss\csrss.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e3914e62a23dcc3c07a382101732c39a
SHA1 02cd9703f81f57add46c1d6e9cbdd1f77dde1442
SHA256 3807e60da220f387b3ddecbc2e6e7786967f1f81b9521f7908f4833ae7d5d262
SHA512 d4b7e9d78b329d21ae12652c5f0a1ad0b71cc4c2249754099caf3798bfdeb3eadffc1a735492f13cf0784db4d92de02deb5061a2cebebbc8c529dcdeecba4808

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 405fe91c736dfd5d67770881bb147272
SHA1 be8f088b303dc625dbecad44264bdf4a7ee8c691
SHA256 35cd503f042a7031124b2f5c09c62a3028f344cefc72e82f570f18263bb4379c
SHA512 665e902b7b6a51a4496ee382ed4ad8dd67cef564ffc84294c261fc850aed70db688f5f75f3add8b6d0c57aae2f407f100115101856b3c506a0e78725e9fc03a0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 036c94be7691e9f6aabbd6ab24a6a502
SHA1 6bbe6345b92534741eb8a1b3237f77b61e916414
SHA256 f8dcc32e05b38bcfb3cd672c591ff9639404dabfd960022102732ad1ddb90ffd
SHA512 2b52e547e60cbfd84a50b0477460daa5686dd6b61f9cd3d668f75eb0d7dc2232be4dae161e7ecd28ed5dacdd9d0cbe98680611a00645bab4d88bea4c4668f51a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9fc15a19f74d62d36e895d9d2e128330
SHA1 48f961724da70398d758da9ceec84db407071cce
SHA256 d7c2f6463a24473c6419278c858e931f20b77562a44f8e405368f87756d411f6
SHA512 58e754a958665b5d9db72d7e1e66e1aa45dbf111a8343d85998176d00348693d8881fe373f877b1143c41721680d4f0d55aaa4b2b098d687882b127ab4fa53f4

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 207306451fbe1b6ee1974317bad2021a
SHA1 583b15d7e76d0237f36b40821bc63b542ef3094f
SHA256 776002c93f9fbf09203b989100f9b59a517e27659daa88e3697aa48d37af58d4
SHA512 ada7c88d5ed4365294c6045c2c297fe81703b33284a6b29fc2ca264440aac189c06960529cef24c847d7e6ddde22258614d4c918c0822d9c0ea69a4f66bd8754

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec