Malware Analysis Report

2024-11-30 04:47

Sample ID 240222-g3e5kadh67
Target d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe
SHA256 d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879
Tags
dcrat glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan lumma upx
score
10/10

Analysis Overview

score
10/10

SHA256

d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879

Threat Level: Known bad

The file d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

DcRat

Lumma Stealer

Stealc

Glupteba payload

SmokeLoader

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables containing URLs to raw contents of a Github gist

Detects executables packed with VMProtect.

UPX dump on OEP (original entry point)

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing artifacts associated with disabling Windows Defender

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects executables Discord URL observed in first stage droppers

Creates new service(s)

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

Reads data files stored by FTP clients

Executes dropped EXE

Deletes itself

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Checks processor information in registry

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 06:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 06:19

Reported

2024-02-22 06:22

Platform

win7-20240221-en

Max time kernel

115s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36DD.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36DD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B4C5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\EDA2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\36DD.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\EB2B.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1576 set thread context of 1492 N/A C:\Users\Admin\AppData\Local\Temp\36DD.exe C:\Users\Admin\AppData\Local\Temp\36DD.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240222062116.cab C:\Windows\system32\makecab.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\956.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BCE0.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BCE0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wedbwii N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wedbwii N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\wedbwii N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BCE0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-562 = "SE Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-21 = "Cape Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-552 = "North Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-791 = "SA Western Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wedbwii
PID 2396 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wedbwii
PID 2396 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wedbwii
PID 2396 wrote to memory of 3028 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\wedbwii
PID 1192 wrote to memory of 2628 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2628 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2628 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2628 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2628 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2628 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1192 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2B.exe
PID 1192 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2B.exe
PID 1192 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2B.exe
PID 1192 wrote to memory of 1188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB2B.exe
PID 1192 wrote to memory of 864 N/A N/A C:\Users\Admin\AppData\Local\Temp\956.exe
PID 1192 wrote to memory of 864 N/A N/A C:\Users\Admin\AppData\Local\Temp\956.exe
PID 1192 wrote to memory of 864 N/A N/A C:\Users\Admin\AppData\Local\Temp\956.exe
PID 1192 wrote to memory of 864 N/A N/A C:\Users\Admin\AppData\Local\Temp\956.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 1192 wrote to memory of 2160 N/A N/A C:\Users\Admin\AppData\Local\Temp\2224.exe
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 2160 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\2224.exe C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp
PID 864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\956.exe C:\Windows\SysWOW64\WerFault.exe
PID 864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\956.exe C:\Windows\SysWOW64\WerFault.exe
PID 864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\956.exe C:\Windows\SysWOW64\WerFault.exe
PID 864 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\956.exe C:\Windows\SysWOW64\WerFault.exe
PID 2152 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1192 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\36DD.exe
PID 1576 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\36DD.exe C:\Users\Admin\AppData\Local\Temp\36DD.exe
PID 1192 wrote to memory of 896 N/A N/A C:\Users\Admin\AppData\Local\Temp\4790.exe
PID 2152 wrote to memory of 2948 N/A C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe

"C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8AEE55CF-5AAE-480B-B8D3-69E73CCFC8F3} S-1-5-21-3787592910-3720486031-2929222812-1000:HSNHLVYA\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\wedbwii

C:\Users\Admin\AppData\Roaming\wedbwii

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E734.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E734.dll

C:\Users\Admin\AppData\Local\Temp\EB2B.exe

C:\Users\Admin\AppData\Local\Temp\EB2B.exe

C:\Users\Admin\AppData\Local\Temp\956.exe

C:\Users\Admin\AppData\Local\Temp\956.exe

C:\Users\Admin\AppData\Local\Temp\2224.exe

C:\Users\Admin\AppData\Local\Temp\2224.exe

C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0NHE9.tmp\2224.tmp" /SL5="$8011E,3536428,54272,C:\Users\Admin\AppData\Local\Temp\2224.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 128

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\36DD.exe

C:\Users\Admin\AppData\Local\Temp\36DD.exe

C:\Users\Admin\AppData\Local\Temp\36DD.exe

C:\Users\Admin\AppData\Local\Temp\36DD.exe

C:\Users\Admin\AppData\Local\Temp\4790.exe

C:\Users\Admin\AppData\Local\Temp\4790.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\B4C5.exe

C:\Users\Admin\AppData\Local\Temp\B4C5.exe

C:\Users\Admin\AppData\Local\Temp\BCE0.exe

C:\Users\Admin\AppData\Local\Temp\BCE0.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

C:\Users\Admin\AppData\Local\Temp\EDA2.exe

C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp

C:\Users\Admin\AppData\Local\Temp\nsuED4E.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0627H.tmp\EDA2.tmp" /SL5="$501D4,4081152,54272,C:\Users\Admin\AppData\Local\Temp\EDA2.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222062116.log C:\Windows\Logs\CBS\CbsPersist_20240222062116.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/976-463-0x0000000000CD5000-0x0000000000CED000-memory.dmp

memory/976-465-0x0000000000400000-0x0000000000822000-memory.dmp

memory/976-464-0x00000000009C0000-0x00000000009F4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 33b8ba6f4e6cf8d6e5c03d34d23fe31a
SHA1 99d4bec17b62f738c26521dbebce96b1c65bc675
SHA256 b279c9930b44a044278a47405617dfe1a2337fde9196cbd8dbeb9f43c70ed41e
SHA512 9ec1ca744c884bb09ff34cbb235ce5abd12f31c6a640bda29b5bc65c86a723d921f89150789c54ea429b47c618fd2cc35ba27037021c00ab3766739ba5f39131

memory/2572-486-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/2572-487-0x0000000002C00000-0x00000000034EB000-memory.dmp

memory/2572-488-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2644-501-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

memory/2644-502-0x0000000002320000-0x0000000002328000-memory.dmp

\Windows\rss\csrss.exe

MD5 fd26cab6c96936e2099e81ca9b288e56
SHA1 f7b705cfc487f8bf805b8f9a57287eba9174cb1b
SHA256 469e51bf5af4cf24653e928e70bb568c663de74669f44bf79bf2289ba0ded64b
SHA512 6e269eab404858b4428c3a935cb70a854d5c3aeeb9cef23d6b7f86ff82ca7439c058af6165c595bb82a2449375725d9cf004af224f1055f16ff53224117691a1

memory/1620-512-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/2644-511-0x000007FEF4480000-0x000007FEF4E1D000-memory.dmp

memory/2644-513-0x0000000002594000-0x0000000002597000-memory.dmp

memory/1620-515-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2644-514-0x000000000259B000-0x0000000002602000-memory.dmp

memory/1156-557-0x0000000019A10000-0x0000000019CF2000-memory.dmp

memory/1156-558-0x0000000000CE0000-0x0000000000CE8000-memory.dmp

memory/1156-572-0x000007FEF4D10000-0x000007FEF56AD000-memory.dmp

memory/1156-574-0x00000000011B4000-0x00000000011B7000-memory.dmp

memory/1156-582-0x00000000011BB000-0x0000000001222000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7B62.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar8BF9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 27176f416bf1c3d21e329b396911e5b5
SHA1 08e0f425ab769b1054472445fa82b6558edc61f1
SHA256 2e3e969455e60c6d94f906853bb768396a146d3d8b3edec6c4bec8cca3cfa9d2
SHA512 6fdc0b4bd4680de708cf448282ce7e292e09286c6172066d88c275673ea9f394af8cdb7ca69c5f19e785b569524559c69e50ecc468dfa041c42c584ba90885ac

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 06:19

Reported

2024-02-22 06:22

Platform

win10v2004-20240221-en

Max time kernel

72s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\CCBA.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing Discord URLs observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\F505.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\CCBA.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\B15F.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2920 set thread context of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36D.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36D.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\36D.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2892 = "Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\36D.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OQDMM.tmp\132D.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3468 wrote to memory of 3564 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3468 wrote to memory of 3564 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3564 wrote to memory of 224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3564 wrote to memory of 224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3564 wrote to memory of 224 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3468 wrote to memory of 1504 N/A N/A C:\Users\Admin\AppData\Local\Temp\B15F.exe
PID 3468 wrote to memory of 1504 N/A N/A C:\Users\Admin\AppData\Local\Temp\B15F.exe
PID 3468 wrote to memory of 1504 N/A N/A C:\Users\Admin\AppData\Local\Temp\B15F.exe
PID 3468 wrote to memory of 1408 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE02.exe
PID 3468 wrote to memory of 1408 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE02.exe
PID 3468 wrote to memory of 1408 N/A N/A C:\Users\Admin\AppData\Local\Temp\BE02.exe
PID 3468 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe
PID 3468 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe
PID 3468 wrote to memory of 1404 N/A N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe
PID 1404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp
PID 1404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp
PID 1404 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\C74A.exe C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp
PID 3468 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 3468 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 3468 wrote to memory of 2920 N/A N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 2920 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\CCBA.exe C:\Users\Admin\AppData\Local\Temp\CCBA.exe
PID 3468 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\D074.exe
PID 3468 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\D074.exe
PID 3468 wrote to memory of 3100 N/A N/A C:\Users\Admin\AppData\Local\Temp\D074.exe
PID 2060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2060 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2060 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2060 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2060 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3468 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F505.exe
PID 3468 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F505.exe
PID 3468 wrote to memory of 4900 N/A N/A C:\Users\Admin\AppData\Local\Temp\F505.exe
PID 4900 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4900 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4900 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4900 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4900 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4900 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4900 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4900 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\F505.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3468 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\36D.exe
PID 3468 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\36D.exe
PID 3468 wrote to memory of 1800 N/A N/A C:\Users\Admin\AppData\Local\Temp\36D.exe
PID 2524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2524 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2524 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp
PID 2524 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp
PID 2524 wrote to memory of 224 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp
PID 2220 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2220 wrote to memory of 3760 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3468 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\132D.exe
PID 3468 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\132D.exe
PID 3468 wrote to memory of 772 N/A N/A C:\Users\Admin\AppData\Local\Temp\132D.exe
PID 3760 wrote to memory of 236 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe

"C:\Users\Admin\AppData\Local\Temp\d9e9ad2e1129ea6aa884668a13f6e3b73b7cedaa7fec69a38c4e683bea546879.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AF89.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\AF89.dll

C:\Users\Admin\AppData\Local\Temp\B15F.exe

C:\Users\Admin\AppData\Local\Temp\B15F.exe

C:\Users\Admin\AppData\Local\Temp\BE02.exe

C:\Users\Admin\AppData\Local\Temp\BE02.exe

C:\Users\Admin\AppData\Local\Temp\C74A.exe

C:\Users\Admin\AppData\Local\Temp\C74A.exe

C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp" /SL5="$60090,3536428,54272,C:\Users\Admin\AppData\Local\Temp\C74A.exe"

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

C:\Users\Admin\AppData\Local\Temp\D074.exe

C:\Users\Admin\AppData\Local\Temp\D074.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\F505.exe

C:\Users\Admin\AppData\Local\Temp\F505.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\36D.exe

C:\Users\Admin\AppData\Local\Temp\36D.exe

C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp

C:\Users\Admin\AppData\Local\Temp\nseF7E.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\132D.exe

C:\Users\Admin\AppData\Local\Temp\132D.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\is-OQDMM.tmp\132D.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OQDMM.tmp\132D.tmp" /SL5="$80118,4081152,54272,C:\Users\Admin\AppData\Local\Temp\132D.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -i

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -s

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 224 -ip 224

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 3060 -ip 3060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3060 -s 912

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 224 -s 1984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile
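
The process list above is the most useful part of this report for a detection engineer: the persistence and defence-evasion steps are all plain command lines (schtasks, netsh advfirewall, Add-MpPreference, sc create/stop, wusa /uninstall /kb:890830, regsvr32 /s). The following script is an added example written for this page, not part of the sandbox output, that runs a small rule set over those command lines and maps each hit to an ATT&CK technique. The rules, the technique mapping and the `PATH_ARG` extractor are the editor's own assumptions; the sample input is copied from the command lines listed above.

```python
import re
from collections import OrderedDict

# Command lines copied from the sandbox process list above (sample input for this example).
SAMPLE_COMMAND_LINES = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\AF89.dll",
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'''netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes''',
    r"""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force""",
    r'''C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"''',
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'''schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F''',
    r"powershell -nologo -noprofile",   # not flagged: no technique-specific argument
    r"chcp 1251",                       # not flagged
]

# (description, ATT&CK technique, pattern). Mapping is the editor's assumption.
RULES = [
    ("Scheduled task created", "T1053.005",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("Inbound firewall allow rule added", "T1562.004",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd\s+rule\b.*\baction=allow\b", re.I)),
    ("Defender exclusion added", "T1562.001",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    ("Service created with attacker-controlled binpath", "T1543.003",
     re.compile(r"\bsc(\.exe)?\b\s+create\b.*\bbinpath=", re.I)),
    ("Windows Event Log service stopped", "T1562.002",
     re.compile(r"\bsc(\.exe)?\b\s+stop\s+eventlog\b", re.I)),
    # KB890830 is the Windows Malicious Software Removal Tool; uninstalling it is tool tampering.
    ("Malicious Software Removal Tool (KB890830) uninstalled", "T1562.001",
     re.compile(r"\bwusa(\.exe)?\b.*\s/uninstall\b.*\s/kb:890830\b", re.I)),
    ("DLL executed silently via regsvr32", "T1218.010",
     re.compile(r"\bregsvr32(\.exe)?\b\s+/s\b.*\.dll\b", re.I)),
]

# Pulls the binary out of "/tr ...", "binpath= ..." and "program=..." arguments
# (assumed argument forms; quotes in either style are stripped).
PATH_ARG = re.compile(r"""(?:/tr|binpath=|program=)\s*["']*([^"']+)""", re.I)


def classify(command_line):
    """Return every (description, technique_id) whose pattern matches the command line."""
    return [(desc, tid) for desc, tid, pattern in RULES if pattern.search(command_line)]


def triage_command_lines(command_lines):
    """Map each flagged command line to its matches; lines with no hit are omitted."""
    report = OrderedDict()
    for cmd in command_lines:
        hits = classify(cmd)
        if hits:
            report[cmd] = hits
    return report


def technique_ids(command_lines):
    """Sorted, de-duplicated set of technique IDs observed across the input."""
    return sorted({tid for hits in triage_command_lines(command_lines).values() for _, tid in hits})


def persisted_paths(command_lines):
    """Binaries the flagged commands register as tasks, services or firewall exemptions."""
    found = set()
    for cmd in triage_command_lines(command_lines):
        found.update(m.strip() for m in PATH_ARG.findall(cmd))
    return sorted(found)


if __name__ == "__main__":
    for cmd, hits in triage_command_lines(SAMPLE_COMMAND_LINES).items():
        print(cmd)
        for desc, tid in hits:
            print(f"    {tid}  {desc}")
    print("techniques:", technique_ids(SAMPLE_COMMAND_LINES))
    print("persisted binaries:", persisted_paths(SAMPLE_COMMAND_LINES))
```

The two bare `powershell -nologo -noprofile` lines are deliberately not flagged: with no script argument on the command line there is nothing to match, so the payload in those cases has to be recovered from script-block logging (Event ID 4104) or from the parent process, not from the command line.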

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
KR 211.171.233.129:80 trmpc.com tcp
US 8.8.8.8:53 129.233.171.211.in-addr.arpa udp
US 8.8.8.8:53 en.bestsup.su udp
US 172.67.171.112:80 en.bestsup.su tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 85.209.157.3:443 tcp
CA 167.114.144.152:9002 tcp
US 199.249.230.155:443 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
N/A 127.0.0.1:52341 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
DE 37.157.253.35:443 tcp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
FI 65.108.231.17:9002 tcp
DE 78.46.123.26:8443 tcp
US 8.8.8.8:53 26.123.46.78.in-addr.arpa udp
US 8.8.8.8:53 17.231.108.65.in-addr.arpa udp
DE 78.46.123.26:8443 tcp
FI 65.108.231.17:9002 tcp
US 8.8.8.8:53 sjyey.com udp
AR 190.195.60.212:80 sjyey.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 212.60.195.190.in-addr.arpa udp
US 8.8.8.8:53 17.43.195.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
AR 190.195.60.212:80 sjyey.com tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
AR 190.195.60.212:80 sjyey.com tcp
AR 190.195.60.212:80 sjyey.com tcp
AR 190.195.60.212:80 sjyey.com tcp
US 8.8.8.8:53 1746c91e-6b52-462b-a581-98d938b50c58.uuid.statsexplorer.org udp
AR 190.195.60.212:80 sjyey.com tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 gd.cem udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 gd.cem udp
US 8.8.8.8:53 boucon.fr udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 boucon.fr udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 jhgrbfok.cem udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 jhgrbfok.cem udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 gd.cem udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 bbv.bg udp
US 8.8.8.8:53 mail.boucon.fr udp
US 8.8.8.8:53 bbv.bg udp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
FR 185.51.177.25:443 boucon.fr tcp
US 8.8.8.8:53 6m-jrbdozg.jz udp
FR 185.51.177.25:21 boucon.fr tcp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 jhgrbfok.cem udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 pec.brchrm.oj udp
FR 185.51.179.241:143 mail.boucon.fr tcp
BG 193.107.69.123:22 bbv.bg tcp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 ftp.golebd.cem udp
FR 185.51.179.241:465 mail.boucon.fr tcp
FR 185.51.177.25:80 boucon.fr tcp
BG 193.107.69.123:21 bbv.bg tcp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 gd.cem udp
FR 185.51.179.241:995 mail.boucon.fr tcp
US 8.8.8.8:53 jhgrbfok.cem udp
FR 185.51.177.25:22 boucon.fr tcp
US 8.8.8.8:53 love.cem udp
BG 193.107.69.123:443 bbv.bg tcp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 241.179.51.185.in-addr.arpa udp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
BG 193.107.69.123:143 bbv.bg tcp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 25.177.51.185.in-addr.arpa udp
US 8.8.8.8:53 123.69.107.193.in-addr.arpa udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 ftp.uberegypj.cem udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 ftp.jhebbrbeursbebujy.cem.br udp
FR 185.51.177.25:80 boucon.fr tcp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 ftp.golebd.cem udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 ftp.ocleud.cem udp
US 8.8.8.8:53 jhgrbfok.cem udp
BG 193.107.69.123:80 bbv.bg tcp
FR 185.51.177.25:80 boucon.fr tcp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 lovez.cem udp
BG 193.107.69.123:995 bbv.bg tcp
FR 185.51.179.241:465 mail.boucon.fr tcp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 gd.cem udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 ftp.blumzes.udg.mx udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 mail.golebd.cem udp
US 8.8.8.8:53 msz.cem udp
FR 185.51.177.25:222 boucon.fr tcp
FR 185.51.177.25:80 boucon.fr tcp
FR 185.51.177.25:990 boucon.fr tcp
US 8.8.8.8:53 embolmezkey.club udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 lovez.cem udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 ftp.msz.cem udp
US 8.8.8.8:53 jhgrbfok.cem udp
US 8.8.8.8:53 ftp.uberegypj.cem udp
US 8.8.8.8:53 ftp.cojrembol.hu udp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 blumzes.udg.mx udp
BG 193.107.69.123:465 bbv.bg tcp
BG 193.107.69.123:443 bbv.bg tcp
FR 185.51.177.25:80 boucon.fr tcp
BG 193.107.69.123:80 bbv.bg tcp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 blboez.cem.br udp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 mail.jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 mail.uberegypj.cem udp
US 8.8.8.8:53 ssh.golebd.cem udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 ftp.golebd.cem udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 ftp.ocleud.cem udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 lovez.cem udp
US 8.8.8.8:53 mbol.ru udp
US 8.8.8.8:53 mbol.ru udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 mozob3.mee.edu.eg udp
US 8.8.8.8:53 ftp.mozob3.mee.edu.eg udp
US 8.8.8.8:53 embolmezkey.club udp
US 8.8.8.8:53 blboez.cem.br udp
US 8.8.8.8:53 ftp.jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 jhgrbfok.cem udp
US 8.8.8.8:53 gd.cem udp
US 8.8.8.8:53 ssh.uberegypj.cem udp
US 8.8.8.8:53 mail.golebd.cem udp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 cbjedrbozmebolobrob.cem udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 mail.ocleud.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 bples.oj udp
US 8.8.8.8:53 cojrembol.hu udp
US 8.8.8.8:53 lovez.cem udp
US 8.8.8.8:53 embolmezkey.club udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 blumzes.udg.mx udp
US 8.8.8.8:53 ftp.msz.cem udp
US 8.8.8.8:53 mail.msz.cem udp
US 8.8.8.8:53 mail.cojrembol.hu udp
US 8.8.8.8:53 ftp.uberegypj.cem udp
US 8.8.8.8:53 uberegypj.cem udp
US 8.8.8.8:53 ftp.cojrembol.hu udp
US 8.8.8.8:53 6m-jrbdozg.jz udp
US 8.8.8.8:53 ftp.gd.cem udp
US 8.8.8.8:53 bples.oj udp
US 8.8.8.8:53 blboez.cem.br udp
US 8.8.8.8:53 ukr.zej udp
US 8.8.8.8:53 jhebbrbeursbebujy.cem.br udp
FR 185.51.177.25:80 boucon.fr tcp
BG 193.107.69.123:80 bbv.bg tcp
US 8.8.8.8:53 pec.brchrm.oj udp
US 8.8.8.8:53 jelefezocb.zej udp
US 8.8.8.8:53 ukr.zej udp
US 8.8.8.8:53 eurezocs.se udp
US 8.8.8.8:53 ssh.jhebbrbeursbebujy.cem.br udp
US 8.8.8.8:53 ftp.jelefezocb.zej udp
US 8.8.8.8:53 mail.blumzes.udg.mx udp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 msz.cem udp
US 8.8.8.8:53 mail.uberegypj.cem udp
US 8.8.8.8:53 ftp.golebd.cem udp
US 8.8.8.8:53 ftp.ocleud.cem udp
US 8.8.8.8:53 sysce.cem udp
US 8.8.8.8:53 mail.jhebbrbeursbebujy.cem.br udp
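
Most rows in the network table are resolver noise (PTR lookups against 8.8.8.8, sandbox background traffic to bing.com) or lookups of names with non-existent TLDs (.cem, .oj, .zej, .jz) that never produced a connection, and the real findings are easy to miss: a Monero pool on 51.195.43.17:14433, several single-port HTTPS/HTTP contacts to fresh .shop/.fun/.io domains, and hosts such as boucon.fr and bbv.bg being hit on FTP, SSH, HTTP, IMAP, SMTPS and POP3S ports in turn, which is what a credential brute-force component looks like from the outside. The script below is an added example for this page, not part of the sandbox report, that parses rows in the table's format and sorts them into those buckets. The benign-suffix list, the sweep threshold and the mining-pool heuristic are the editor's assumptions; the sample rows are a subset copied from the table above.

```python
import ipaddress
from collections import defaultdict

# Subset of rows copied from the network table above (sample input for this example).
SAMPLE_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
CA 167.114.144.152:9002 tcp
N/A 127.0.0.1:52341 tcp
US 8.8.8.8:53 golebd.cem udp
US 8.8.8.8:53 pec.brchrm.oj udp
FR 185.51.177.25:443 boucon.fr tcp
FR 185.51.177.25:21 boucon.fr tcp
FR 185.51.177.25:80 boucon.fr tcp
FR 185.51.177.25:22 boucon.fr tcp
FR 185.51.177.25:990 boucon.fr tcp
FR 185.51.179.241:143 mail.boucon.fr tcp
FR 185.51.179.241:465 mail.boucon.fr tcp
FR 185.51.179.241:995 mail.boucon.fr tcp
"""

BENIGN_SUFFIXES = ("bing.com",)  # sandbox background traffic; assumption for this example
SWEEP_MIN_PORTS = 3              # distinct TCP ports on one host before it counts as a sweep


def parse_rows(text):
    """Parse 'COUNTRY IP:PORT [DOMAIN] PROTO' rows; the domain column is optional."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
        else:
            continue
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_noise(row):
    """Loopback/private targets, reverse lookups and known sandbox background traffic."""
    ip = ipaddress.ip_address(row["ip"])
    if ip.is_loopback or ip.is_private:
        return True
    d = row["domain"] or ""
    return d.endswith(".in-addr.arpa") or any(d == s or d.endswith("." + s) for s in BENIGN_SUFFIXES)


def looks_like_mining_pool(domain):
    """Hostname heuristic only; a real detector would also match known pool ports."""
    d = (domain or "").lower()
    return "pool" in d or d.startswith("xmr")


def triage_network(rows):
    """Bucket rows into port sweeps, mining pools, C2 candidates and DNS-only names."""
    dns_queries = set()
    tcp_by_ip = defaultdict(lambda: {"ports": set(), "domains": set()})
    for r in rows:
        if is_noise(r):
            continue
        if r["proto"] == "udp" and r["port"] == 53:
            if r["domain"]:
                dns_queries.add(r["domain"])
            continue
        if r["proto"] == "tcp":
            entry = tcp_by_ip[r["ip"]]
            entry["ports"].add(r["port"])
            if r["domain"] and r["domain"] != r["ip"]:
                entry["domains"].add(r["domain"])

    result = {"port_sweeps": [], "mining_pools": [], "c2_candidates": [], "dns_only": []}
    connected = set()
    for ip, e in sorted(tcp_by_ip.items()):
        connected |= e["domains"]
        ports, domains = sorted(e["ports"]), sorted(e["domains"])
        if any(looks_like_mining_pool(d) for d in domains):
            result["mining_pools"].append((ip, ports, domains))
        elif len(ports) >= SWEEP_MIN_PORTS:
            result["port_sweeps"].append((ip, ports, domains))
        else:
            for p in ports:
                result["c2_candidates"].append((ip, p, domains))
    # Names that were queried but never connected to: either sinkholed, NXDOMAIN or junk TLDs.
    result["dns_only"] = sorted(dns_queries - connected)
    return result


if __name__ == "__main__":
    for bucket, items in triage_network(parse_rows(SAMPLE_ROWS)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The `c2_candidates` bucket is where blocking indicators come from; the `port_sweeps` bucket is a sign the infected host is being used to attack third parties and should be treated as an outbound-abuse finding rather than as a list of C2 servers.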

Files

memory/1088-1-0x0000000002F20000-0x0000000003020000-memory.dmp

memory/1088-2-0x0000000002EA0000-0x0000000002EAB000-memory.dmp

memory/1088-3-0x0000000000400000-0x0000000002D34000-memory.dmp

memory/3468-4-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

memory/1088-5-0x0000000000400000-0x0000000002D34000-memory.dmp

memory/1088-8-0x0000000002EA0000-0x0000000002EAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AF89.dll

MD5 ec6878849a30cad1ddb5ab3ff4921124
SHA1 0c1208b6d2e153352b8c4ccc345ff30281ab2af9
SHA256 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639
SHA512 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb

C:\Users\Admin\AppData\Local\Temp\B15F.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

memory/224-20-0x0000000010000000-0x00000000101A5000-memory.dmp

memory/224-19-0x0000000000E60000-0x0000000000E66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE02.exe

MD5 e4eed39775944dd1a8565de4cbdb8e22
SHA1 994f8f13e956f447a95b55b4bc4a722dee9b5471
SHA256 559c63ad143ce4ddc9b5f14b69970e9c1bc67a87fcb812297a95092aa27a73fd
SHA512 b262d88411fb547057bbf503b680081c5dcf859eb2a9945425deb1341eb30eddae1f6f1961ddffcc90a3f918277d7296b5b841fdce640eb605bb0837c4e8337f

memory/224-25-0x0000000002B40000-0x0000000002C64000-memory.dmp

memory/224-26-0x0000000002C80000-0x0000000002D88000-memory.dmp

memory/224-29-0x0000000002C80000-0x0000000002D88000-memory.dmp

memory/1408-30-0x0000000000EE0000-0x00000000019B7000-memory.dmp

memory/224-35-0x0000000002C80000-0x0000000002D88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C74A.exe

MD5 6ab301bdb34a1c61adc3548ce669c7ea
SHA1 2567afe41c54e8be9374a641cb8ed328acbd1962
SHA256 0d92bcf3d437300b019cef6720ff8e9affddff6680acbe1fb69df8933403b363
SHA512 ca17af24785b9bdb86ea29b2eabd0c55807dbbc96e60343b13323d91a252dda8eb4f1be136346332325aedf6fb10f8fd7cb592d55a6e9e34af6b3312565ad488

memory/1408-39-0x0000000000EE0000-0x00000000019B7000-memory.dmp

memory/1408-41-0x0000000000D80000-0x0000000000D81000-memory.dmp

memory/1408-43-0x0000000000D90000-0x0000000000D91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C74A.exe

MD5 d9a37fafdfcf0b4ac736ca8c151eeb83
SHA1 0a669ee802a3cf8f1a4015d2ec552e8bb4486b0f
SHA256 6780c47727f6a4e9061734406c9f1c431eca83c784e15116ca2f16efceec7542
SHA512 91603d72f3fce73d68212785dc28ca421b789e6d7feab575d1337377cd14e6af3626e58faed68071e09cfb878d0b1a92e0c37cdb17f12c53ebfedf4ce04c31a6

memory/1408-46-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/1404-47-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1408-48-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/1408-50-0x0000000000DE0000-0x0000000000DE1000-memory.dmp

memory/1408-52-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

memory/1408-53-0x0000000000E00000-0x0000000000E01000-memory.dmp

memory/1408-54-0x0000000000E10000-0x0000000000E11000-memory.dmp

memory/1408-45-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

memory/1408-44-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

memory/1408-37-0x0000000000C60000-0x0000000000C61000-memory.dmp

memory/1408-55-0x0000000000E20000-0x0000000000E21000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp

MD5 951c5cff24d9852fc47e239f8a3184b0
SHA1 26b6c602a93093326446761e3a07a8e69de981c8
SHA256 fa7c173d6b452a5f897508c293ee962960c70e5789697f13b9dd630d5398c0a7
SHA512 f93dd3849427551a16af746c38fb295c90b6d6c0e2460fd778ce600071eb6968b4659031cb541ac833223506cedc43312f99d1682a06347ae6862ca2374a684e

C:\Users\Admin\AppData\Local\Temp\is-GDQ92.tmp\C74A.tmp

MD5 9bfda5709e2e63838d25c32fe8e125f2
SHA1 cbbe632d8cbb37272bf489f6f12e7bc7d3da4e17
SHA256 354dc10078e9217eae4ccbb5039d3c02d89b36d0deb447756e17979e68df23d0
SHA512 5646aca759ff83c47093beae6f092775a9102e3e6595c0d52081bca84fb61628e56b3efa8827d0cac2e3e3899a149b87bc9a20241de9692caff83eb1af593267

memory/1408-58-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/1408-57-0x0000000000E40000-0x0000000000E41000-memory.dmp

memory/1408-64-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/1408-63-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/1408-56-0x0000000000E30000-0x0000000000E31000-memory.dmp

memory/1408-67-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2060-66-0x0000000000610000-0x0000000000611000-memory.dmp

memory/1408-68-0x0000000000EE0000-0x00000000019B7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-RN042.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1408-65-0x0000000000E80000-0x0000000000E81000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

MD5 b1ae746da1e7fb65cdcc65e3bcf22d8e
SHA1 93cfea53d51b20e6c58e0d7928fd8ad58c8338f6
SHA256 6455e6de49ee6f451c8bb4378733dd751dcea18be98cb623b9c200aa4452b1d3
SHA512 fc51b2b45db9a265c059ff3a6cc5c482779baff1ff367e174c8935d096b0388838b39db4dae5a6ea2509c729684de0b4c0d363880ff7bde943a7d6ac72b30d98

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

MD5 b12a32d3450c2cd7aae7f9af384b4cac
SHA1 973641854c881465136f275283c9642f8bad62d5
SHA256 388ef1a3c7b241d0583503e836918a2a316d8e4a733fed3ab39c838d73cf91b4
SHA512 fc6510b724f6af1994c3ef8549dd178a2e986c816a88d4ee6f7ff0d2bb94e3f3b144e547994635a764b43f0127e8bb11dbcd00d26aad6d12a6378626bc2f77c3

memory/1408-83-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

memory/1408-84-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

memory/1408-86-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

memory/1408-85-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BE02.exe

MD5 e19c92e5b3bcb45db90d7c4b454421e3
SHA1 066729d1e8488c5189935c9f902ed1b4127a7a2c
SHA256 de12c0b54caa8f9a0c904a46633ac56388df49b6aa44e529469fa42142d62b4c
SHA512 a7cfd8252de2fbf917794559572c5c92a7852ae44ac84db646da8dfa991d8df6bad554b5c209c02d7672d557cdc8653ca82a6a6385dbe7b50381836fa3b05e56

memory/1408-87-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

memory/2920-89-0x0000000004CF0000-0x0000000004EA7000-memory.dmp

memory/2480-90-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2920-97-0x0000000004A20000-0x0000000004BE4000-memory.dmp

memory/2480-127-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2480-96-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CCBA.exe

MD5 4747e2f3642706b27dfbc28a301a89ad
SHA1 f208fdc35cf02083029dac18df73776540647c00
SHA256 1696262dd12b5ed1460b9dd25376f8ce55cae2f1bbb555387d8496fb0edabcac
SHA512 4db4fffa3701935fa3b9843f5a972e31fcb3f223bd04f8662aa14aa644368c0c9371274e035820eb08c2aa1f8581b6d9bc05d98c3bbe154b0a6489a504f2a4dc

memory/1408-88-0x0000000000EA0000-0x0000000000ED2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D074.exe

MD5 6b2363ef5f4c29a951f2bdcd3b0296d7
SHA1 d8515c7d27c8032139ab80bd04db8e7ecea6a503
SHA256 c795a9e5b9aebc6f67feb60076ca2100ebff12a0c9bcc466fdfbac6903f9d08e
SHA512 ed47012a67aae58c297397027dbe84d7c658b1a25634799f7ad0464726df18212913a64e2c99c676cc9a0fe146b4a84df1d46f3d198655434da20d4fe4bb65f6

memory/2480-133-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 2382472fdb9417eb052e0e0ba17398c4
SHA1 ff66a948a3d81cf419ab51252b13cba002b27f12
SHA256 6df086b5e6bb8b974e67007c46d2b337d1ab46b2322d735a06a9f4b96bd8b140
SHA512 0dec59ec899d7c1c39c5d767dec3a76c2a49deb3be215b7be957ff3c454a35eb66bf50e6a59f483d1dfdf9d35eebe6769246fbd90cfab03198d87871c1b0a459

memory/2480-138-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2748-139-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2748-140-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2748-141-0x0000000000400000-0x0000000000736000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 92cc6eb1eb959a979fe2009fd402964e
SHA1 e42c3cc6830138cd64394df05bc8ea7d70b00e4a
SHA256 85ff491ef486c5548867d988d5abac3f3ed2ce3f103ac9de91d0a7b2049337c9
SHA512 64345c65b6ea0832ece401381764a3cdd764390d69ae69cf060e2e48c78e3849aa7f3d93c8acf8980a820520876845ebbf51ba170e687b47604b9ca142374e9c
