Malware Analysis Report

2024-11-30 04:48

Sample ID 240222-gpexmsch7z
Target 7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe
SHA256 7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71
Tags
glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion loader persistence stealer trojan upx dcrat lumma infostealer rat spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71

Threat Level: Known bad

The file 7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe was found to be: Known bad.

Malicious Activity Summary


Stealc

DcRat

Glupteba

Lumma Stealer

Glupteba payload

SmokeLoader

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing URLs to raw contents of a Github gist

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables packed with VMProtect.

Detects executables containing artifacts associated with disabling Windows Defender

UPX dump on OEP (original entry point)

Detects executables containing a Discord URL observed in first-stage droppers

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Uses Task Scheduler COM API

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 05:58

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 05:58

Reported

2024-02-22 06:01

Platform

win7-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detects Windows executables referencing non-Windows User-Agents


Detects executables containing a Discord URL observed in first-stage droppers


Detects executables containing URLs to raw contents of a Github gist


Detects executables containing artifacts associated with disabling Windows Defender


Detects executables packed with VMProtect.


Detects executables referencing many varying, potentially fake Windows User-Agents


UPX dump on OEP (original entry point)


Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Deletes itself


UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\D9C0.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\E3CB.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1616 set thread context of 1508 N/A C:\Users\Admin\AppData\Local\Temp\D9C0.exe C:\Users\Admin\AppData\Local\Temp\D9C0.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\5B0D.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebfjidu N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebfjidu N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\ebfjidu N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ebfjidu N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 2776 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2776 wrote to memory of 2240 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1356 wrote to memory of 2452 N/A N/A C:\Users\Admin\AppData\Local\Temp\E3CB.exe
PID 1356 wrote to memory of 664 N/A N/A C:\Users\Admin\AppData\Local\Temp\5B0D.exe
PID 664 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\5B0D.exe C:\Windows\SysWOW64\WerFault.exe
PID 2304 wrote to memory of 1692 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\ebfjidu
PID 1356 wrote to memory of 1524 N/A N/A C:\Users\Admin\AppData\Local\Temp\A95C.exe
PID 1524 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\A95C.exe C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp
PID 2912 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2912 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1356 wrote to memory of 1616 N/A N/A C:\Users\Admin\AppData\Local\Temp\D9C0.exe
PID 1616 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\D9C0.exe C:\Users\Admin\AppData\Local\Temp\D9C0.exe
PID 1356 wrote to memory of 2192 N/A N/A C:\Users\Admin\AppData\Local\Temp\DF2D.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe

"C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B2EB.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B2EB.dll

C:\Users\Admin\AppData\Local\Temp\E3CB.exe

C:\Users\Admin\AppData\Local\Temp\E3CB.exe

C:\Users\Admin\AppData\Local\Temp\5B0D.exe

C:\Users\Admin\AppData\Local\Temp\5B0D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 664 -s 128

C:\Windows\system32\taskeng.exe

taskeng.exe {14DEB414-58D3-4D2D-89A6-9378B09B0B79} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\ebfjidu

C:\Users\Admin\AppData\Roaming\ebfjidu

C:\Users\Admin\AppData\Local\Temp\A95C.exe

C:\Users\Admin\AppData\Local\Temp\A95C.exe

C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp

"C:\Users\Admin\AppData\Local\Temp\is-091A7.tmp\A95C.tmp" /SL5="$2019C,3536428,54272,C:\Users\Admin\AppData\Local\Temp\A95C.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\D9C0.exe

C:\Users\Admin\AppData\Local\Temp\D9C0.exe

C:\Users\Admin\AppData\Local\Temp\D9C0.exe

C:\Users\Admin\AppData\Local\Temp\D9C0.exe

C:\Users\Admin\AppData\Local\Temp\DF2D.exe

C:\Users\Admin\AppData\Local\Temp\DF2D.exe

C:\Users\Admin\AppData\Local\Temp\F7FC.exe

C:\Users\Admin\AppData\Local\Temp\F7FC.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\3CF.exe

C:\Users\Admin\AppData\Local\Temp\3CF.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\1DE5.exe

C:\Users\Admin\AppData\Local\Temp\1DE5.exe

C:\Users\Admin\AppData\Local\Temp\is-JDUCH.tmp\1DE5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JDUCH.tmp\1DE5.tmp" /SL5="$301BA,4081152,54272,C:\Users\Admin\AppData\Local\Temp\1DE5.exe"

C:\Users\Admin\AppData\Local\Temp\nsu197C.tmp

C:\Users\Admin\AppData\Local\Temp\nsu197C.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240222060037.log C:\Windows\Logs\CBS\CbsPersist_20240222060037.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

Network


Files


memory/2912-248-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2276-250-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2912-249-0x0000000003110000-0x0000000003446000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF2D.exe

MD5 6aa34e40309fc5045314bbacffa1f5a6
SHA1 5d4455bcdf5d4bfbb77c496a5fdeef7b924a8a94
SHA256 9ff16a5019d54ee311469e77de594f8767e4c674ab91a69bb64ff2750aa8e899
SHA512 914488168e0fc2650ddf755190cd66897d28a4cd31fcd6db4723d9e5f4b22ce68b090c074d63e3750d6447bb2a1984eae24add7b4e89def167d7212e14a18cac

\Users\Admin\AppData\Local\Temp\B2EB.dll

MD5 bf1f6e6b1ecbdca781101b69d84f2d38
SHA1 352d617497c816a2cd9dc4e40a66883cee990599
SHA256 31d3e2ea252e5d1c1b495025bcddf32659510ec388cd9bbffd2291890f113607
SHA512 b0f290157b286044cf0efa7d8db2924c73520844834dbcbdae58b5ccb00e48dbf96f99ce188660b9d37f3e5a0f52b8ad06e9994395f8ab07444332a3fd9721d5

memory/1508-253-0x0000000000350000-0x0000000000356000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F7FC.exe

MD5 551c4579d663594245d8d480a6e04ef3
SHA1 19e5c9ad957e86f48da673be7584c7a8af28ac97
SHA256 bcaf32b1c928dca42c74adc93825a62c306caa84e51a005fae046e81b115d5e9
SHA512 45b72e30dc846b82de569aeedadcc8904a06c6433f2d7fcaf91163d3e627968af5e6ee8cf3ade22d86cc071b8b223fe7a41c849591da888e65f878d2ee9fdd7e

C:\Users\Admin\AppData\Local\Temp\F7FC.exe

MD5 7f34877b284236a571c85a777d05128c
SHA1 5cfb8628ad088c6379c870a42a09d4caedb9fdcf
SHA256 abc759fb57214026dcf429413f54b13e76a7bcf06e0d0c8f10a03a8372175d3c
SHA512 bd7278f820e8d83c734b4b0c537591ebfda734ef5cc7b0c0dafd22de0e88054b09d157c3d56b2c12fcac80dbd14689a0398364b67fb3075d2fa118c94cd74d53

memory/2772-274-0x0000000073890000-0x0000000073F7E000-memory.dmp

memory/2772-275-0x0000000000370000-0x0000000000C26000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 167d3d67c322a67d33bb8b4b2dc041e8
SHA1 6b64ab0817892f969fa3141afd467bbe5f9c8c00
SHA256 5c91b896721aab20defe9244568581e92cdb2ccef648e7e6f6ce6f4459aa95ff
SHA512 19891422afad93c70f105a46792a64ecd41ac0d419c019022e7ac0deeb48adce52680410e49e6ba6ce5da175fba7f09c38a984c645d76e10d9e2dd08771a2b48

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 dee6f72532b423c83b1483ef216a83d3
SHA1 06a812a3c174067dcf15447be310608fe0235a0b
SHA256 e02a6c5a59aa4d07173f6fc254dabff117e1519a5d49fe1428d854ab5be007a0
SHA512 7a41ce71088edff82af7963381c84871e72ee1bc6fb1889d79015103baa040a31f4433ff52604af45fd6787401ddd9e0d222b015d8b0a22640ec3e3a61580974

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 6bdb234305778c39ec1121b20dbb5b46
SHA1 9397990981227c7b06a4ad4d1a2b030d38fcd6e1
SHA256 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b
SHA512 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 69d8541afe9eb5d47b8a4ec080212d19
SHA1 2bd9cda3c37de1569edc024935374ef90a8d186b
SHA256 5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7
SHA512 56aa8cc13b79695bf1c0e1ce51302d569411d22072dbfca1943e97a3d5fe5e6f7c66ce341f8f065de73a85c9d29c820570202aa6977d89e3e5a979ccceec0c95

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 5394ac777ecd313e1229ddfec9f29bc3
SHA1 dcf1a9feb6d7aa4f355889d777c94a739889afb6
SHA256 7bca12a102524174f6a64bc9c4eb64a35763ade3e030b1d931063fffd3e0991e
SHA512 8365eaf9c1c41ffba04d701619f7197d76363f8dc145417877fd28fb60678f6cb6bd6f972567a3142ba2cdba4c44c7ce7c8ed644709370ee4054f5bde4e7eb3e

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

C:\Users\Admin\AppData\Local\Temp\3CF.exe

MD5 0d06a607b3d18299d41b13f466f5d196
SHA1 f9287516ccc738416c643277f064b5727717c9c7
SHA256 a744a59bae89bcbe2003a864182fe49effbddee3a4026775a778cedb0732925d
SHA512 d546dce46ebf2c4a493fbd07abeca323ca30003399c7ddb54f1e8f3c204fadb7263bd9704091bfabe9b0f8c52e7e0eaec3e03105a395a50e1216ee03e1ea5654

memory/2776-309-0x0000000002550000-0x0000000002948000-memory.dmp

memory/2776-311-0x0000000002950000-0x000000000323B000-memory.dmp

memory/2276-312-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 65c145064bb3e087c2ec0ae6034c2df0
SHA1 5ec0f6d5fa4a931f5964c709ed79efae1520fefe
SHA256 2d8e8d5d3302cf18163d55b4e452c95fcec38931dcc8acf3ad2e0c2d8740376e
SHA512 7a87a15a1df889f38994f9a26313ab040ae596a7faeeb07faa556d932235486a295a2039fb3b70c0d5c806e136dfdb2c0ccfd58a17e7a68b1594559c59933f3f

memory/2776-313-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2400-315-0x0000000000230000-0x0000000000330000-memory.dmp

memory/2400-316-0x00000000003A0000-0x00000000003AB000-memory.dmp

memory/2400-317-0x0000000000400000-0x0000000000818000-memory.dmp

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 2894bac8eef6977463a9b6b2b4ebfb45
SHA1 24e371157c3114cd29a54cd635ddb884046a3f6b
SHA256 d880568ca69cbd902df113d63331abce86cc5f454ceadac09c5cee53942a5762
SHA512 903c63b84eb3f5c8dabe8e95388779fb50408eb58f80c8fdbfaec363fdaaff921089d00c117636304eaa2602c76ed53667472c6a983e9fcfd19d1b8b103a92a6

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 2ca32a64d491385b9191b77cd9e1245e
SHA1 3689280aeae1870caec7d5a32c5b0ae6be4f310a
SHA256 eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae
SHA512 a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f

\Users\Admin\AppData\Local\Temp\nsjA4E.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/1468-327-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 ac37a77b268afe3463035a826c5233aa
SHA1 0b1f9549cd160dbc38ed5aefe4a4ad0b11dec672
SHA256 3c5e94dbf117b1063b20203c7498c4324126cbd94ae3a30969e17e54d6bcf03c
SHA512 8eb08d42ecaa7254703971ccc83c766753abddadea219b3b3cc86fac1ef861b201c448341c555e4e186d5130a1221175b454c057626cd2a0657741657b2e5fb8

memory/2772-335-0x0000000073890000-0x0000000073F7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d7e4b9b1c47a1c5e43e40c56157a147f
SHA1 3d1afa4a1377bd808054add241e150c375a539a3
SHA256 4cfc04acddae5f5f2867e218cef35f327361af9c157267abbf9ef431af361f4d
SHA512 f07d7d22b92e61ea196f2c913ba4c6501b7f2acf1570baa7c748717325f67dc219d7a3f92405c06f8f157f0cff5cddcfa39e6a6e828fab565d57356cb567582d

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 62fb6e9c5d9d7542af9c141a0f860992
SHA1 ee0836d9c9c259d1e75cc8a9a8ebdd88ea1b01db
SHA256 69a2e13a0b31019893de9fee03eefd52ae3aef1a37c9ab4f21f9dc0155f16ef5
SHA512 e3c9e2dd1da1a19ffd1cf5edfec1dcf7d287505fc2951264e6ddb27c96f4857ebed60640ece133120091806523af06004a5fb0f0ce7a68e98027298eb304707a

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 293540d49b082b33a5b90f862cee513c
SHA1 fce1f069059573bb29042aec52811bc25c94b3bd
SHA256 a9bf23a5e82c6c1d1080cc104d6cfba492fa997f636fee12483a763d066ed126
SHA512 444e7b121dddd74a57b4f1cef4de435748892493909969c2d51370a8de5b24ab950c60ee9e391fd1d07cad6e45552ca1c22eab41708ad85be5c7ee4ef6a1f343

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 0c6f4bd9b4c691b6a6e170645b250abc
SHA1 c9a7b17737a9748701bbb788d2618e77af914118
SHA256 40e777cfd8f95d1533a4fe9937c48513140d2e1bb76cd2c7659b4e5abef9196e
SHA512 d84438cbe4387bca0c7d7b3d1e5e6288ff7bc518bb5a52c41974898bb85c0ef37dde587940bfe4875bd61fad0b14445de9fd5d30f88eb9a4c58d16a167674367

C:\Users\Admin\AppData\Local\Temp\1DE5.exe

MD5 0522918a55c2ac5a0e7393713fdf48e4
SHA1 7982cbcc3e5bcb6712b72b9e8b1a5f39626cf6e7
SHA256 d2a47ef496c9540a7244c6623ffcf356e82352857d2046090934b1315d3345f3
SHA512 d2d3c059056c7223cfd2802bfd7590afdc7de2cebff46d5d4386f17ef37a66e42daa99d3c748feeda76fef78003e7ff48ce4694ab1857e411c8c64f5e84cfa67

C:\Users\Admin\AppData\Local\Temp\1DE5.exe

MD5 bb99abbf4ad8c749a2a742989968bfc2
SHA1 5b02893b44746138da69c675e34802b1911f6f7d
SHA256 af1a63e295fa55fa0306b4058f1df67bf5fcbd3621f6e0900c8b0c50e7139437
SHA512 766e463cc3e02d94300f5889584bf5bcc6f62e6b38ab1cdb209b69d84287e6785a3ee93c3491ac155aa1a17328712f494c47bba1a7f04e4e15245ad0113d602e

C:\Users\Admin\AppData\Local\Temp\1DE5.exe

MD5 ce2bd96ca6e75558e77bb359132f7221
SHA1 daa5053385a7f519aedc2927d2ba54ff105cec1f
SHA256 a2de77c73d19d1ae0b6ce372a81a1142db7cc40b84cdb25584dfd0404e8f19d7
SHA512 6162ac548077376a138a77836ce812b50148558e179f00343b96c037134d4e0c4d5699c22e56dc43fee0a3d24a3cb60273eae9e90ef49ca6b9691941e720bd68

memory/1508-367-0x0000000000400000-0x0000000000848000-memory.dmp

memory/276-368-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-JDUCH.tmp\1DE5.tmp

MD5 b11909d5e4e08b1a6da220eca474d49f
SHA1 b42582ab65d400f3450907ddc0857092c4daa4a8
SHA256 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
SHA512 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab

C:\Users\Admin\AppData\Local\Temp\is-JDUCH.tmp\1DE5.tmp

MD5 2b4f34d02fbabd51824e959a76ff576f
SHA1 706beb6b7b8759541ecd51b3138344cd2fb0a67b
SHA256 b56ab93d2539681890b288377ec88ba092f9aee7ef660834206bfb3e150dfcaa
SHA512 4af610a144b64c7f931545f548c5918ea760200536b473c4e94da5c6b2f61de9d1f9de3c53ff981b812b07bba850db8aee59bbcba872ed90ba1d72787d60fc76

memory/1508-390-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-L8OD8.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/2272-391-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-TLDDN.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

\Users\Admin\AppData\Local\Temp\nsu197C.tmp

MD5 a28dacaf0cbbf1492125a80597ee1315
SHA1 a89f610af8cbe1944c770a8f7792b56234d98042
SHA256 88b1beec7215b7d1201b6dedd2d9a12df840da9d45a4c115b4e28775d7e742e1
SHA512 82e8239786bcc5dd95cd4a1366ef557c83ed4b9dfb5f70971cb199c305fc2e868dcb1dc72e74f3de156d7bf466118708275593ade4ea8dda1ffb8539e0e4f88e

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2276-421-0x0000000000400000-0x0000000000736000-memory.dmp

memory/300-423-0x0000000000270000-0x0000000000370000-memory.dmp

memory/300-424-0x0000000000830000-0x0000000000864000-memory.dmp

memory/300-425-0x0000000000400000-0x0000000000822000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c0cbbc37afd3038489867a901c78525d
SHA1 45c528c015647624bd72cca399115a4f77a98a2e
SHA256 85d8fa5ebfc3fc150872fd0fb5dd3388dd58af0aea8ce0f6f8408dddd2bb0247
SHA512 994e3bc4058cc285cf3439e1611a7365b9a38aa95de924038e9242d100308d3f5d7be51460e5777913daba683714cf53242a06ec9d84576a9fd999a3c56d586f

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 760fe387d7c560f53f0f9c728a66d3b0
SHA1 543c5b5f57e01ec1744b098ef24e52ed08d81e42
SHA256 aa9ec255d6b490b747edeaf60a5dd617411feae80944d62cc2276551e6095efc
SHA512 2b4d0a18ade76d12236c7a698e48a6875c85e3a9df61727f5070edf4f63d30af380bb40a1d647cb907af25bb2fec4ce6076e7a5d39944ac76e92594bc54522b7

memory/2776-433-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2776-435-0x0000000002950000-0x000000000323B000-memory.dmp

memory/1304-481-0x0000000002780000-0x0000000002B78000-memory.dmp

memory/1304-482-0x0000000000400000-0x0000000000D1C000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Windows\rss\csrss.exe

MD5 dd76b1ea2a8bf2f7e800e0a11f01f5e9
SHA1 d31c1ff5b3bfff45af20f5fce0579b80819c5390
SHA256 98ddd0a4e39f3693a0bdda3844934a3211e119eee2d5155e17778b0af18e6b89
SHA512 2b3118524ede04678a6306af55dff202a5dbd1a5443bd815dc6a7e3122518ca3593841b942b46b04c3053e553cf20c8baca39461f27cc7fe5d293e26050b2508

\Windows\rss\csrss.exe

MD5 d8fd6ee086168ae33101a622914ea1aa
SHA1 087e83ecd19f56d7e1613dd3ec4397790a56bcdc
SHA256 8c83aa0ca592ee93a216ce28bb14385acafe2568df56ad4b28a8d2e36e32ed3d
SHA512 84227739f05c24c889086a4ec8ca1b92b62d85fb687a49c13024fe223129bb4af98cec4ddf1cf72c0ca0f5b63f3a55a3b3e01c97f4a34eba0dedd3f9da86bfde

memory/1304-543-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 05:58

Reported

2024-02-22 06:01

Platform

win10v2004-20240221-en

Max time kernel

104s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2828415587-3732861812-1919322417-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\A2C9.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\5BDB.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D998.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 992 set thread context of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ADB7.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ADB7.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vhhevij N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vhhevij N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\ADB7.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vhhevij N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nssBE3C.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nssBE3C.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3272 wrote to memory of 4408 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3272 wrote to memory of 4408 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4408 wrote to memory of 4516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4408 wrote to memory of 4516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4408 wrote to memory of 4516 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3272 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\D998.exe
PID 3272 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\D998.exe
PID 3272 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\D998.exe
PID 3272 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\102A.exe
PID 3272 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\102A.exe
PID 3272 wrote to memory of 888 N/A N/A C:\Users\Admin\AppData\Local\Temp\102A.exe
PID 3272 wrote to memory of 8 N/A N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe
PID 3272 wrote to memory of 8 N/A N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe
PID 3272 wrote to memory of 8 N/A N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe
PID 8 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp
PID 8 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp
PID 8 wrote to memory of 660 N/A C:\Users\Admin\AppData\Local\Temp\33A1.exe C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp
PID 660 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 660 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 660 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 660 wrote to memory of 4316 N/A C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3272 wrote to memory of 992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 3272 wrote to memory of 992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 3272 wrote to memory of 992 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 992 wrote to memory of 4264 N/A C:\Users\Admin\AppData\Local\Temp\5BDB.exe C:\Users\Admin\AppData\Local\Temp\5BDB.exe
PID 3272 wrote to memory of 1452 N/A N/A C:\Users\Admin\AppData\Local\Temp\6794.exe
PID 3272 wrote to memory of 1452 N/A N/A C:\Users\Admin\AppData\Local\Temp\6794.exe
PID 3272 wrote to memory of 1452 N/A N/A C:\Users\Admin\AppData\Local\Temp\6794.exe
PID 3272 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe
PID 3272 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe
PID 3272 wrote to memory of 4540 N/A N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe
PID 3272 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADB7.exe
PID 3272 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADB7.exe
PID 3272 wrote to memory of 3572 N/A N/A C:\Users\Admin\AppData\Local\Temp\ADB7.exe
PID 4540 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4540 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4540 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4540 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4540 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4540 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\A2C9.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 228 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 228 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 228 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3272 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B876.exe
PID 3272 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B876.exe
PID 3272 wrote to memory of 1016 N/A N/A C:\Users\Admin\AppData\Local\Temp\B876.exe
PID 1016 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\B876.exe C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp
PID 1016 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\B876.exe C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp
PID 1016 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\B876.exe C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp
PID 3116 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp C:\Windows\system32\svchost.exe
PID 3116 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp C:\Windows\system32\svchost.exe
PID 3116 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp C:\Windows\system32\svchost.exe
PID 228 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssBE3C.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe

"C:\Users\Admin\AppData\Local\Temp\7b78d121a7fff35d2efdbabeac9ace888d0c6e917b27a258058cd4b075ebcb71.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D764.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D764.dll

C:\Users\Admin\AppData\Local\Temp\D998.exe

C:\Users\Admin\AppData\Local\Temp\D998.exe

C:\Users\Admin\AppData\Local\Temp\102A.exe

C:\Users\Admin\AppData\Local\Temp\102A.exe

C:\Users\Admin\AppData\Local\Temp\33A1.exe

C:\Users\Admin\AppData\Local\Temp\33A1.exe

C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HOS8C.tmp\33A1.tmp" /SL5="$600DE,3536428,54272,C:\Users\Admin\AppData\Local\Temp\33A1.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\5BDB.exe

C:\Users\Admin\AppData\Local\Temp\5BDB.exe

C:\Users\Admin\AppData\Local\Temp\5BDB.exe

C:\Users\Admin\AppData\Local\Temp\5BDB.exe

C:\Users\Admin\AppData\Local\Temp\6794.exe

C:\Users\Admin\AppData\Local\Temp\6794.exe

C:\Users\Admin\AppData\Local\Temp\A2C9.exe

C:\Users\Admin\AppData\Local\Temp\A2C9.exe

C:\Users\Admin\AppData\Local\Temp\ADB7.exe

C:\Users\Admin\AppData\Local\Temp\ADB7.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\B876.exe

C:\Users\Admin\AppData\Local\Temp\B876.exe

C:\Users\Admin\AppData\Roaming\vhhevij

C:\Users\Admin\AppData\Roaming\vhhevij

C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp

"C:\Users\Admin\AppData\Local\Temp\is-OAMG3.tmp\B876.tmp" /SL5="$70162,4081152,54272,C:\Users\Admin\AppData\Local\Temp\B876.exe"

C:\Users\Admin\AppData\Local\Temp\nssBE3C.tmp

C:\Users\Admin\AppData\Local\Temp\nssBE3C.tmp

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -i

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -s

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4560 -ip 4560

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 2388

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2936 -ip 2936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2936 -s 860

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network


Files

