Malware Analysis Report

2024-11-30 04:49

Sample ID 240222-gyzcmsdb8w
Target c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe
SHA256 c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194
Tags
glupteba smokeloader stealc pub1 backdoor bootkit discovery dropper evasion loader persistence stealer trojan upx lumma socks5systemz botnet
Score

10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

10/10

SHA256

c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194

Threat Level: Known bad

The file c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Detect Socks5Systemz Payload

SmokeLoader

Lumma Stealer

Glupteba payload

Socks5Systemz

Stealc

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables containing a Discord URL observed in first-stage droppers

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

UPX dump on OEP (original entry point)

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables containing URLs to raw contents of a Github gist

Detects executables packed with VMProtect.

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

UPX packed file

Checks computer location settings

Deletes itself

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 06:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 06:13

Reported

2024-02-22 06:16

Platform

win7-20240221-en

Max time kernel

64s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F606.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\CB9A.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2916 set thread context of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1392 wrote to memory of 3064 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1392 wrote to memory of 3064 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1392 wrote to memory of 3064 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1392 wrote to memory of 3064 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1392 wrote to memory of 3064 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3064 wrote to memory of 2884 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1392 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB9A.exe
PID 1392 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB9A.exe
PID 1392 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB9A.exe
PID 1392 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\CB9A.exe
PID 1392 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC7C.exe
PID 1392 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC7C.exe
PID 1392 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC7C.exe
PID 1392 wrote to memory of 2576 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC7C.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 1392 wrote to memory of 2188 N/A N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2188 wrote to memory of 2792 N/A C:\Users\Admin\AppData\Local\Temp\EE48.exe C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp
PID 2792 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1392 wrote to memory of 2916 N/A N/A C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 1392 wrote to memory of 2916 N/A N/A C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 1392 wrote to memory of 2916 N/A N/A C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 1392 wrote to memory of 2916 N/A N/A C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 2916 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\F606.exe C:\Users\Admin\AppData\Local\Temp\F606.exe
PID 1392 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\67B.exe
PID 1392 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\67B.exe
PID 1392 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\67B.exe
PID 1392 wrote to memory of 1796 N/A N/A C:\Users\Admin\AppData\Local\Temp\67B.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 2792 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1392 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F27.exe
PID 1392 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F27.exe
PID 1392 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F27.exe
PID 1392 wrote to memory of 1696 N/A N/A C:\Users\Admin\AppData\Local\Temp\5F27.exe

Processes

C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe

"C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C7C2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C7C2.dll

C:\Users\Admin\AppData\Local\Temp\CB9A.exe

C:\Users\Admin\AppData\Local\Temp\CB9A.exe

C:\Users\Admin\AppData\Local\Temp\DC7C.exe

C:\Users\Admin\AppData\Local\Temp\DC7C.exe

C:\Users\Admin\AppData\Local\Temp\EE48.exe

C:\Users\Admin\AppData\Local\Temp\EE48.exe

C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp" /SL5="$6015A,3536428,54272,C:\Users\Admin\AppData\Local\Temp\EE48.exe"

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\F606.exe

C:\Users\Admin\AppData\Local\Temp\F606.exe

C:\Users\Admin\AppData\Local\Temp\F606.exe

C:\Users\Admin\AppData\Local\Temp\F606.exe

C:\Users\Admin\AppData\Local\Temp\67B.exe

C:\Users\Admin\AppData\Local\Temp\67B.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\5F27.exe

C:\Users\Admin\AppData\Local\Temp\5F27.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\6B38.exe

C:\Users\Admin\AppData\Local\Temp\6B38.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\9545.exe

C:\Users\Admin\AppData\Local\Temp\9545.exe

C:\Users\Admin\AppData\Local\Temp\nso91C6.tmp

C:\Users\Admin\AppData\Local\Temp\nso91C6.tmp

C:\Users\Admin\AppData\Local\Temp\is-JDJFN.tmp\9545.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JDJFN.tmp\9545.tmp" /SL5="$7015E,4081152,54272,C:\Users\Admin\AppData\Local\Temp\9545.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 185.220.100.251:9000 tcp
FR 45.158.77.29:9000 tcp
DE 145.239.136.129:443 tcp
N/A 127.0.0.1:49455 tcp
US 8.8.8.8:53 trmpc.com udp
MX 189.232.56.10:80 trmpc.com tcp
US 8.8.8.8:53 en.bestsup.su udp
CH 85.195.230.249:9002 tcp
US 104.21.29.103:80 en.bestsup.su tcp
DE 145.239.136.129:443 tcp
FR 45.158.77.29:9000 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 destinywealth.iboostmark.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 44numbers.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 dmo.gameking.com udp
US 8.8.8.8:53 destinywealth.iboostmark.com udp
US 8.8.8.8:53 brousstudio.com udp
US 8.8.8.8:53 secure01b.chase.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 44numbers.com udp
US 8.8.8.8:53 44numbers.com udp
US 8.8.8.8:53 dmo.gameking.com udp
US 8.8.8.8:53 brousstudio.com udp
US 8.8.8.8:53 techbits.co.in udp
US 8.8.8.8:53 brousstudio.com udp
US 8.8.8.8:53 techbits.co.in udp
US 8.8.8.8:53 brousstudio.com udp
US 8.8.8.8:53 alt4.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 secure01b.chase.com udp
US 8.8.8.8:53 park-mx.above.com udp
US 8.8.8.8:53 bg.bitefight.gameforge.com udp
US 8.8.8.8:53 atomy.com udp
US 8.8.8.8:53 24hlamdep.net udp
US 8.8.8.8:53 login.blockchain.com udp
US 8.8.8.8:53 digital.anz.co.nz udp
US 8.8.8.8:53 club.pokemon.com udp
US 8.8.8.8:53 accounts.autodesk.com udp
US 8.8.8.8:53 bg.bitefight.gameforge.com udp
US 8.8.8.8:53 bg.bitefight.gameforge.com udp
US 8.8.8.8:53 us-smtp-inbound-2.mimecast.com udp
US 8.8.8.8:53 bg.bitefight.gameforge.com udp
US 8.8.8.8:53 24hlamdep.net udp
US 8.8.8.8:53 secure01b.chase.com udp
US 8.8.8.8:53 atomy.com udp
US 8.8.8.8:53 login.blockchain.com udp
US 8.8.8.8:53 mail.brousstudio.com udp
US 8.8.8.8:53 atomy.com udp
US 8.8.8.8:53 atomy.com udp
US 8.8.8.8:53 digital.anz.co.nz udp
US 8.8.8.8:53 bloctel.gouv.fr udp
US 8.8.8.8:53 digital.anz.co.nz udp
US 8.8.8.8:53 aulavirtual2.ing.uc.edu.ve udp
US 8.8.8.8:53 spam2.atomy.kr udp
US 8.8.8.8:53 spam2.atomy.kr udp
US 8.8.8.8:53 club.pokemon.com udp
US 8.8.8.8:53 club.pokemon.com udp
US 8.8.8.8:53 accounts.autodesk.com udp
US 8.8.8.8:53 spam2.atomy.kr udp
US 8.8.8.8:53 authpssim.minvu.cl udp
US 8.8.8.8:53 redclinica.cl udp
US 8.8.8.8:53 dabizzi.it udp
US 8.8.8.8:53 midialocaldownloads.forumeiros.com udp
US 8.8.8.8:53 aulavirtual2.ing.uc.edu.ve udp
US 8.8.8.8:53 bloctel.gouv.fr udp
US 8.8.8.8:53 brainly.co.id udp
US 8.8.8.8:53 topminecraftservers.org udp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 dabizzi.it udp
US 8.8.8.8:53 authpssim.minvu.cl udp
US 8.8.8.8:53 relaismsg.finances.gouv.fr udp
US 173.194.202.14:465 alt4.gmr-smtp-in.l.google.com tcp
NL 35.214.188.162:22 dabizzi.it tcp
CL 163.247.53.156:22 authpssim.minvu.cl tcp
GB 108.156.39.23:465 accounts.autodesk.com tcp
US 8.8.8.8:53 lottery.toto.bg udp
US 8.8.8.8:53 midialocaldownloads.forumeiros.com udp
US 8.8.8.8:53 redclinica.cl udp
US 8.8.8.8:53 redclinica.cl udp
US 8.8.8.8:53 lottery.toto.bg udp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 mx01.cbsolt.net udp
US 8.8.8.8:53 topminecraftservers.org udp
US 8.8.8.8:53 alt1.aspmx.l.google.com udp
US 8.8.8.8:53 brainly.co.id udp
US 8.8.8.8:53 animelab.forumcommunity.net udp
US 8.8.8.8:53 animelab.forumcommunity.net udp
NL 173.194.69.84:80 accounts.google.com tcp
BG 193.30.118.126:22 lottery.toto.bg tcp
FR 178.33.43.150:80 midialocaldownloads.forumeiros.com tcp
CL 163.247.53.156:995 authpssim.minvu.cl tcp
US 173.194.202.14:995 alt4.gmr-smtp-in.l.google.com tcp
US 170.114.52.5:143 us05web.zoom.us tcp
US 8.8.8.8:53 dmo.gameking.com udp
NL 173.194.69.84:80 accounts.google.com tcp
FR 160.92.71.200:80 bloctel.gouv.fr tcp
GB 108.156.39.23:80 accounts.autodesk.com tcp
CL 163.247.53.156:80 authpssim.minvu.cl tcp
US 104.26.4.122:80 redclinica.cl tcp
US 104.18.165.48:80 brainly.co.id tcp
NL 108.177.127.26:465 aspmx.l.google.com tcp
BG 193.30.118.126:21 lottery.toto.bg tcp
NL 108.177.127.26:995 aspmx.l.google.com tcp
NL 173.194.69.84:80 accounts.google.com tcp
US 172.67.139.74:22 animelab.forumcommunity.net tcp
US 170.114.52.5:465 us05web.zoom.us tcp
NL 35.214.188.162:80 dabizzi.it tcp
US 20.237.143.188:21 dmo.gameking.com tcp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 steamcommunity.com udp
IT 185.97.217.85:995 mx01.cbsolt.net tcp
US 170.114.52.5:80 us05web.zoom.us tcp
US 103.224.212.210:21 destinywealth.iboostmark.com tcp
FR 160.92.71.200:80 bloctel.gouv.fr tcp
US 8.8.8.8:53 signup.kr.riotgames.com udp
US 8.8.8.8:53 prismaradio.gr udp
US 8.8.8.8:53 lottery.toto.bg udp
US 8.8.8.8:53 8did.com udp
NL 35.214.188.162:80 dabizzi.it tcp
FR 193.17.19.75:465 relaismsg.finances.gouv.fr tcp
FR 178.33.43.150:80 midialocaldownloads.forumeiros.com tcp
US 173.194.202.14:143 alt4.gmr-smtp-in.l.google.com tcp
NL 35.214.188.162:21 dabizzi.it tcp
FR 178.33.43.150:465 midialocaldownloads.forumeiros.com tcp
US 170.114.52.5:21 us05web.zoom.us tcp
CL 163.247.53.156:143 authpssim.minvu.cl tcp
US 104.26.6.65:80 topminecraftservers.org tcp
US 8.8.8.8:53 declaracion.declaranet.gob.mx udp
US 8.8.8.8:53 signup.kr.riotgames.com udp
US 8.8.8.8:53 prismaradio.gr udp
US 8.8.8.8:53 dmo.gameking.com udp
NL 173.194.69.84:443 accounts.google.com tcp
GB 108.156.39.23:443 accounts.autodesk.com tcp
US 104.26.4.122:443 redclinica.cl tcp
NL 173.194.69.84:443 accounts.google.com tcp
US 104.18.165.48:443 brainly.co.id tcp
US 8.8.8.8:53 declaracion.declaranet.gob.mx udp
US 8.8.8.8:53 club.pokemon.com udp
US 8.8.8.8:53 lottery.toto.bg udp
NL 35.214.188.162:80 dabizzi.it tcp
US 172.67.139.74:80 animelab.forumcommunity.net tcp
US 8.8.8.8:53 super-mecha-champions.br.uptodown.com udp
US 8.8.8.8:53 super-mecha-champions.br.uptodown.com udp
US 8.8.8.8:53 aspmx4.googlemail.com udp
US 8.8.8.8:53 www.forumeiros.com udp
US 8.8.8.8:53 relaismsg.finances.gouv.fr udp
US 8.8.8.8:53 mail.prismaradio.gr udp
BG 193.30.118.126:80 lottery.toto.bg tcp
US 8.8.8.8:53 secure.logomaker.com udp
CL 163.247.53.156:443 authpssim.minvu.cl tcp
US 170.114.52.5:443 us05web.zoom.us tcp
FR 160.92.71.200:80 bloctel.gouv.fr tcp
FR 87.98.230.220:443 www.forumeiros.com tcp
US 104.26.6.65:443 topminecraftservers.org tcp
NL 173.194.69.84:80 accounts.google.com tcp
GB 108.156.39.23:80 accounts.autodesk.com tcp
US 8.8.8.8:53 lottery.toto.bg udp
US 8.8.8.8:53 secure.logomaker.com udp
US 104.26.4.122:80 redclinica.cl tcp
DE 78.46.67.48:80 prismaradio.gr tcp
FR 160.92.71.200:80 bloctel.gouv.fr tcp
US 8.8.8.8:53 tuttur.com udp
US 8.8.8.8:53 biounsmama.kemdikbud.go.id udp
GB 108.156.39.78:80 signup.kr.riotgames.com tcp
DE 78.46.67.48:80 prismaradio.gr tcp
US 8.8.8.8:53 tuttur.com udp
US 8.8.8.8:53 dmo.gameking.com udp
US 8.8.8.8:53 steamcommunity.com udp
US 8.8.8.8:53 biounsmama.kemdikbud.go.id udp
AR 66.97.42.30:80 8did.com tcp
US 104.18.165.48:80 brainly.co.id tcp
BG 193.30.118.126:443 lottery.toto.bg tcp
NL 173.194.69.84:80 accounts.google.com tcp
US 172.67.139.74:443 animelab.forumcommunity.net tcp
US 8.8.8.8:53 id.argentina.gob.ar udp
NL 35.214.188.162:80 dabizzi.it tcp
NL 173.194.69.84:443 accounts.google.com tcp
US 170.114.52.5:80 us05web.zoom.us tcp
MX 200.33.31.224:80 declaracion.declaranet.gob.mx tcp

Files

memory/3024-1-0x0000000000250000-0x0000000000350000-memory.dmp

memory/3024-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/3024-3-0x0000000000400000-0x0000000000818000-memory.dmp

memory/3024-5-0x0000000000400000-0x0000000000818000-memory.dmp

memory/1392-4-0x00000000025E0000-0x00000000025F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C7C2.dll

MD5 ec6878849a30cad1ddb5ab3ff4921124
SHA1 0c1208b6d2e153352b8c4ccc345ff30281ab2af9
SHA256 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639
SHA512 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb

memory/2884-14-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2884-15-0x0000000010000000-0x00000000101A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CB9A.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

C:\Users\Admin\AppData\Local\Temp\DC7C.exe

MD5 22fefe7ab99dd3561ac07199f3fea58d
SHA1 9ca00fade7d0155c17801bdf8aca0fb46607c9ae
SHA256 ba3425646e0295c3e5bf5a641a37790dd2ee831f7cd6fd235ced8876b365e71b
SHA512 0d14a45a1d0769b2890b2eafc594db42ac32eff0c8a707b94e6866ab07e34164c434d02d7f04c51082e4d7c1f4f7fae408ffe93a6af210768ecc476cdaf01111

memory/2884-25-0x00000000020E0000-0x0000000002204000-memory.dmp

memory/2576-26-0x00000000000B0000-0x0000000000B87000-memory.dmp

memory/2884-29-0x0000000002210000-0x0000000002318000-memory.dmp

memory/2884-33-0x0000000002210000-0x0000000002318000-memory.dmp

memory/2576-35-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2576-37-0x00000000000B0000-0x0000000000B87000-memory.dmp

memory/2576-38-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2576-40-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2576-42-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2576-41-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-44-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2576-46-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2576-47-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2576-49-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2576-52-0x0000000077B50000-0x0000000077B51000-memory.dmp

memory/2576-51-0x0000000000C00000-0x0000000000C01000-memory.dmp

memory/2576-53-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2884-55-0x0000000002210000-0x0000000002318000-memory.dmp

memory/2576-56-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2576-59-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-58-0x0000000000D10000-0x0000000000D11000-memory.dmp

memory/2576-67-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/2576-75-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/2576-76-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2576-79-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-78-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2576-81-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/2576-88-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/2576-87-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2576-96-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-85-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2576-110-0x0000000077B50000-0x0000000077B51000-memory.dmp

memory/2576-112-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-83-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

memory/2576-82-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-73-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/2576-123-0x00000000000B0000-0x0000000000B87000-memory.dmp

memory/2576-125-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-71-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/2576-70-0x0000000077B4F000-0x0000000077B50000-memory.dmp

memory/2576-69-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/2576-65-0x0000000000E70000-0x0000000000E71000-memory.dmp

memory/2576-64-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/2576-62-0x0000000000E60000-0x0000000000E61000-memory.dmp

memory/2576-60-0x0000000000E60000-0x0000000000E61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE48.exe

MD5 7f4bf4523e93eeab1701e0aa60052f8f
SHA1 9e09ef10a4511558722b0815843286d37d6d4729
SHA256 4af047e0191aab61bb541ce14519441ace1ec527023193b0edec68df4c6370ef
SHA512 5bb3588060ec0084e0f1a003151b02932ce925801300f875c90eec450e3dc81ebbb636be4667f78ff9765c16276c3a715ffa0af295ee02296bbfcd176df4f13e

memory/2188-132-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EE48.exe

MD5 049f337e6e6a3b2e21306e039e8de7f0
SHA1 3448a9d8e2f880116568bef7a15494de410ffc70
SHA256 1309f9cd128e58a66a036b20fa6760b5a0b23d5c580e1599b5f1f95a3abd3803
SHA512 eca349124795ccbfe04a92667a4dd63fd19f97ac5484609c0a4503769f550e4828f4cc27a0c21da4f743ce9ac04b90facc73ac4466aab447f530949f8927a7ef

C:\Users\Admin\AppData\Local\Temp\is-M4HOL.tmp\EE48.tmp

MD5 1ba055823154222509be8b1cb57f0d49
SHA1 a11bdd1f4106f1de2dd075801987965f97c5c2b2
SHA256 c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841
\Users\Admin\AppData\Local\Temp\is-IP9VR.tmp\_isetup\_shfoldr.dll

\Users\Admin\AppData\Local\Temp\is-IP9VR.tmp\_isetup\_iscrypt.dll

\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

C:\Users\Admin\AppData\Local\Temp\F606.exe

\Users\Admin\AppData\Local\Temp\F606.exe

\Users\Admin\AppData\Local\Temp\C7C2.dll

C:\Users\Admin\AppData\Local\Temp\5F27.exe

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

C:\Users\Admin\AppData\Local\Temp\6B38.exe

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

\Users\Admin\AppData\Local\Temp\FourthX.exe

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

\Users\Admin\AppData\Local\Temp\nst7408.tmp\INetC.dll

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\9545.exe

\Users\Admin\AppData\Local\Temp\nso91C6.tmp

\Users\Admin\AppData\Local\Temp\is-JDJFN.tmp\9545.tmp

C:\Users\Admin\AppData\Local\Temp\is-JDJFN.tmp\9545.tmp

\??\c:\users\admin\appdata\local\temp\is-jdjfn.tmp\9545.tmp

\Users\Admin\AppData\Local\Temp\is-KS1G7.tmp\_isetup\_isdecmp.dll

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-MMF0E.tmp

\??\PIPE\srvsvc

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 06:13

Reported

2024-02-22 06:16

Platform

win10v2004-20240221-en

Max time kernel

60s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe"

Signatures

Detect Socks5Systemz Payload

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Stealc

stealer stealc

Detect binaries embedding a considerable number of MFA browser extension IDs.

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables packed with VMProtect.

Detects executables referencing many varying, potentially fake Windows User-Agents

UPX dump on OEP (original entry point)

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\37C.exe N/A

Deletes itself

UPX packed file

upx

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\AAE7.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3744 set thread context of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D70.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D70.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\D70.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3532 wrote to memory of 2468 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3532 wrote to memory of 2468 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2468 wrote to memory of 1588 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2468 wrote to memory of 1588 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2468 wrote to memory of 1588 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3532 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\AAE7.exe
PID 3532 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\AAE7.exe
PID 3532 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\AAE7.exe
PID 3532 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAC4.exe
PID 3532 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAC4.exe
PID 3532 wrote to memory of 4904 N/A N/A C:\Users\Admin\AppData\Local\Temp\CAC4.exe
PID 3532 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe
PID 3532 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe
PID 3532 wrote to memory of 2384 N/A N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe
PID 2384 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp
PID 2384 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp
PID 2384 wrote to memory of 1112 N/A C:\Users\Admin\AppData\Local\Temp\D6CB.exe C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp
PID 1112 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1112 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1112 wrote to memory of 4508 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3532 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3532 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3532 wrote to memory of 3744 N/A N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 3744 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\DE10.exe C:\Users\Admin\AppData\Local\Temp\DE10.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 1112 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe
PID 3532 wrote to memory of 4148 N/A N/A C:\Users\Admin\AppData\Local\Temp\E331.exe
PID 3532 wrote to memory of 4148 N/A N/A C:\Users\Admin\AppData\Local\Temp\E331.exe
PID 3532 wrote to memory of 4148 N/A N/A C:\Users\Admin\AppData\Local\Temp\E331.exe
PID 3532 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\37C.exe
PID 3532 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\37C.exe
PID 3532 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\37C.exe
PID 2132 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2132 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2132 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2132 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2132 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2132 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2132 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 2132 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Local\Temp\37C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3532 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D70.exe
PID 3532 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D70.exe
PID 3532 wrote to memory of 3712 N/A N/A C:\Users\Admin\AppData\Local\Temp\D70.exe
PID 1900 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1900 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1900 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 1048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 1048 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 1900 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp
PID 1900 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp
PID 1900 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe

"C:\Users\Admin\AppData\Local\Temp\c36d9a5680ece3f4ceb44ed997961422d13e6b7eba7ea1d678a0efc561934194.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A613.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A613.dll

C:\Users\Admin\AppData\Local\Temp\AAE7.exe

C:\Users\Admin\AppData\Local\Temp\AAE7.exe

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp" /SL5="$30214,3536428,54272,C:\Users\Admin\AppData\Local\Temp\D6CB.exe"

C:\Users\Admin\AppData\Local\Temp\D6CB.exe

C:\Users\Admin\AppData\Local\Temp\D6CB.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -i

C:\Users\Admin\AppData\Local\Temp\DE10.exe

C:\Users\Admin\AppData\Local\Temp\DE10.exe

C:\Users\Admin\AppData\Local\Temp\DE10.exe

C:\Users\Admin\AppData\Local\Temp\DE10.exe

C:\Users\Admin\AppData\Local\Temp\E331.exe

C:\Users\Admin\AppData\Local\Temp\E331.exe

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

"C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe" -s

C:\Users\Admin\AppData\Local\Temp\37C.exe

C:\Users\Admin\AppData\Local\Temp\37C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\D70.exe

C:\Users\Admin\AppData\Local\Temp\D70.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp

C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp

C:\Users\Admin\AppData\Local\Temp\26D5.exe

C:\Users\Admin\AppData\Local\Temp\26D5.exe

C:\Users\Admin\AppData\Local\Temp\is-0H9NP.tmp\26D5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0H9NP.tmp\26D5.tmp" /SL5="$5021E,4081152,54272,C:\Users\Admin\AppData\Local\Temp\26D5.exe"

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -i

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

"C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe" -s

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
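
The command lines above are where the sample's persistence and defense evasion show up in plain text: a scheduled task that re-runs an executable out of %TEMP% every 30 minutes, Defender exclusions covering the whole user profile, ProgramData and every .exe, removal of KB890830 (the Malicious Software Removal Tool), a service whose binary lives under ProgramData, and a stop of the eventlog service. The Python below is an added example, not part of the sandbox output: it runs a small rule set over those command lines (copied into the script as constructed sample input), maps each hit to a MITRE ATT&CK technique and pulls out the task name, service name, binary path and exclusion list a responder would want to pivot on. Rule names, severities and the user-writable-path heuristic are my own labels.

```python
"""Rule-based triage of sandbox process command lines.

Added example, not part of the sandbox report. SAMPLE_CMDLINES is a constructed
list copied from the process listing; rule names and severities are my own
labels, the technique IDs are MITRE ATT&CK.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: command lines taken from the report's process list.
SAMPLE_CMDLINES = [
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"chcp 1251",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 1716",
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]


@dataclass
class Finding:
    rule: str
    technique: str                     # MITRE ATT&CK technique ID, "-" when none fits
    severity: str
    cmdline: str
    details: dict = field(default_factory=dict)


# (rule, technique, severity, pattern); named groups end up in Finding.details.
RULES = [
    ("defender_exclusion_added", "T1562.001", "high",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("msrt_uninstalled", "T1562.001", "high",       # KB890830 is the Malicious Software Removal Tool
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("eventlog_service_stopped", "T1562.002", "high",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("service_created", "T1543.003", "medium",
     re.compile(r'\bsc(?:\.exe)?\s+create\s+"?(?P<svc>[^"\s]+)"?.*binpath=\s*(?:"(?P<bin_q>[^"]+)"|(?P<bin_u>\S+))', re.I)),
    ("scheduled_task_created", "T1053.005", "medium",
     re.compile(r'\bschtasks(?:\.exe)?\s+/create\b.*?/tn\s+"?(?P<task>[^"\s]+)"?.*?/tr\s+(?:"(?P<tr_q>[^"]+)"|(?P<tr_u>\S+))', re.I)),
    ("werfault_crash", "-", "info",                 # a payload crashed; the pid matches the memory dumps
     re.compile(r"\bWerFault\.exe\b.*?-p\s+(?P<pid>\d+)", re.I)),
    ("codepage_cyrillic", "-", "info",
     re.compile(r"\bchcp\s+1251\b", re.I)),
]


def _user_writable(path):
    """Heuristic: a binary here can be planted without administrative rights."""
    p = path.lower()
    return any(t in p for t in ("\\programdata\\", "\\appdata\\", "\\users\\", "\\temp\\"))


def _exclusions(cmd):
    """Pull -ExclusionPath / -ExclusionExtension / -ExclusionProcess values out of an Add-MpPreference call."""
    out = {}
    for key, flag in (("paths", "ExclusionPath"), ("extensions", "ExclusionExtension"), ("processes", "ExclusionProcess")):
        m = re.search(r"-%s\s+(@\([^)]*\)|\S+)" % flag, cmd, re.I)
        if m:
            raw = m.group(1).strip("@()")                 # handles both @(a, b) and bare forms
            out[key] = [v.strip().strip("'\"") for v in raw.split(",") if v.strip()]
    return out


def triage(cmdlines):
    """Run every rule over every command line; findings come back in input order."""
    findings = []
    for cmd in cmdlines:
        for name, technique, severity, rx in RULES:
            m = rx.search(cmd)
            if not m:
                continue
            details = {k: v for k, v in m.groupdict().items() if v}
            if name == "service_created":
                details["bin"] = details.pop("bin_q", None) or details.pop("bin_u", "")
                details["user_writable_binpath"] = _user_writable(details["bin"])
            elif name == "scheduled_task_created":
                details["tr"] = (details.pop("tr_q", None) or details.pop("tr_u", "")).strip("'")
                details["user_writable_target"] = _user_writable(details["tr"])
            elif name == "defender_exclusion_added":
                details.update(_exclusions(cmd))
            findings.append(Finding(name, technique, severity, cmd, details))
    return findings


def worst_severity(findings):
    """Highest severity present, "none" for an empty list."""
    order = {"info": 0, "medium": 1, "high": 2}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_CMDLINES):
        print(f"[{f.severity:6}] {f.rule:26} {f.technique:10} {f.details}")
```

Run as-is it prints one finding per flagged command line; the conhost and chcp lines show why the rule set keeps an "info" tier: neither is malicious on its own, but a Cyrillic code page switch and a crash of the same pid that the memory dumps were taken from are worth seeing next to the high-severity hits. Feed it the command-line column of an EDR export or a Sysmon event 1 log instead of SAMPLE_CMDLINES to use it outside the sandbox.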

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
BA 109.175.29.39:80 trmpc.com tcp
US 8.8.8.8:53 39.29.175.109.in-addr.arpa udp
US 8.8.8.8:53 en.bestsup.su udp
US 104.21.29.103:80 en.bestsup.su tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/1768-1-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/1768-2-0x0000000000400000-0x0000000000818000-memory.dmp

memory/1768-3-0x0000000002420000-0x000000000242B000-memory.dmp

memory/3532-4-0x0000000002AE0000-0x0000000002AF6000-memory.dmp

memory/1768-5-0x0000000000400000-0x0000000000818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A613.dll

MD5 ec6878849a30cad1ddb5ab3ff4921124
SHA1 0c1208b6d2e153352b8c4ccc345ff30281ab2af9
SHA256 3bc2c7cc924b87108429a7d64fdfe54f6804d158c853e5375e61cb4c871e2639
SHA512 773e7e196bec58000b626b0ea12adf300381ca324e0c70dc7e262da8d0a12b6c41fd673d78010886233888435a7d426fe1b9fe1f60546ac821992c067c120edb

memory/1588-14-0x0000000010000000-0x00000000101A5000-memory.dmp

memory/1588-16-0x0000000001420000-0x0000000001426000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AAE7.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

memory/1588-21-0x0000000003020000-0x0000000003144000-memory.dmp

memory/1588-22-0x0000000003150000-0x0000000003258000-memory.dmp

memory/1588-25-0x0000000003150000-0x0000000003258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

MD5 12fbfc01f4fece1f19ef2cb3558fbbc4
SHA1 014fd912c485a334ad1ff324911aba598ff6dbf8
SHA256 9f86e56c119646141d6640ce905597ae6edf5420ac35fce33d0aca819a3164f7
SHA512 4a8e4d88626d73c28b0cb319a1d2b587dd11cf3af2e9d2a0afd63da6166c083c3ac41b3667723529ac0d84039bc8e1deb792b292a63c6ce3922f4095131f1b83

memory/4904-29-0x0000000000EA0000-0x0000000001977000-memory.dmp

memory/4904-34-0x0000000000850000-0x0000000000851000-memory.dmp

memory/4904-38-0x0000000000EA0000-0x0000000001977000-memory.dmp

memory/4904-37-0x0000000000E90000-0x0000000000E91000-memory.dmp

memory/4904-36-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/1588-35-0x0000000010000000-0x00000000101A5000-memory.dmp

memory/4904-39-0x0000000003020000-0x0000000003021000-memory.dmp

memory/4904-41-0x0000000003040000-0x0000000003041000-memory.dmp

memory/4904-40-0x0000000003030000-0x0000000003031000-memory.dmp

memory/4904-42-0x0000000003050000-0x0000000003051000-memory.dmp

memory/4904-43-0x0000000003060000-0x0000000003061000-memory.dmp

memory/4904-45-0x0000000003080000-0x0000000003081000-memory.dmp

memory/4904-46-0x0000000003090000-0x0000000003091000-memory.dmp

memory/4904-44-0x0000000003070000-0x0000000003071000-memory.dmp

memory/4904-47-0x00000000030A0000-0x00000000030A1000-memory.dmp

memory/4904-48-0x00000000030B0000-0x00000000030B1000-memory.dmp

memory/4904-49-0x00000000030C0000-0x00000000030C1000-memory.dmp

memory/4904-50-0x00000000030E0000-0x00000000030E1000-memory.dmp

memory/4904-51-0x00000000030F0000-0x00000000030F1000-memory.dmp

memory/4904-52-0x0000000003100000-0x0000000003101000-memory.dmp

memory/4904-53-0x0000000003110000-0x0000000003111000-memory.dmp

memory/4904-54-0x0000000003120000-0x0000000003121000-memory.dmp

memory/4904-57-0x00000000032E0000-0x00000000032E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

MD5 6ac48873f3053963255fd1c9bfa6fc52
SHA1 385f778fb0abf8b2fb3699940b192e0c02d454cc
SHA256 8b0ee35ed3d795c078ca345cf7007489bde9a9ef358318bfb39f8809707930da
SHA512 dff1e929775f9d9cd797d84cb95b1d6ed5ec2d3b4b44128eab76ce186a16c3090d48965b83a979a3c99f0bfa4174ca150d3bc59778c6cdd334da66efed405d24

memory/4904-58-0x0000000003130000-0x0000000003162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D6CB.exe

MD5 a725bdafbeed72ef8c2985feb59b5c1d
SHA1 f15c838044ac71d181f247d8caad3de08c346670
SHA256 ae7fdc392bca4f09b1e8814c2c5321b1f558a752cd35ef348a29ddb199ea1209
SHA512 f2d429256b8fb2f501f14d10a01c3a5e76c45265fac4bf48ad975bac1f4ab560500835c33f0a6ba64d11f826b33efaecf498e126f4abbf9bb8837510b39ae047

C:\Users\Admin\AppData\Local\Temp\D6CB.exe

MD5 2621bd2f87073e83aea96853ca62bdb9
SHA1 f42f877607d3e4d2fd620132964c25ea2864a86a
SHA256 8388c6575a6cb7e442a0dad7143e597b9be8399e4067483d49d5709119d42201
SHA512 5113f8dfb1186c2e0b5cf2bbeae2f4201092abd2bf98c8e689975e3cb502f06792fd465c95e96954a6bfa237f712f71dcd2b05ebf5414207e88995c8fb3949c0

memory/2384-65-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4904-67-0x0000000003130000-0x0000000003162000-memory.dmp

memory/2384-70-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4904-68-0x0000000003130000-0x0000000003162000-memory.dmp

memory/4904-64-0x0000000003130000-0x0000000003162000-memory.dmp

memory/4904-61-0x0000000003130000-0x0000000003162000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QPTAE.tmp\D6CB.tmp

MD5 1ba055823154222509be8b1cb57f0d49
SHA1 a11bdd1f4106f1de2dd075801987965f97c5c2b2
SHA256 c2994637d1dca3be7b8237176a71a5dca9a68f1442345f2f950a5b4bf3b0d841
SHA512 2a1372383e7ddb3a238c5e38cd5687689f9040f227cb75dffc422fcdf91be4086935cf4a8885b1a571ec3ea5dec150b72cce029e6f389ce6129e318061dfd41a

memory/1112-75-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TJAJ8.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\DE10.exe

MD5 9974fc4e3b723c5d2b4cfe9960cb678b
SHA1 5cda65bcec43aefce7709b1e40ef9049ddfff227
SHA256 5327df45ba7a55a68b4f5b0c38e19c68f66e1f6083646e91d5836ae7b7246668
SHA512 38671acec6ac7bbd7fc317c4449a4e574ebdeeb2a699fdeb4427782f83d50d59216de26afbf3cb5d2d71348395daeccdb804f763be88d4623752f3f3d8809335

C:\Users\Admin\AppData\Local\Temp\DE10.exe

MD5 d8c737fe89b9cd71eda2cb96c53f058a
SHA1 e1f7acc79a8aa902c1c6b913c6dd71383ba3a6b4
SHA256 f73452f0f414bca5f67f9a4d3e9b37284961bc7cacdbc7a6ee19a53e9a3d91da
SHA512 900fca6f0d356ef4ba1567c2db0373e649ec7192e2237201d6c6ae7168d5d171335764ad9d3b3e8a8b3b9eb8e3900ce1ec38dd7a1b33a0e3a608e23c64cd54a0

memory/4508-123-0x0000000000400000-0x0000000000736000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 403efea73df7a481c59ec3cb80e8ecef
SHA1 abe5c4e2b0541d6700269a3be8faa14b7ccd2555
SHA256 394e4020c62baa6ddc1dce74828d3814165a89ea4c880343577b72354700e1be
SHA512 da9693ff9099649bf1e735a6957d92a526c8a318d2e9018a51f2a257743ccc6331e85deeac597bdc4050367c6dc5a9ddfc06505d1e2ab8dfc6c32bee7eaf3826

memory/3744-127-0x0000000004AB0000-0x0000000004C74000-memory.dmp

memory/3744-129-0x0000000004D80000-0x0000000004F37000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE10.exe

MD5 3e74cf9df89f4fd58d709364d000fc15
SHA1 dd4da8dad155607312477c0524c31fa2ba48f093
SHA256 138516c338dca99b4a0b6a8f6a97cd0302653e0de8075e419e1e86a57a33f66b
SHA512 4b587978525c9f0f879310f1af2d80eeba734b89e3c90ca232c095cea996d4338d1b35ffeeb1ed535157dc5cdee1dc7ba5fb2e35b26f3199f6bfb330bb11329c

memory/2392-138-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2392-137-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2392-133-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4508-132-0x0000000000400000-0x0000000000736000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 3b66557b08111e0f88d2929a0f912d54
SHA1 395d4d43ffb7de91181c2def0ca7df444ba7d20f
SHA256 d9ff5549256d46c3befb517124b8b650c466572242be5066be76f6628083829d
SHA512 e809231114bdfb6591faaf0b8442911bc6838c67d78483168de20c21dc754ff0bb681f0b4083900f7c33d69f011b421476bbde6cdb7b0eb63668974ba2afbabd

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 344a760c2777f4bf07311fb956f11685
SHA1 12bda6db311abef44838f5479fedb3e95e77bb59
SHA256 37806ba861d54958d091c7ea286dcf8082d29c6966ecadf5bcfc5e19e02b5ae5
SHA512 6e5598ac49ca7bbc85e212fb49bb74301a8e5ef3c7ab9b520af3cd28236398900d934a7375c9bd7262d3cc5a43fc60a4a8ae38d97e31bd8e853e1c587bf3eb74

memory/4508-128-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2392-139-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\DVD32 Plug-in\dvd32plugin.exe

MD5 55d04dc6a287925cd72bde8e62e0fe05
SHA1 4812688a8b3202e65b42c97cd738be5103951509
SHA256 9da653b8931f8e838ce8b2142f92df9044e9ef06d6ba4db62f29b455af64dd2a
SHA512 eb0493fde0cd7f56c0a91b0773a4084427dc4d051b11c9a13d7523b58bdb3d37bfb451ff332ac64d9f12c91b07f762985cccfc9883d0e92d0c2206f9fcc1e492

memory/2392-145-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A613.dll

MD5 b2775469a6b53a121bfe86b2f6442a6b
SHA1 a26a21ea315fba625fe5fee085935da5be2da717
SHA256 3629fc5ff81fc0b80571f25d5e63ba241ba2d03dace7f10558ec14abfc4713f3
SHA512 9baee097941695b518594b40f924768cc017b798e74831aa3d89a8f9a734599fb6639725171be76d6678e441f317216910503ac2c985349e73cd25e421d6269d

C:\Users\Admin\AppData\Local\Temp\E331.exe

MD5 f260ce80e61a0fe8caa68cfa3e414d4f
SHA1 a733d93bb60931db440afe633e1480127c8f8375
SHA256 de71f2993ca9c29da47a0a17557dc53352daeee0264767787df3c6f69b66affd
SHA512 62ea7351d8abca676cf958bf1d081ebdf2f82cf0235f634f3ebbb3c4569c26d1bb832e55fc6055c5150e0119cc5705b102a58e81403bd5a210fae6fe386e54c8

memory/4904-151-0x0000000000EA0000-0x0000000001977000-memory.dmp

memory/4904-152-0x0000000003130000-0x0000000003162000-memory.dmp

memory/2392-143-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4364-154-0x0000000000400000-0x0000000000736000-memory.dmp

memory/2392-153-0x0000000002510000-0x0000000002516000-memory.dmp

memory/4904-155-0x0000000000EA0000-0x0000000001977000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37C.exe

MD5 24a972893bc04e2c75be1a68556e9c54
SHA1 6e3d301fb46a760493e4593fef066e1c7ab65800
SHA256 bd99bdc14b68e64797dcc2da53b2937e2d2fe4cbc1f5a62e3c898fe19a9a044f
SHA512 a7be4c82e9a883379ff2b2ed87c30a9cb15a7cfd2c56a2185aff81fef40602dca224e3216f070d35437d39d61dbf26bbf665e6008d012a3431f6c677415236fd

memory/2384-161-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\37C.exe

MD5 e1bb7bde6ec13f4fde302d3a3a1063f9
SHA1 14bb11297dfbbd2aed172c9df2575142bb13747a
SHA256 870e98726481317063d3e7300ddf022744875f333f5a1bf3451442b334898a03
SHA512 0404c009c7ef07f6cc8013c17389d5ccee08c50926ad5de1514094da27cec74636e224553ff3897eb471625aef7544121321646b8d927cdf523e9a80b2600db5

memory/2132-162-0x0000000000830000-0x00000000010E6000-memory.dmp

memory/1112-163-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2132-164-0x0000000072FD0000-0x0000000073780000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 05289f5848a855ff3d7a78b862498e26
SHA1 1021a66f15e425f33047d76a247680e916e736b0
SHA256 9c6d6f161b0253f9a78cd099ed0aa225b6ac00d3801859ff7405abd08b501407
SHA512 46265b61d4bdaeaf8af057fe5d49062f69b5ba7ca28198724c0767750af9705bf2f203183b7d33713ba45a9a02009539c5a2253ba567e7b4a4c0a79e85c200a7

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 167d3d67c322a67d33bb8b4b2dc041e8
SHA1 6b64ab0817892f969fa3141afd467bbe5f9c8c00
SHA256 5c91b896721aab20defe9244568581e92cdb2ccef648e7e6f6ce6f4459aa95ff
SHA512 19891422afad93c70f105a46792a64ecd41ac0d419c019022e7ac0deeb48adce52680410e49e6ba6ce5da175fba7f09c38a984c645d76e10d9e2dd08771a2b48

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b17be9c9cd31a7c69c5dccc4222f3241
SHA1 0c4f24a70c3f555d8ebee3397a850a08f68051d1
SHA256 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea
SHA512 ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 9e3c0fbd879284ddc1a24e3ae2310922
SHA1 ec7dc55591baa85b28453ddfbebc7e5b5bffe02c
SHA256 4c3812e784e2b73faa15262bd1126be8479fb3246f5f18bd519c71e70b59594d
SHA512 1d82ec2ea8538aad5d74b31053860634825f3b62c0e8dce40d3576791cdef71967eb42792af18e8d088e85ca705365fefa8e635e2e0f6d4b1b0b2a2bab6fa21f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 6a190e993f065d939995adfdb07cc8a1
SHA1 9664f606593178eb502cc38b5431189cc4c2cd5e
SHA256 6c8188b31f1c40c05d61e65ea787b2fdde140b631a41a72318d33c5ca475df21
SHA512 a6c1421c487bb344f8bb7ebe9cf2ac2a72cea9c9b70fd9a4092f0891e2de2a3f8150f7ad213bd46300639f21649c79a8360ab917833cbfcb7460bc06de2d17e2

C:\Users\Admin\AppData\Local\Temp\D70.exe

MD5 0d06a607b3d18299d41b13f466f5d196
SHA1 f9287516ccc738416c643277f064b5727717c9c7
SHA256 a744a59bae89bcbe2003a864182fe49effbddee3a4026775a778cedb0732925d
SHA512 d546dce46ebf2c4a493fbd07abeca323ca30003399c7ddb54f1e8f3c204fadb7263bd9704091bfabe9b0f8c52e7e0eaec3e03105a395a50e1216ee03e1ea5654

C:\Users\Admin\AppData\Local\Temp\nse1019.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 95bf71504e0b7d40a0b230128eda2910
SHA1 d544e844f5bdbe1ddc3df0bdc5dd47fbc89c0aca
SHA256 f5bc93a03932e8dae0bf721685ac6bcc7052662ed709013617806cb6294fc373
SHA512 c008a5ef865a50dfe40e8a8c7c64200265a8ed41987651b0e0915294f4d43019ad8aaf53c49881596dc0088a589f45e223ced97c12de6dab36b7284620f3babd

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

memory/2132-199-0x0000000072FD0000-0x0000000073780000-memory.dmp

memory/2392-198-0x0000000002C70000-0x0000000002D94000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 ebb513d4d6d769ae21e14c45f491ca1b
SHA1 5f97e01f98b58a17e538a71b81b7a24c999c1859
SHA256 5e467197e806babc85b146d0456992a2a72060494e4dd0a00dc05813f71381c6
SHA512 6e28db09bb87188eeb331f695e9505e80a06286191c29599d0d113e64013a818c0d537040eb527a5da4298adac057ae08928e84cca85d08301c9312e5da36a21

memory/2392-211-0x0000000002DA0000-0x0000000002EA8000-memory.dmp

memory/2392-216-0x0000000002DA0000-0x0000000002EA8000-memory.dmp

memory/4364-217-0x0000000000400000-0x0000000000736000-memory.dmp

memory/1048-218-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/3712-219-0x00000000008A0000-0x00000000009A0000-memory.dmp

memory/3712-220-0x0000000000860000-0x000000000086B000-memory.dmp

memory/3712-221-0x0000000000400000-0x0000000000818000-memory.dmp

memory/3360-222-0x00000000028E0000-0x0000000002CE5000-memory.dmp

memory/3360-223-0x0000000002DF0000-0x00000000036DB000-memory.dmp

memory/3360-228-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1112-230-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsi1A2C.tmp

MD5 a28dacaf0cbbf1492125a80597ee1315
SHA1 a89f610af8cbe1944c770a8f7792b56234d98042
SHA256 88b1beec7215b7d1201b6dedd2d9a12df840da9d45a4c115b4e28775d7e742e1
SHA512 82e8239786bcc5dd95cd4a1366ef557c83ed4b9dfb5f70971cb199c305fc2e868dcb1dc72e74f3de156d7bf466118708275593ade4ea8dda1ffb8539e0e4f88e

memory/3364-239-0x0000000000B70000-0x0000000000C70000-memory.dmp

memory/3364-240-0x0000000000980000-0x00000000009B4000-memory.dmp

memory/3364-241-0x0000000000400000-0x0000000000822000-memory.dmp

memory/3532-243-0x0000000007410000-0x0000000007426000-memory.dmp

memory/3712-245-0x0000000000400000-0x0000000000818000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\26D5.exe

MD5 dd5a32a7f2fab74f19a49e2c37798ab8
SHA1 925b6abd47bfe2ee9cfa3aa06702cc38779c6f4d
SHA256 f087a526570e1c5af6ec0cf3a6b30ef13a0d1cbb49ad25353b00a7f9860053ac
SHA512 397004ede888de708b751aa6ffb1309d48ed8e0048f40e64d4666d9361bee967003cb6a9ad438f671b2117701f3e6e1997487f498e0d1a67af93cd2d1e7ec705

C:\Users\Admin\AppData\Local\Temp\26D5.exe

MD5 6fa5b5f58c7f6bf1ab302ed8968d9a05
SHA1 5fa529e564aedeeaaf88c02dc8358ae3cb82f7bd
SHA256 50c9651d77dd948fdd25dfc918fe42853db2d2a58a13d54a756907ace3697bba
SHA512 4cd81bbc01782e6f640b0aba5f95cf659c71498da6cd35848edac918f95e4adde44f809861e8d7ddbf125c4ee8af68919973f894cfd74780867c5c9796fe0495

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2108-256-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-0H9NP.tmp\26D5.tmp

MD5 49becb0626a04b87221c00d30c3d14a2
SHA1 96e2f9ea00aa118ce62a368ded287f6b888c0cd4
SHA256 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f
SHA512 a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2

C:\Users\Admin\AppData\Local\Temp\is-0H9NP.tmp\26D5.tmp

MD5 b11909d5e4e08b1a6da220eca474d49f
SHA1 b42582ab65d400f3450907ddc0857092c4daa4a8
SHA256 97f2d72a0547bb1de12ce60bb94c8550574637d3b9982be7ba4ae55348eb00ff
SHA512 8e98b2ad7437da3f35adbbbe92c55b966982df33267cd9959dd6bdc36936693b38789c19624a0e6c6a816f0bfc2cf15f23bdfe1ff060f7d49ac8c0e03682efab

C:\Users\Admin\AppData\Local\Temp\is-GP73V.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/3476-267-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\is-92695.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

C:\Users\Admin\AppData\Local\Temp\is-GP73V.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

MD5 90a2639262122ba670be32a445d39efa
SHA1 b7522a96f52f2a6084a54b46c0e6cf0196450477
SHA256 48a732a7761ce99c290ed06680a08c0129ef9ad7d68dd6bbf7798afc7bb53382
SHA512 e49841a1050aa538808116fe6c992576e2a8f89049fe355b21c0bc13e4b5b6441d99e603794ed6257fa987946772e1cedde663a59f84b0364905eea1f6c0682b

memory/2204-316-0x0000000000400000-0x0000000000746000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 905b0eeb751396756f968a52926c134e
SHA1 786d7ee38db121dd8b84aeb2f1d48158be74ceb5
SHA256 28a92840928959ad3edc674b0e3e8fbb5dd93298453db6ea596d63ff81b18dae
SHA512 eca7fddbe3c5586a2f44ce9bf480ff3a05b1fbecaac23aa6230bd4870850de2912a0651893f9185c7e3cd8eb7a6ec153ef5fcd6f4d9009b1da97287afe011126

memory/2204-321-0x0000000000400000-0x0000000000746000-memory.dmp

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

MD5 8c29320b32c1f3cf800aa34c96756a42
SHA1 823e9ef67f0fcbfb1be464c97f7c205e003c4eec
SHA256 98692e74996d92216326a2969ad9f6124b6626fb3aa133dd0cd6fae5d17af1a0
SHA512 92d0f084ab5a28be812cfc29bd4cfbfda447fd2a576dac7c0c679fd4781ed4de6478e41d14cd17a02a17d7f1fffa09c0719eedb94702c8f1cbe7eea11b0395a4

C:\Users\Admin\AppData\Local\Folder To Iso 2.0\foldertoiso20.exe

MD5 ee91f96e1135a1806ffd9954bea257de
SHA1 7cdffa4537f4c4a5d4c226f63ed8f4d40e123265
SHA256 9833db9a94db7193563f430a0b9b99e6df95a9132f8f9e75a1ccb28863121af2
SHA512 3d3ca90802e8b15d6d1ec283c3ff55666a0faee3fef3c66de6a6f27a2eaf6888c2264e0e1a73072b188bf9b5cf5b8cffa546dcca63c912972a0481ef799fee61

memory/4364-328-0x0000000000400000-0x0000000000736000-memory.dmp

memory/696-331-0x0000000000400000-0x0000000000746000-memory.dmp

memory/696-335-0x0000000000400000-0x0000000000746000-memory.dmp

memory/4364-333-0x0000000000400000-0x0000000000736000-memory.dmp

C:\ProgramData\nss3.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
Note: these are the digests of empty input, i.e. nss3.dll was left as a zero-byte file in this run; the hashes identify nothing and should not be used as indicators.

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/1048-418-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/3364-435-0x0000000000400000-0x0000000000822000-memory.dmp

memory/3360-439-0x00000000028E0000-0x0000000002CE5000-memory.dmp

memory/2436-443-0x00007FFA41C50000-0x00007FFA42711000-memory.dmp

memory/2436-444-0x0000027F09CA0000-0x0000027F09CB0000-memory.dmp

memory/2436-445-0x0000027F09CA0000-0x0000027F09CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33cdwlte.ht3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2436-457-0x0000027F25D10000-0x0000027F25D32000-memory.dmp

memory/3360-469-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4364-481-0x00000000009E0000-0x0000000000A82000-memory.dmp

memory/3692-485-0x0000000005010000-0x0000000005046000-memory.dmp

memory/3692-490-0x0000000005750000-0x0000000005D78000-memory.dmp

memory/2108-498-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3692-499-0x0000000072630000-0x0000000072DE0000-memory.dmp

memory/3692-500-0x0000000005110000-0x0000000005120000-memory.dmp

memory/3476-503-0x0000000000620000-0x0000000000621000-memory.dmp

memory/3692-504-0x0000000005630000-0x0000000005652000-memory.dmp

memory/3692-502-0x0000000005110000-0x0000000005120000-memory.dmp

memory/3692-514-0x0000000006030000-0x0000000006096000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 2894bac8eef6977463a9b6b2b4ebfb45
SHA1 24e371157c3114cd29a54cd635ddb884046a3f6b
SHA256 d880568ca69cbd902df113d63331abce86cc5f454ceadac09c5cee53942a5762
SHA512 903c63b84eb3f5c8dabe8e95388779fb50408eb58f80c8fdbfaec363fdaaff921089d00c117636304eaa2602c76ed53667472c6a983e9fcfd19d1b8b103a92a6

C:\ProgramData\resource-a.dat

MD5 98dda7fc0b3e548b68de836d333d1539
SHA1 d0cb784fa2bbd3bde2ba4400211c3b613638f1c6
SHA256 870555cdcba1f066d893554731ae99a21ae776d41bcb680cbd6510cb9f420e3d
SHA512 e79bd8c2e0426dbeba8ac2350da66dc0413f79860611a05210905506fef8b80a60bb7e76546b0ce9c6e6bc9ddd4bc66ff4c438548f26187eaaf6278f769b3ac1

C:\ProgramData\ts65.dat

MD5 1001197e33d3862607d1714b65fb8894
SHA1 199361cc0827a98d5250d7d863af09faa6179aca
SHA256 19bb2b46321fdca19ddaf68eac7aff0433305479b32965e6bdc26dd8bc0ea085
SHA512 61bca33f70291c08098ef6e588fe0b765f0a53057d414300f1667128a8102b5e47bbee733d0c67b032d8d8c2b2b62f75293dd3415f40a92571c9f89e1ad93daa
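
The Network table above mixes the connections that matter with sandbox background traffic (a PTR lookup for every IP it saw, queries to the 8.8.8.8 resolver, Bing traffic from the OS itself), and the Files list records the same path several times when a dropper overwrites what it first wrote. The Python below is an added example, not part of the report: it parses a constructed excerpt of both sections, separates hosts that were actually contacted from names that were only resolved, and flags paths written more than once with different content as well as files that ended up zero-byte (the nss3.dll digests above are those of empty input). The bing.com allowlist and the resolver address are assumptions about this sandbox's background traffic, not facts from the report.

```python
"""Extract IOCs from the flat Network and Files listings of the report.

Added example, not sandbox output. REPORT_EXCERPT is a constructed excerpt of
the two listings (SHA1/SHA512 lines dropped); the bing.com allowlist and the
8.8.8.8 resolver address are assumptions about the sandbox's background traffic.
"""
import hashlib
import re
from collections import defaultdict

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # digest of a zero-byte file
BENIGN_DOMAINS = ("bing.com",)                    # assumption: OS background traffic
RESOLVER = ("8.8.8.8", "53")                      # assumption: the sandbox's DNS resolver

REPORT_EXCERPT = r"""Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
DE 185.172.128.19:80 185.172.128.19 tcp

Files

memory/1768-1-0x00000000008A0000-0x00000000009A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

MD5 12fbfc01f4fece1f19ef2cb3558fbbc4
SHA256 9f86e56c119646141d6640ce905597ae6edf5420ac35fce33d0aca819a3164f7

C:\Users\Admin\AppData\Local\Temp\CAC4.exe

MD5 6ac48873f3053963255fd1c9bfa6fc52
SHA256 8b0ee35ed3d795c078ca345cf7007489bde9a9ef358318bfb39f8809707930da

C:\ProgramData\nss3.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

NET_ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<name>\S+) (?P<proto>tcp|udp)$")
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")          # drive or UNC path

def split_sections(text):
    """Map each 'Network' / 'Files' heading to the lines that follow it."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.strip() in ("Network", "Files"):
            current = line.strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line.rstrip())
    return sections

def _benign(name):
    return any(name == d or name.endswith("." + d) for d in BENIGN_DOMAINS)

def parse_network(lines):
    """Return (contacted, dns_only): real connections, and names resolved but never connected to."""
    contacted, queried = [], set()
    for line in lines:
        m = NET_ROW.match(line)
        if not m:
            continue                                   # header or blank line
        r = m.groupdict()
        if r["name"].endswith(".in-addr.arpa"):
            continue                                   # sandbox PTR lookups of IPs it already saw
        if (r["ip"], r["port"]) == RESOLVER:
            queried.add(r["name"])                     # a DNS query, not a connection to the name
            continue
        if _benign(r["name"]):
            continue
        r["direct_ip"] = r["name"] == r["ip"]          # hard-coded IP, no DNS name involved
        contacted.append(r)
    seen = {r["name"] for r in contacted}
    dns_only = sorted(n for n in queried if n not in seen and not _benign(n))
    return contacted, dns_only

def parse_files(lines):
    """Group hash records under their path, in the order the sandbox wrote them."""
    records, current = defaultdict(list), None
    for line in lines:
        if PATH_LINE.match(line):
            current = line
            records[current].append({})
        elif line.startswith("memory/"):
            current = None                             # memory dumps carry no hashes
        elif current is not None and (m := HASH_LINE.match(line)):
            records[current][-1][m.group(1)] = m.group(2)
    return {p: [rec.get("SHA256") for rec in recs] for p, recs in records.items()}

def assess_files(by_path):
    """Paths rewritten with different content, and paths that ended up zero-byte."""
    rewritten = {p: h for p, h in by_path.items() if len(set(h)) > 1}
    empty = sorted(p for p, h in by_path.items() if EMPTY_SHA256 in h)
    return rewritten, empty
```

On the excerpt, parse_network keeps two endpoints (selebration17io.io on 91.215.85.120:80 and the direct-to-IP connection to 185.172.128.19:80) and reports lighterepisodeheighte.fun as resolved-only; in the full table the other .fun/.pw/.shop names that never get a TCP row fall into that same bucket, which is the list to block even though the sample never reached them here. parse_files turns the two CAC4.exe records into one path with two SHA256 values, i.e. the file was overwritten after its first write, and assess_files returns nss3.dll as the one zero-byte file, so both of its hash entries are excluded from any indicator set. To run it on the whole report, pass the full page text instead of REPORT_EXCERPT.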