Analysis Overview
SHA256: cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
Threat Level: Known bad
The file 5212ecaf2c3880d92f371356d84105be.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
SmokeLoader
Glupteba
DcRat
Stealc
Glupteba payload
Creates new service(s)
Stops running service(s)
Modifies Windows Firewall
Downloads MZ/PE file
Reads user/profile data of web browsers
Deletes itself
Reads data files stored by FTP clients
Checks computer location settings
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Program crash
Enumerates physical storage devices
Checks processor information in registry
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-02-24 23:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-24 23:38
Reported: 2024-02-24 23:40
Platform: win7-20240221-en
Max time kernel: 127s
Max time network: 142s
Command Line
Signatures
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C89F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F53F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C89F.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2696 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\98E7.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe
"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"
C:\Users\Admin\AppData\Local\Temp\81CD.exe
C:\Users\Admin\AppData\Local\Temp\81CD.exe
C:\Users\Admin\AppData\Local\Temp\81CD.exe
C:\Users\Admin\AppData\Local\Temp\81CD.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8815.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\8815.dll
C:\Users\Admin\AppData\Local\Temp\98E7.exe
C:\Users\Admin\AppData\Local\Temp\98E7.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 124
C:\Users\Admin\AppData\Local\Temp\C89F.exe
C:\Users\Admin\AppData\Local\Temp\C89F.exe
C:\Users\Admin\AppData\Local\Temp\1691.exe
C:\Users\Admin\AppData\Local\Temp\1691.exe
C:\Users\Admin\AppData\Local\Temp\71FA.exe
C:\Users\Admin\AppData\Local\Temp\71FA.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {A0908533-2672-457E-A75B-CFB7876BF3FB} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\BA7F.exe
C:\Users\Admin\AppData\Local\Temp\BA7F.exe
C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp" /SL5="$60120,4323177,54272,C:\Users\Admin\AppData\Local\Temp\BA7F.exe"
C:\Users\Admin\AppData\Local\Temp\F53F.exe
C:\Users\Admin\AppData\Local\Temp\F53F.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Roaming\wvsdgbi
C:\Users\Admin\AppData\Roaming\wvsdgbi
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| BA | 109.175.29.39:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 104.21.29.103:80 | en.bestsup.su | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
Files
memory/2120-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp
memory/2120-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2120-3-0x0000000000400000-0x0000000002D3F000-memory.dmp
memory/1208-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp
memory/2120-5-0x0000000000400000-0x0000000002D3F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\81CD.exe
| MD5 | 147f5f5bbc80b2ad753993e15f3f32c2 |
| SHA1 | 16d73b4abeef12cf76414338901eb7bbef46775f |
| SHA256 | 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990 |
| SHA512 | 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6 |
memory/2696-17-0x0000000004990000-0x0000000004B48000-memory.dmp
memory/2696-18-0x0000000004990000-0x0000000004B48000-memory.dmp
memory/2732-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2696-21-0x0000000004B50000-0x0000000004D07000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\81CD.exe
| MD5 | b616caf2b54103fcf72e6151adac0d46 |
| SHA1 | 5d29d9ef0ff53427fa8ffbc4bd3f58c389ef3783 |
| SHA256 | 2f57d61873f49865c3bcaa2acf7049c810a24c308594def9f28278e59a644fb0 |
| SHA512 | f8b0971dbcfc8a5de2ccd1f0d5696bbd81c6c4044a1bc36c07f083085e47d8f13b41bf1da9617fce46e93f1560e43f6b62687ca49a2380780f5ad2dbbe5f68c7 |
\Users\Admin\AppData\Local\Temp\81CD.exe
| MD5 | ec107905993c0e3ea3796938a7703089 |
| SHA1 | 4a8808f5bb1417798986fe5c6ceee88054fe3e7c |
| SHA256 | 88ea05c6230cc8c381064df526862873b066a8103c60b901c74a07354fe9e17d |
| SHA512 | c9773f0045f684e98c6d44140c4865cb0508b4748913157e0a1ce4dfed491cd214ef73717fa7e458f8aeb8ce5b365ab9deac88ca4ad1517ef95b616b1f80b030 |
memory/2732-28-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2732-29-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2732-32-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2732-31-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2732-25-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8815.dll
| MD5 | b66379323022a073f1f7cdefed747401 |
| SHA1 | 14cfd615676b85960154df8273ca841f4a0e268b |
| SHA256 | 19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db |
| SHA512 | 94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b |
\Users\Admin\AppData\Local\Temp\8815.dll
| MD5 | c931486255b9c380f896c33d143ef6b1 |
| SHA1 | 9be428ebd706d03688beea3149f3558d0df2c206 |
| SHA256 | 48bb51efe6e7a7f4aa37e3563a9095d5ccac4535152604314dcfb91b487d4c6d |
| SHA512 | 9cff9c19d17406d826beffc5c7111f8aa84594da7a42f372f8e73ca137445aa52be3aa751c91bad810c12ad7dcb559932b34656848c4be67eb764fa1c6809ae3 |
memory/2732-33-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2472-36-0x0000000000140000-0x0000000000146000-memory.dmp
memory/2472-35-0x0000000010000000-0x000000001020C000-memory.dmp
\Users\Admin\AppData\Local\Temp\8815.dll
| MD5 | 02c83601301167faeb74495444d6590e |
| SHA1 | 7fb880beff3b8fb64f37d42decc74b04ce0b9e84 |
| SHA256 | 91d39b36e4fb9afd9170ffa1d6d67ab5061fc4ef4ab6487e8dadc14e8832ad76 |
| SHA512 | ee1912737514199238210a0d5d34fe005aa3cd12bc97851aa09c6da21a9acb84bbe19b5e90bb935ade2856e74be910259c20dc279d8190c9760107108a0a2753 |
memory/2732-40-0x0000000000280000-0x0000000000286000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\98E7.exe
| MD5 | e06282697d839fc8dcc478cb22cfeb5b |
| SHA1 | 7d3f2ca8affc4d3140e4f1db85d08a89cea944c3 |
| SHA256 | 375e852ed9c6e2b246d823b07cfebf845481a52dbe1d088ebdd9ada3756aa0ee |
| SHA512 | d11ebe71e0dde27a1cf6629a3aaa1fc0557ffa03a7132373bcb1846b44401a0d763225a72ed4c666a019a87836fbc5c2c34b7d965728a5b99060cf25555ed1ad |
C:\Users\Admin\AppData\Local\Temp\98E7.exe
| MD5 | c7b647893b52c1b36181304002961423 |
| SHA1 | e43d7d3c3223134e57144ef90382f1c78217f6f1 |
| SHA256 | 6a84875c462e57fb65f7f34085d63b5a1eab2727d8d054f3729ce9aa018d7adc |
| SHA512 | 23bfe8eca534a96449d6f7608ae400f32a91ed9a007810d3f7c3c52cdd2ed3a383dae034e1b072e3754cc35cc3e4e2af1c719adf08056a1da6d0ea96d7c1a0e3 |
memory/2468-47-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2468-50-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2468-49-0x0000000000D00000-0x00000000015AF000-memory.dmp
memory/2468-52-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2468-55-0x00000000775A0000-0x00000000775A1000-memory.dmp
memory/2468-58-0x0000000000140000-0x0000000000141000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C89F.exe
| MD5 | df2076b7ede154d455fdd1035115de54 |
| SHA1 | 62df9325ff2fce5e5a2cf121e84065221a513d77 |
| SHA256 | 0730675048e9e0a97e9ad20f73712d7e3ba6ed114a7cdfbf8b50075656c4395c |
| SHA512 | 5f55d313b2451f14f101d7383e03cdc3a9b36a9f6487a7c164def8018b76983e6fe74288f4457a2f4273d117f1a10a886409f713173bb1f791e86205caf80430 |
memory/2884-67-0x0000000002F60000-0x0000000003060000-memory.dmp
memory/2884-68-0x0000000000220000-0x000000000028B000-memory.dmp
memory/2884-71-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2732-69-0x0000000002A90000-0x0000000002BCC000-memory.dmp
memory/2884-75-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2732-73-0x0000000002BD0000-0x0000000002CEB000-memory.dmp
memory/2732-72-0x0000000010000000-0x000000001020C000-memory.dmp
memory/2732-77-0x0000000002BD0000-0x0000000002CEB000-memory.dmp
memory/2472-78-0x0000000000BE0000-0x0000000000D1C000-memory.dmp
memory/2472-79-0x0000000002770000-0x000000000288B000-memory.dmp
memory/2472-82-0x0000000002770000-0x000000000288B000-memory.dmp
\Users\Admin\AppData\Local\Temp\98E7.exe
| MD5 | f9bb28763560357668845c53eeb31a3f |
| SHA1 | 54f4d6b3196c1578049999be4ff714d8f9f5bb0c |
| SHA256 | 2e0238b7a233ca044c5a1fd2732d80a63b9277a3fdf668095a6ee9cfa02706b7 |
| SHA512 | a6830bdc2468a28fdb57fc07e9085ba2cb673b4c8b148391a228155f7a31ade151bc6f872e162111c8254a11ce35f2cc9ec3d670e9e81c6ae1769a80117e54e7 |
\Users\Admin\AppData\Local\Temp\98E7.exe
| MD5 | a61f7b2d959ae679f200b29d0c01a66b |
| SHA1 | a41b1fae529bc2eae5534c2b5fe127ab9bc7bc59 |
| SHA256 | 3e24125978e4544fb1dc8bfb49fa4d1cce7c5a19519b356c999b43a63ebad59e |
| SHA512 | b971bddbe88379a5085634ce305ba3de7958125417ddc569af68b6ad06b240bf448555ce20f18b77af886d81fe1a999833d04f6fd30e7071a8349cb2424c4d98 |
memory/1532-90-0x0000000000D70000-0x0000000001626000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1691.exe
| MD5 | fd244ee8b33bd29d464da59a42e004be |
| SHA1 | 4e8af53e7d4f4c7dfe760309da320a4525528e0f |
| SHA256 | 251dfaa20ff2ce38a7a0b74255bd585b7a09ee2164ac20da6da84ad0463a78a5 |
| SHA512 | 79333e02b2adba42eb6bdcbd495334991400e52d5b9cebb35b1c71eefc4704eea69aea8c71f508079c976af6888d9fb1041c13f78c37d7928cbcd6d464678a59 |
memory/2884-94-0x0000000000400000-0x0000000002D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\71FA.exe
| MD5 | 3893d9674f9791363d8f92edae4427a7 |
| SHA1 | 93603d9de7c259c8437f320f032ba171be67e200 |
| SHA256 | ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce |
| SHA512 | 9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6 |
C:\Users\Admin\AppData\Local\Temp\71FA.exe
| MD5 | 3fa5e88a9e8bd660c006932ec3845228 |
| SHA1 | 80a085e19a9587ac268e8dc6cfd1621b50155279 |
| SHA256 | 8848be5d2e2df5d044fdf6b6bd8e79e5c5176a27b97c18707194e768731f658d |
| SHA512 | 108d4d9e03747d05ba46307b2b6bb64ca0f7e8afca6c913b6f87da5c05749821ed5a15c21eb5c3068201b923b7f24114c856a0eb475d03c9e4708c3820e09a3b |
memory/1208-107-0x0000000002DA0000-0x0000000002DB6000-memory.dmp
memory/1380-108-0x0000000000400000-0x0000000002D3E000-memory.dmp
memory/1380-110-0x0000000002E32000-0x0000000002E48000-memory.dmp
memory/1380-111-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1704-117-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA7F.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\BA7F.exe
| MD5 | e48b303a406230ddb31007a3ea0d27a2 |
| SHA1 | 8df366aa720491a63af411e0e0a26645773b55f1 |
| SHA256 | c7433bf662afa8fd5fe8bf7ba195be675663556d71709ed7bcab124393adb30b |
| SHA512 | bd9d5b526a27aa6d3f24884f280edb550665fc29be4585b499cf649c41c1f6d382f6438c8a817341c48936d8964fac2d9d55e2702e25b6ccafc46b3a5c9b715c |
C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
| MD5 | 17a8697f12a3c6196f9af529950bda6a |
| SHA1 | 95ffe3ac2e052da21827e107ce49d5a09b9f7b34 |
| SHA256 | c28497147101366a323a5c0040823d9fdd7905b7d190bc645d31b6e2b3d741c5 |
| SHA512 | 0befe7903b827a78eb7297d560db27c6cad0324203e8a29fc91cd1cb7ead2f903ccb00caa21a8c28abf820f21334f9f56cb439bcb9dc247c08cea6119a3d1b74 |
\Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-82H22.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\AppData\Local\Temp\F53F.exe
| MD5 | a31328e6b465a963c2b205c482aedf25 |
| SHA1 | d1013c617f538e22c9013169fee642e98d830700 |
| SHA256 | c8fc9768f9045b6cab7a18ef570d328362dfba04b31dec4c75b169d992215ff6 |
| SHA512 | a522fb6091d0bd1b61f9006903b6e355c9a11afbf3d6dfe10c0b417cc17974c9b88fd20b024d60c771a6829597190a4ea519ef8d5afbc5654b10f2fc673029a5 |
memory/1164-160-0x0000000000400000-0x0000000002D8C000-memory.dmp
\Users\Admin\AppData\Local\Temp\98E7.exe
| MD5 | 792d533d0d2b84ccc8f2d789e7ca689a |
| SHA1 | 3544294922fd322470e28223d761d52b8e354684 |
| SHA256 | 64745a7b5f17c59ac594897efacbac9c5a70a2d7bdcf280c952a27a83a2590c2 |
| SHA512 | 4429675ccc21a8c6d6c5065f96115a39e6f94c37ba922bf445af577b5965e80e1bfc4d9fbd0e111dd7977a694315168afd1eb9b272a61c204adb5090b3df7f0c |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 33173a5f01c70ff647485f5427453242 |
| SHA1 | 5a8b4455ed301b4c0d9870625d7b642ad843902e |
| SHA256 | 415ae01e28996f7ac8c5178d401e04aaf324527ebd8ac050a7c0ad4632df8b18 |
| SHA512 | 0a236b0ec3162ab9fa51fda9672b69cc9d6762d06bd04d2fc6ab261b2341ed854c5896ae4bd2108ad019211330e5437c0a2afd6b10093346d667cef47932cafc |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | dee6f72532b423c83b1483ef216a83d3 |
| SHA1 | 06a812a3c174067dcf15447be310608fe0235a0b |
| SHA256 | e02a6c5a59aa4d07173f6fc254dabff117e1519a5d49fe1428d854ab5be007a0 |
| SHA512 | 7a41ce71088edff82af7963381c84871e72ee1bc6fb1889d79015103baa040a31f4433ff52604af45fd6787401ddd9e0d222b015d8b0a22640ec3e3a61580974 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 7c277165dcead3616b33d9432afcb485 |
| SHA1 | b725f0009bb07f8c3f434adc10ccc8d78967ea62 |
| SHA256 | a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30 |
| SHA512 | 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105 |
memory/1164-172-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/360-171-0x0000000002660000-0x0000000002A58000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d3c015d761ac4697c31779ebd67685fe |
| SHA1 | 6eda243187265592a404feca52bf612ddc66e396 |
| SHA256 | 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea |
| SHA512 | 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab |
memory/1164-173-0x0000000002F22000-0x0000000002F83000-memory.dmp
memory/1164-174-0x0000000000220000-0x000000000028B000-memory.dmp
C:\Users\Admin\AppData\Roaming\wvsdgbi
| MD5 | 2d5fd1a161ead4bbc4d3d9a4d24088ac |
| SHA1 | f103187c99590f719834d61edb68a971ee846f70 |
| SHA256 | 7e6065957202b3839e1b85e1efa258b80575df942a66e0f6d18ee3a74981416e |
| SHA512 | 770cb619ef55e0f52060a63a2eb7f58c0901a41a07bfed2a27dc6a0e3f4775f3d6b28617e0f87b16dedf4e47512bb4b40016bb73566315c8a938283f0bb2025a |
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28158c533348f213e23e5bdac3b09369 |
| SHA1 | ce453cdc9510ea68131ba32f86430e98920ab21c |
| SHA256 | c46f3259eabc8a4e47b562d0bbfaabf0599a2cefb6483020b3cb4b0ba37a61b4 |
| SHA512 | 974e4feeb50ce21ffe784e65df6e2e816fcdfdfc484d3f1a044d58184246b2b247f87c4cee245dc0e20df7a49a3fa0dae73838ddc28922db90e21a4358015eba |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-24 23:38
Reported: 2024-02-24 23:40
Platform: win10v2004-20240221-en
Max time kernel: 82s
Max time network: 158s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Stealc
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D323.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C3EF.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Windows\windefender.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2336 set thread context of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | C:\Users\Admin\AppData\Local\Temp\AC2E.exe |
| PID 668 set thread context of 3900 | N/A | C:\Windows\windefender.exe | C:\Windows\system32\conhost.exe |
| PID 668 set thread context of 4396 | N/A | C:\Windows\windefender.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\E507.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe
"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"
C:\Users\Admin\AppData\Local\Temp\AC2E.exe
C:\Users\Admin\AppData\Local\Temp\AC2E.exe
C:\Users\Admin\AppData\Local\Temp\AC2E.exe
C:\Users\Admin\AppData\Local\Temp\AC2E.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B269.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\B269.dll
C:\Users\Admin\AppData\Local\Temp\BEBE.exe
C:\Users\Admin\AppData\Local\Temp\BEBE.exe
C:\Users\Admin\AppData\Local\Temp\C3EF.exe
C:\Users\Admin\AppData\Local\Temp\C3EF.exe
C:\Users\Admin\AppData\Local\Temp\D323.exe
C:\Users\Admin\AppData\Local\Temp\D323.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\E11E.exe
C:\Users\Admin\AppData\Local\Temp\E11E.exe
C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp" /SL5="$D01D6,4323177,54272,C:\Users\Admin\AppData\Local\Temp\E11E.exe"
C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
"C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -i
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
"C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -s
C:\Users\Admin\AppData\Local\Temp\E507.exe
C:\Users\Admin\AppData\Local\Temp\E507.exe
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 544
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2460 -ip 2460
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1980
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1868 -ip 1868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 604
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Roaming\hvhiscv
C:\Users\Admin\AppData\Roaming\hvhiscv
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
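The command lines in the Processes list above carry most of this sample's persistence and defense-evasion story in plain text: a Defender exclusion over the whole user profile and ProgramData, a new auto-start service, the EventLog service stopped, the Malicious Software Removal Tool (KB890830) uninstalled, a firewall allow rule and an ONLOGON task for a csrss.exe that lives outside System32, and an `sc sdset` that rewrites the security descriptor of the "WinDefender" service. The script below is an added example, not part of the sandbox report or of any vendor tooling: it runs a small set of editor-written triage rules over those command lines (copied verbatim from the list into SAMPLE_CMDLINES) and parses the SDDL string to show which principals the descriptor explicitly denies SERVICE_STOP / SERVICE_PAUSE_CONTINUE. The rule labels are the editor's; the two-letter rights abbreviations are the service-object meanings documented for `sc sdset`.

```python
"""Triage sandbox-reported command lines for persistence and defense-evasion
indicators, including the service security descriptor set with `sc sdset`.
Added example: not part of the sandbox report; rule labels and the
SERVICE_RIGHTS mapping are the editor's (abbreviations per the sc sdset docs)."""
import re

# Constructed sample: command lines copied verbatim from the report's Processes list.
SAMPLE_CMDLINES = [
    'schtasks /create /tn "MalayamaraUpdate" /tr "\'C:\\Users\\Admin\\AppData\\Local\\Temp\\Updater.exe\'" /sc minute /mo 30 /F',
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    'C:\\Windows\\system32\\sc.exe create "UTIXDCVF" binpath= "C:\\ProgramData\\xcfonrchdkar\\vueqjgslwynd.exe" start= "auto"',
    "C:\\Windows\\system32\\sc.exe stop eventlog",
    "wusa /uninstall /kb:890830 /quiet /norestart",
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "chcp 1251",  # benign control line: must produce no finding
]

# Service-object meaning of the SDDL rights abbreviations (sc sdset documentation).
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# One ACE: (type;flags;rights;object_guid;inherit_guid;sid)
ACE_RE = re.compile(r"\((\w*);(\w*);(\w*);(\w*);(\w*);([\w-]+)\)")


def parse_dacl(sddl):
    """Return the DACL ACEs of an SDDL string as (type, [rights], sid) tuples."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # drop the SACL part
    aces = []
    for ace_type, _flags, rights, _obj, _inh, sid in ACE_RE.findall(dacl):
        tokens = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        aces.append((ace_type, [SERVICE_RIGHTS.get(t, t) for t in tokens], sid))
    return aces


def stop_denied_to(sddl):
    """SIDs / aliases (e.g. BA = Builtin Administrators) explicitly denied STOP or PAUSE_CONTINUE."""
    return sorted({sid for ace_type, rights, sid in parse_dacl(sddl)
                   if ace_type == "D" and {"STOP", "PAUSE_CONTINUE"} & set(rights)})


# Editor-written triage rules: (regex, finding template filled from regex groups).
RULES = [
    (re.compile(r'(?i)\bschtasks(?:\.exe)?\b.*?/create\b.*?/tn\s+"?([^"\s]+)'),
     "persistence: scheduled task {0}"),
    (re.compile(r"(?i)Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)"),
     "defense evasion: Defender exclusion added"),
    (re.compile(r'(?i)\bsc(?:\.exe)?\s+create\s+"?([^"\s]+)"?.*?binpath=\s*"?([^"]+?)"?\s+start'),
     "persistence: service {0} -> {1}"),
    (re.compile(r'(?i)\bsc(?:\.exe)?\s+stop\s+"?eventlog\b'),
     "defense evasion: EventLog service stopped"),
    (re.compile(r"(?i)\bwusa(?:\.exe)?\b.*?/uninstall.*?/kb:890830\b"),
     "defense evasion: Malicious Software Removal Tool (KB890830) uninstalled"),
    (re.compile(r'(?i)\bnetsh\b.*?advfirewall firewall add rule.*?action=allow.*?program="?([^"\s]+)'),
     "defense evasion: firewall allow rule for {0}"),
    # The real csrss.exe lives in System32; any other location is masquerading.
    (re.compile(r"(?i)([a-z]:\\(?!windows\\(?:system32|syswow64)\\)[^\s\"']*csrss\.exe)"),
     "masquerading: csrss.exe outside System32 at {0}"),
]
SDSET_RE = re.compile(r"(?i)\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)")


def triage(cmdline):
    """Return the findings for one command line (empty list = nothing notable)."""
    findings = []
    for rx, template in RULES:
        m = rx.search(cmdline)
        if m:
            findings.append(template.format(*m.groups()))
    m = SDSET_RE.search(cmdline)
    if m:
        service, sddl = m.groups()
        denied = stop_denied_to(sddl)
        if denied:
            findings.append(f"defense evasion: service {service} ACL denies stop/pause to {','.join(denied)}")
    return findings


def triage_all(cmdlines):
    """Map every command line that produced at least one finding to its findings."""
    hits = {}
    for cmd in cmdlines:
        findings = triage(cmd)
        if findings:
            hits[cmd] = findings
    return hits


if __name__ == "__main__":
    for cmd, findings in triage_all(SAMPLE_CMDLINES).items():
        print(cmd[:70])
        for finding in findings:
            print("    ", finding)
```

Two caveats fall straight out of the parsed descriptor. The deny ACE `(D;;WPDT;;;BA)` blocks `sc stop` / `net stop` for members of Administrators, but the allow ACE for BA still carries WD (WRITE_DAC), so an administrator can reset the descriptor with another `sc sdset` before stopping the service; and the SY ACE keeps WP, so anything running as SYSTEM can stop it directly. Regex triage of this kind is also only as good as the logging that feeds it: the same actions done through the Task Scheduler and Service Control Manager COM APIs (which this sample also uses, per the signatures above) leave no schtasks.exe or sc.exe command line to match.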
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 175.119.10.231:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 8.8.8.8:53 | en.bestsup.su | udp |
| US | 172.67.171.112:80 | en.bestsup.su | tcp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 231.10.119.175.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| FR | 176.31.116.155:8443 | N/A | tcp |
| FR | 91.121.181.6:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 75.176.45.87:9001 | N/A | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| JP | 163.44.174.129:80 | N/A | tcp |
| US | 154.35.175.225:443 | N/A | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| NL | 185.227.82.7:443 | N/A | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| DE | 51.195.43.17:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 17.43.195.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| N/A | 127.0.0.1:54271 | N/A | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| CA | 198.245.61.196:443 | N/A | tcp |
| US | 128.31.0.39:9101 | N/A | tcp |
| US | 8.8.8.8:53 | 2e606f98-a33f-4887-951a-cba760356e8f.uuid.statsexplorer.org | udp |
| GB | 185.65.205.10:443 | N/A | tcp |
| US | 8.8.8.8:53 | 10.205.65.185.in-addr.arpa | udp |
| SG | 209.58.180.90:443 | N/A | tcp |
| US | 8.8.8.8:53 | 90.180.58.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| DE | 157.90.183.103:9001 | N/A | tcp |
| DE | 212.132.78.65:9111 | N/A | tcp |
| US | 8.8.8.8:53 | 65.78.132.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.183.90.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server1.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server1.statsexplorer.org | tcp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 172.67.221.71:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.221.67.172.in-addr.arpa | udp |
| DE | 157.90.183.103:9001 | N/A | tcp |
| DE | 212.132.78.65:9111 | N/A | tcp |
| US | 8.8.8.8:53 | testmoz.com | udp |
| US | 8.8.8.8:53 | connect.garena.com | udp |
| US | 8.8.8.8:53 | testmoz.com | udp |
| US | 8.8.8.8:53 | connect.garena.com | udp |
| US | 8.8.8.8:53 | elements.envato.com | udp |
| US | 8.8.8.8:53 | elements.envato.com | udp |
| US | 8.8.8.8:53 | areaprivata.sisal.it | udp |
| SG | 202.81.112.199:22 | connect.garena.com | tcp |
| US | 8.8.8.8:53 | areaprivata.sisal.it | udp |
| US | 8.8.8.8:53 | trakteer.id | udp |
| CA | 198.100.157.237:22 | testmoz.com | tcp |
| CA | 198.100.157.237:21 | testmoz.com | tcp |
| CA | 198.100.157.237:443 | testmoz.com | tcp |
| SG | 202.81.112.199:21 | connect.garena.com | tcp |
| US | 8.8.8.8:53 | trakteer.id | udp |
| US | 8.8.8.8:53 | eagle-research.com | udp |
| SG | 202.81.112.199:443 | connect.garena.com | tcp |
| US | 104.18.34.126:22 | elements.envato.com | tcp |
| US | 104.18.34.126:21 | elements.envato.com | tcp |
| GB | 173.222.8.199:22 | areaprivata.sisal.it | tcp |
| GB | 173.222.8.199:21 | areaprivata.sisal.it | tcp |
| US | 8.8.8.8:53 | eagle-research.com | udp |
| US | 8.8.8.8:53 | in1-smtp.messagingengine.com | udp |
| US | 104.18.34.126:443 | elements.envato.com | tcp |
| US | 8.8.8.8:53 | jupiter.ch.uj.edu.pl | udp |
| US | 8.8.8.8:53 | jupiter.ch.uj.edu.pl | udp |
| SG | 202.81.112.199:143 | connect.garena.com | tcp |
| GB | 173.222.8.199:443 | areaprivata.sisal.it | tcp |
| US | 104.26.4.203:22 | trakteer.id | tcp |
| US | 104.26.4.203:21 | trakteer.id | tcp |
| US | 8.8.8.8:53 | shopee.co.id | udp |
| US | 8.8.8.8:53 | 237.157.100.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mxa.mailgun.org | udp |
| US | 8.8.8.8:53 | megadev.info | udp |
| US | 8.8.8.8:53 | shopee.co.id | udp |
| US | 192.124.249.32:22 | eagle-research.com | tcp |
Files