Malware Analysis Report

2024-11-15 06:15

Sample ID 240224-3mt5fahe9z
Target 5212ecaf2c3880d92f371356d84105be.exe
SHA256 cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
Tags
smokeloader pub1 backdoor bootkit persistence trojan upx dcrat glupteba lumma stealc discovery dropper evasion infostealer loader rat spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84

Threat Level: Known bad

The file 5212ecaf2c3880d92f371356d84105be.exe was found to be: Known bad.

Malicious Activity Summary

Lumma Stealer

SmokeLoader

Glupteba

DcRat

Stealc

Glupteba payload

Creates new service(s)

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Reads user/profile data of web browsers

Deletes itself

Reads data files stored by FTP clients

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Program crash

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-24 23:38

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-24 23:38

Reported

2024-02-24 23:40

Platform

win7-20240221-en

Max time kernel

127s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Deletes itself

UPX packed file

upx

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C89F.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2696 set thread context of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\98E7.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1208 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 1208 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 1208 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 1208 wrote to memory of 2696 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 2696 wrote to memory of 2732 | N/A | C:\Users\Admin\AppData\Local\Temp\81CD.exe | C:\Users\Admin\AppData\Local\Temp\81CD.exe
PID 1208 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 1208 wrote to memory of 2484 | N/A | N/A | C:\Windows\system32\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 2484 wrote to memory of 2472 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 1208 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe
PID 1208 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe
PID 1208 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe
PID 1208 wrote to memory of 2468 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe
PID 1208 wrote to memory of 2884 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C89F.exe
PID 1208 wrote to memory of 2884 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C89F.exe
PID 1208 wrote to memory of 2884 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C89F.exe
PID 1208 wrote to memory of 2884 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C89F.exe
PID 2468 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe | C:\Windows\SysWOW64\WerFault.exe
PID 2468 wrote to memory of 2436 | N/A | C:\Users\Admin\AppData\Local\Temp\98E7.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1208 wrote to memory of 1532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe
PID 1208 wrote to memory of 1532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe
PID 1208 wrote to memory of 1532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe
PID 1208 wrote to memory of 1532 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe
PID 1208 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe
PID 1208 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe
PID 1208 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe
PID 1208 wrote to memory of 1380 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\71FA.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1208 wrote to memory of 1704 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1704 wrote to memory of 1960 | N/A | C:\Users\Admin\AppData\Local\Temp\BA7F.exe | C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp
PID 1208 wrote to memory of 1164 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F53F.exe
PID 1208 wrote to memory of 1164 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F53F.exe
PID 1208 wrote to memory of 1164 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F53F.exe
PID 1208 wrote to memory of 1164 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F53F.exe
PID 1532 wrote to memory of 360 | N/A | C:\Users\Admin\AppData\Local\Temp\1691.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe

"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"

C:\Users\Admin\AppData\Local\Temp\81CD.exe

C:\Users\Admin\AppData\Local\Temp\81CD.exe

C:\Users\Admin\AppData\Local\Temp\81CD.exe

C:\Users\Admin\AppData\Local\Temp\81CD.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8815.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8815.dll

C:\Users\Admin\AppData\Local\Temp\98E7.exe

C:\Users\Admin\AppData\Local\Temp\98E7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 124

C:\Users\Admin\AppData\Local\Temp\C89F.exe

C:\Users\Admin\AppData\Local\Temp\C89F.exe

C:\Users\Admin\AppData\Local\Temp\1691.exe

C:\Users\Admin\AppData\Local\Temp\1691.exe

C:\Users\Admin\AppData\Local\Temp\71FA.exe

C:\Users\Admin\AppData\Local\Temp\71FA.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {A0908533-2672-457E-A75B-CFB7876BF3FB} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\BA7F.exe

C:\Users\Admin\AppData\Local\Temp\BA7F.exe

C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HH0RC.tmp\BA7F.tmp" /SL5="$60120,4323177,54272,C:\Users\Admin\AppData\Local\Temp\BA7F.exe"

C:\Users\Admin\AppData\Local\Temp\F53F.exe

C:\Users\Admin\AppData\Local\Temp\F53F.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Roaming\wvsdgbi

C:\Users\Admin\AppData\Roaming\wvsdgbi

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | selebration17io.io | udp
RU | 91.215.85.120:80 | selebration17io.io | tcp
DE | 185.172.128.19:80 | 185.172.128.19 | tcp
US | 8.8.8.8:53 | trmpc.com | udp
BA | 109.175.29.39:80 | trmpc.com | tcp
US | 8.8.8.8:53 | en.bestsup.su | udp
US | 104.21.29.103:80 | en.bestsup.su | tcp
US | 8.8.8.8:53 | kamsmad.com | udp
KR | 211.168.53.110:80 | kamsmad.com | tcp
KR | 211.168.53.110:80 | kamsmad.com | tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-24 23:38

Reported

2024-02-24 23:40

Platform

win10v2004-20240221-en

Max time kernel

82s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Glupteba

loader dropper glupteba

Glupteba payload


Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\D323.exe | N/A

Deletes itself


Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C3EF.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\MRT.exe | C:\Windows\windefender.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2336 set thread context of 3724 | N/A | C:\Users\Admin\AppData\Local\Temp\AC2E.exe | C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 668 set thread context of 3900 | N/A | C:\Windows\windefender.exe | C:\Windows\system32\conhost.exe
PID 668 set thread context of 4396 | N/A | C:\Windows\windefender.exe | C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe | N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-151 = "Central America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2592 = "Tocantins Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe N/A
(62 further entries in this table have every field recorded as N/A)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3372 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 3372 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 3372 wrote to memory of 2336 N/A N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 2336 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\AC2E.exe C:\Users\Admin\AppData\Local\Temp\AC2E.exe
PID 3372 wrote to memory of 1176 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3372 wrote to memory of 1176 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1176 wrote to memory of 2880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1176 wrote to memory of 2880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1176 wrote to memory of 2880 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3372 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEBE.exe
PID 3372 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEBE.exe
PID 3372 wrote to memory of 2800 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEBE.exe
PID 3372 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3EF.exe
PID 3372 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3EF.exe
PID 3372 wrote to memory of 2864 N/A N/A C:\Users\Admin\AppData\Local\Temp\C3EF.exe
PID 3372 wrote to memory of 3336 N/A N/A C:\Users\Admin\AppData\Local\Temp\D323.exe
PID 3372 wrote to memory of 3336 N/A N/A C:\Users\Admin\AppData\Local\Temp\D323.exe
PID 3372 wrote to memory of 3336 N/A N/A C:\Users\Admin\AppData\Local\Temp\D323.exe
PID 3336 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3336 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3336 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3372 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe
PID 3372 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe
PID 3372 wrote to memory of 1596 N/A N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe
PID 3336 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3336 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3336 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3336 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3336 wrote to memory of 3984 N/A C:\Users\Admin\AppData\Local\Temp\D323.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3372 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 3372 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 3372 wrote to memory of 4288 N/A N/A C:\Users\Admin\AppData\Local\Temp\E507.exe
PID 1596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp
PID 1596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp
PID 1596 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\E11E.exe C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp
PID 1952 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 1952 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 1952 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 3972 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3972 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3972 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1952 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 1952 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 1952 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe
PID 3972 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
PID 3972 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
PID 3972 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp
PID 3440 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3440 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4500 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4500 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4500 wrote to memory of 3364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4500 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4500 wrote to memory of 4144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4856 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence
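
The signature tables above record that sc.exe, schtasks.exe, netsh.exe and powershell.exe were launched, but the arguments that make those launches malicious only appear in the Processes list that follows. The script below is an added example written for this write-up; it is not part of the report or of the sandbox's own signature engine. It runs a small rule set over the command lines copied from this report's Processes list (duplicates collapsed, with three benign lines added as controls) and maps each hit to the ATT&CK technique it implements. The rules and the technique mappings are the editor's own choices.

```python
"""Map the command lines recorded for this sample to ATT&CK techniques.

Added example for this write-up, not part of the sandbox output. The command
lines are copied from the report's Processes list; the rules are the editor's."""
import re

# Copied from the Processes list (duplicates collapsed). The last three lines
# are benign controls that must not produce a finding.
SAMPLE_CMDLINES = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B269.dll",
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Windows\rss\csrss.exe",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
    r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r"powershell -nologo -noprofile",
    r"chcp 1251",
    r"explorer.exe",
]

# (pattern, human label, ATT&CK technique). KB890830 is the Malicious Software
# Removal Tool, so uninstalling it is tool tampering, not patch management.
RULES = [
    (r"Add-MpPreference\s.*-Exclusion(Path|Extension|Process)", "Defender exclusion added", "T1562.001"),
    (r"wusa\s+/uninstall\s+/kb:890830", "Malicious Software Removal Tool (KB890830) uninstalled", "T1562.001"),
    (r"\bsc(\.exe)?\s+stop\s+eventlog\b", "Windows Event Log service stopped", "T1562.002"),
    (r"\bsc(\.exe)?\s+sdset\s+\S+\s+D:.*\(D;;[^;]*WP", "service DACL denies SERVICE_STOP", "T1562"),
    (r"netsh\s+advfirewall\s+firewall\s+add\s+rule\s.*action=allow", "inbound firewall allow rule added", "T1562.004"),
    (r'\bsc(\.exe)?\s+create\s+.*binpath=\s*"?C:\\ProgramData', "service created from ProgramData", "T1543.003"),
    (r"schtasks\s+/create\s.*(/sc\s+onlogon|/rl\s+highest)", "logon task with highest run level", "T1053.005"),
    (r"schtasks\s+/create\s.*/sc\s+minute", "recurring minute-interval task", "T1053.005"),
    (r"regsvr32(\.exe)?\s+/s\s+.*\\Temp\\", "regsvr32 loading a DLL from Temp", "T1218.010"),
    (r"NtQuerySystemInformationHook\.dll", "Task Manager process-hiding hook injected", "T1055.001"),
    (r"C:\\Windows\\rss\\csrss\.exe", "csrss.exe outside System32 (masquerading)", "T1036.005"),
]
COMPILED = [(re.compile(p, re.IGNORECASE), label, tid) for p, label, tid in RULES]


def triage(cmdlines):
    """Return one finding per (command line, matching rule) pair."""
    findings = []
    for cmd in cmdlines:
        for pattern, label, technique in COMPILED:
            if pattern.search(cmd):
                findings.append({"cmd": cmd, "label": label, "technique": technique})
    return findings


def summarize(findings):
    """Group finding labels by ATT&CK technique id."""
    by_technique = {}
    for f in findings:
        by_technique.setdefault(f["technique"], []).append(f["label"])
    return by_technique


if __name__ == "__main__":
    for technique, labels in sorted(summarize(triage(SAMPLE_CMDLINES)).items()):
        print(f"{technique}: {len(labels)} hit(s): {'; '.join(labels)}")
```

Several lines produce more than one finding (the logon task both persists and points at a csrss.exe outside System32), which is the intended behaviour: each rule is a separate detection, and the summary counts them per technique. The patterns are written against the exact argument forms seen here; a production rule would also cover the `sc config`, `Set-MpPreference` and `schtasks /change` variants.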

Processes

C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe

"C:\Users\Admin\AppData\Local\Temp\5212ecaf2c3880d92f371356d84105be.exe"

C:\Users\Admin\AppData\Local\Temp\AC2E.exe

C:\Users\Admin\AppData\Local\Temp\AC2E.exe

C:\Users\Admin\AppData\Local\Temp\AC2E.exe

C:\Users\Admin\AppData\Local\Temp\AC2E.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B269.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B269.dll

C:\Users\Admin\AppData\Local\Temp\BEBE.exe

C:\Users\Admin\AppData\Local\Temp\BEBE.exe

C:\Users\Admin\AppData\Local\Temp\C3EF.exe

C:\Users\Admin\AppData\Local\Temp\C3EF.exe

C:\Users\Admin\AppData\Local\Temp\D323.exe

C:\Users\Admin\AppData\Local\Temp\D323.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\E11E.exe

C:\Users\Admin\AppData\Local\Temp\E11E.exe

C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp" /SL5="$D01D6,4323177,54272,C:\Users\Admin\AppData\Local\Temp\E11E.exe"

C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe

"C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -i

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe

"C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe" -s

C:\Users\Admin\AppData\Local\Temp\E507.exe

C:\Users\Admin\AppData\Local\Temp\E507.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp

C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 544

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2460 -ip 2460

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 1980

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 604

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\hvhiscv

C:\Users\Admin\AppData\Roaming\hvhiscv

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
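Three of the command lines above are the sample's persistence and self-protection steps: a `netsh advfirewall` allow rule for `C:\Windows\rss\csrss.exe`, an ONLOGON scheduled task that runs it with `/RL HIGHEST`, and an `sc sdset WinDefender` call that rewrites the security descriptor of the service it created. The descriptor is the part worth decoding. The Python below is an added example for this report, not sandbox output: it parses that SDDL string (copied verbatim from the sc.exe command line) using the standard mapping of SDDL right strings onto service-object access rights, and `can()` applies deny-wins evaluation for a single trustee. `can()` ignores group membership, which is a simplification made for this illustration.

```python
"""Decode the service SDDL set by `sc sdset WinDefender ...` in the process list.

Added example for this report (not sandbox output). SAMPLE_SDDL is copied
verbatim from the sc.exe command line; SERVICE_RIGHTS is the standard mapping
of SDDL right strings onto access rights for service objects.
"""
import re

# SDDL right strings as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"FA": "FAILED_ACCESS_ACE_FLAG", "SA": "SUCCESSFUL_ACCESS_ACE_FLAG"}
WELL_KNOWN_SIDS = {
    "SY": "LOCAL SYSTEM", "BA": "BUILTIN\\Administrators", "IU": "INTERACTIVE",
    "SU": "SERVICE", "WD": "Everyone", "AU": "Authenticated Users",
}

SAMPLE_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)"
    "(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)


def parse_sddl(sddl):
    """Return {"dacl": [...], "sacl": [...]}, one dict per ACE.

    ACE layout is (type;flags;rights;object_guid;inherit_guid;sid). Rights are
    two-letter codes concatenated, or a single hex mask, which is kept as-is.
    """
    out = {"dacl": [], "sacl": []}
    for section, body in re.findall(r"([DS]):((?:\([^)]*\))*)", sddl):
        for ace in re.findall(r"\(([^)]*)\)", body):
            ace_type, flags, rights, _obj, _inh, sid = ace.split(";")
            if rights.startswith("0x"):
                names = [rights]
            else:
                names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                         for i in range(0, len(rights), 2)]
            out["dacl" if section == "D" else "sacl"].append({
                "type": ACE_TYPES.get(ace_type, ace_type),
                "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                          for i in range(0, len(flags), 2)],
                "rights": names,
                "trustee": WELL_KNOWN_SIDS.get(sid, sid),
            })
    return out


def can(parsed, trustee, right):
    """Deny-wins check of one right for one trustee, using only ACEs that name
    that trustee. Group membership is ignored (simplification for this example)."""
    aces = [a for a in parsed["dacl"] if a["trustee"] == trustee]
    if any(a["type"] == "DENY" and right in a["rights"] for a in aces):
        return False
    return any(a["type"] == "ALLOW" and right in a["rights"] for a in aces)


def describe(parsed):
    """One readable line per ACE, DACL first then SACL."""
    lines = []
    for name in ("dacl", "sacl"):
        for a in parsed[name]:
            lines.append(f"{name.upper()} {a['type']:<5} {a['trustee']}: "
                         + ", ".join(a["rights"]))
    return lines


if __name__ == "__main__":
    sd = parse_sddl(SAMPLE_SDDL)
    print("\n".join(describe(sd)))
    print("Administrators can stop:", can(sd, "BUILTIN\\Administrators", "SERVICE_STOP"))
```

The deny ACE `(D;;WPDT;;;BA)` covers only SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so `sc stop WinDefender` from an elevated prompt fails with access denied, which is the point of the change. Administrators keep WRITE_DAC and DELETE in the allow ACE before it, so the descriptor can be reset with `sc sdset` and the service removed with `sc delete`; only the SCM stop/pause path is blocked. The SACL entry audits failed access by Everyone and has no effect on what is allowed.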

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 trmpc.com udp
KR 175.119.10.231:80 trmpc.com tcp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 en.bestsup.su udp
US 172.67.171.112:80 en.bestsup.su tcp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 231.10.119.175.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
FR 176.31.116.155:8443 tcp
FR 91.121.181.6:9001 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 75.176.45.87:9001 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
JP 163.44.174.129:80 tcp
US 154.35.175.225:443 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
NL 185.227.82.7:443 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 17.43.195.51.in-addr.arpa udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
N/A 127.0.0.1:54271 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
CA 198.245.61.196:443 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 2e606f98-a33f-4887-951a-cba760356e8f.uuid.statsexplorer.org udp
GB 185.65.205.10:443 tcp
US 8.8.8.8:53 10.205.65.185.in-addr.arpa udp
SG 209.58.180.90:443 tcp
US 8.8.8.8:53 90.180.58.209.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
DE 157.90.183.103:9001 tcp
DE 212.132.78.65:9111 tcp
US 8.8.8.8:53 65.78.132.212.in-addr.arpa udp
US 8.8.8.8:53 103.183.90.157.in-addr.arpa udp
US 8.8.8.8:53 server1.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server1.statsexplorer.org tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 172.67.221.71:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 71.221.67.172.in-addr.arpa udp
DE 157.90.183.103:9001 tcp
DE 212.132.78.65:9111 tcp
US 8.8.8.8:53 testmoz.com udp
US 8.8.8.8:53 connect.garena.com udp
US 8.8.8.8:53 testmoz.com udp
US 8.8.8.8:53 connect.garena.com udp
US 8.8.8.8:53 elements.envato.com udp
US 8.8.8.8:53 elements.envato.com udp
US 8.8.8.8:53 areaprivata.sisal.it udp
SG 202.81.112.199:22 connect.garena.com tcp
US 8.8.8.8:53 areaprivata.sisal.it udp
US 8.8.8.8:53 trakteer.id udp
CA 198.100.157.237:22 testmoz.com tcp
CA 198.100.157.237:21 testmoz.com tcp
CA 198.100.157.237:443 testmoz.com tcp
SG 202.81.112.199:21 connect.garena.com tcp
US 8.8.8.8:53 trakteer.id udp
US 8.8.8.8:53 eagle-research.com udp
SG 202.81.112.199:443 connect.garena.com tcp
US 104.18.34.126:22 elements.envato.com tcp
US 104.18.34.126:21 elements.envato.com tcp
GB 173.222.8.199:22 areaprivata.sisal.it tcp
GB 173.222.8.199:21 areaprivata.sisal.it tcp
US 8.8.8.8:53 eagle-research.com udp
US 8.8.8.8:53 in1-smtp.messagingengine.com udp
US 104.18.34.126:443 elements.envato.com tcp
US 8.8.8.8:53 jupiter.ch.uj.edu.pl udp
US 8.8.8.8:53 jupiter.ch.uj.edu.pl udp
SG 202.81.112.199:143 connect.garena.com tcp
GB 173.222.8.199:443 areaprivata.sisal.it tcp
US 104.26.4.203:22 trakteer.id tcp
US 104.26.4.203:21 trakteer.id tcp
US 8.8.8.8:53 shopee.co.id udp
US 8.8.8.8:53 237.157.100.198.in-addr.arpa udp
US 8.8.8.8:53 mxa.mailgun.org udp
US 8.8.8.8:53 megadev.info udp
US 8.8.8.8:53 shopee.co.id udp
US 192.124.249.32:22 eagle-research.com tcp
CA 198.100.157.237:80 testmoz.com tcp
SG 202.81.112.199:465 connect.garena.com tcp
US 104.18.34.126:143 elements.envato.com tcp
SG 202.81.112.199:80 connect.garena.com tcp
US 104.26.4.203:443 trakteer.id tcp
US 192.124.249.32:21 eagle-research.com tcp
US 103.168.172.218:143 in1-smtp.messagingengine.com tcp
US 103.168.172.218:995 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 199.112.81.202.in-addr.arpa udp
US 8.8.8.8:53 126.34.18.104.in-addr.arpa udp
PL 149.156.235.14:22 jupiter.ch.uj.edu.pl tcp
US 8.8.8.8:53 megadev.info udp
US 8.8.8.8:53 adobeid.services.adobe.com udp
US 104.18.34.126:465 elements.envato.com tcp
US 104.18.34.126:80 elements.envato.com tcp
GB 173.222.8.199:143 areaprivata.sisal.it tcp
SG 202.81.112.199:995 connect.garena.com tcp
US 192.124.249.32:443 eagle-research.com tcp
US 34.160.157.95:143 mxa.mailgun.org tcp
US 103.168.172.218:465 in1-smtp.messagingengine.com tcp
PL 149.156.235.14:21 jupiter.ch.uj.edu.pl tcp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 sg.carousell.com udp
CA 198.100.157.237:80 testmoz.com tcp
US 172.64.153.130:22 elements.envato.com tcp
US 172.64.153.130:21 elements.envato.com tcp
US 8.8.8.8:53 199.8.222.173.in-addr.arpa udp
US 104.18.34.126:995 elements.envato.com tcp
GB 173.222.8.199:465 areaprivata.sisal.it tcp
US 34.160.157.95:465 mxa.mailgun.org tcp
GB 173.222.8.199:80 areaprivata.sisal.it tcp
SG 202.181.90.248:22 shopee.co.id tcp
NL 20.105.216.13:22 megadev.info tcp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
US 104.18.34.126:80 elements.envato.com tcp
US 8.8.8.8:53 adobeid.services.adobe.com udp
US 8.8.8.8:53 sg.carousell.com udp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
US 8.8.8.8:53 account.91.com udp
SG 202.181.90.248:21 shopee.co.id tcp
US 34.160.157.95:995 mxa.mailgun.org tcp
GB 173.222.8.199:995 areaprivata.sisal.it tcp
NL 20.105.216.13:21 megadev.info tcp
US 104.26.4.203:80 trakteer.id tcp
US 8.8.8.8:53 mxa-004fae02.gslb.pphosted.com udp
US 8.8.8.8:53 14.235.156.149.in-addr.arpa udp
US 8.8.8.8:53 203.4.26.104.in-addr.arpa udp
US 8.8.8.8:53 32.249.124.192.in-addr.arpa udp
SG 74.125.200.27:143 alt2.aspmx.l.google.com tcp
US 103.168.172.219:143 in1-smtp.messagingengine.com tcp
US 172.67.74.68:22 trakteer.id tcp
US 8.8.8.8:53 account.91.com udp
SG 202.181.90.248:443 shopee.co.id tcp
US 8.8.8.8:53 accounts.google.com udp
US 172.67.74.68:21 trakteer.id tcp
CA 198.100.157.237:22 testmoz.com tcp
PL 149.156.235.14:143 jupiter.ch.uj.edu.pl tcp
CA 198.100.157.237:443 testmoz.com tcp
US 192.124.249.32:80 eagle-research.com tcp
US 103.168.172.219:465 in1-smtp.messagingengine.com tcp
NL 20.105.216.13:443 megadev.info tcp
US 172.64.153.130:143 elements.envato.com tcp
US 104.16.209.133:22 sg.carousell.com tcp
US 8.8.8.8:53 megadev-info.mail.protection.outlook.com udp
US 8.8.8.8:53 95.157.160.34.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
US 103.168.172.219:995 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 id.arduino.cc udp
PL 149.156.235.14:80 jupiter.ch.uj.edu.pl tcp
PL 149.156.235.14:465 jupiter.ch.uj.edu.pl tcp
SG 74.125.200.27:465 alt2.aspmx.l.google.com tcp
US 104.18.34.126:443 elements.envato.com tcp
US 103.168.172.221:143 in1-smtp.messagingengine.com tcp
US 172.64.153.130:995 elements.envato.com tcp
US 172.64.153.130:465 elements.envato.com tcp
US 104.26.5.203:22 trakteer.id tcp
US 104.26.4.203:80 trakteer.id tcp
NL 205.220.185.59:143 mxa-004fae02.gslb.pphosted.com tcp
IE 18.200.206.88:22 adobeid.services.adobe.com tcp
IE 18.200.206.88:21 adobeid.services.adobe.com tcp
IE 18.200.206.88:443 adobeid.services.adobe.com tcp
US 104.16.209.133:21 sg.carousell.com tcp
US 8.8.8.8:53 id.arduino.cc udp
US 104.26.5.203:21 trakteer.id tcp
US 8.8.8.8:53 aceflareaccount.com udp
PL 149.156.235.14:995 jupiter.ch.uj.edu.pl tcp
SG 74.125.200.27:995 alt2.aspmx.l.google.com tcp
US 103.168.172.221:465 in1-smtp.messagingengine.com tcp
US 8.8.8.8:53 248.90.181.202.in-addr.arpa udp
SG 202.81.112.199:443 connect.garena.com tcp
NL 52.101.73.26:143 megadev-info.mail.protection.outlook.com tcp
US 104.18.34.126:443 elements.envato.com tcp
SG 202.81.112.199:80 connect.garena.com tcp
US 103.168.172.221:995 in1-smtp.messagingengine.com tcp
US 104.16.209.133:443 sg.carousell.com tcp
US 8.8.8.8:53 aceflareaccount.com udp
US 8.8.8.8:53 dutchis.net udp
PL 149.156.235.14:22 jupiter.ch.uj.edu.pl tcp
NL 205.220.185.59:995 mxa-004fae02.gslb.pphosted.com tcp
PL 149.156.235.14:80 jupiter.ch.uj.edu.pl tcp
NL 205.220.185.59:465 mxa-004fae02.gslb.pphosted.com tcp
SG 202.181.90.248:80 shopee.co.id tcp
US 104.16.208.133:22 sg.carousell.com tcp
US 104.26.4.203:443 trakteer.id tcp
NL 52.101.73.26:465 megadev-info.mail.protection.outlook.com tcp
IE 18.200.206.88:143 adobeid.services.adobe.com tcp
NL 20.105.216.13:80 megadev.info tcp
NL 108.177.119.84:22 accounts.google.com tcp
NL 108.177.119.84:21 accounts.google.com tcp
US 8.8.8.8:53 88.206.200.18.in-addr.arpa udp
US 8.8.8.8:53 13.216.105.20.in-addr.arpa udp
US 8.8.8.8:53 dutchis.net udp
US 192.124.249.32:80 eagle-research.com tcp
US 104.16.208.133:21 sg.carousell.com tcp
US 192.124.249.32:443 eagle-research.com tcp
US 104.18.34.126:22 elements.envato.com tcp
NL 52.101.73.26:995 megadev-info.mail.protection.outlook.com tcp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
IE 18.200.206.88:465 adobeid.services.adobe.com tcp
US 8.8.8.8:53 flirtmagnifique.com udp
US 8.8.8.8:53 account.91.com udp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
US 104.16.209.133:143 sg.carousell.com tcp
CA 198.100.157.237:80 testmoz.com tcp
NL 108.177.119.84:443 accounts.google.com tcp
US 104.18.12.135:22 id.arduino.cc tcp
US 104.18.12.135:21 id.arduino.cc tcp
PL 149.156.235.14:80 jupiter.ch.uj.edu.pl tcp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
US 8.8.8.8:53 alt4.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 www.carousell.sg udp
PL 149.156.235.14:443 jupiter.ch.uj.edu.pl tcp
CA 198.100.157.237:21 testmoz.com tcp
US 107.162.189.184:22 aceflareaccount.com tcp
NL 52.101.73.15:143 megadev-info.mail.protection.outlook.com tcp
US 104.18.34.126:21 elements.envato.com tcp
US 104.16.209.133:465 sg.carousell.com tcp
IE 18.200.206.88:995 adobeid.services.adobe.com tcp
US 8.8.8.8:53 133.209.16.104.in-addr.arpa udp
US 8.8.8.8:53 flirtmagnifique.com udp
US 8.8.8.8:53 welcome2.wifi.id udp
SG 202.181.90.248:80 shopee.co.id tcp
US 104.26.4.203:22 trakteer.id tcp
US 8.8.8.8:53 www.plitch.com udp
SG 202.81.112.199:21 connect.garena.com tcp
US 104.16.209.133:80 sg.carousell.com tcp
IE 18.200.206.88:80 adobeid.services.adobe.com tcp
US 104.18.13.135:22 id.arduino.cc tcp
US 107.162.189.184:21 aceflareaccount.com tcp
NL 52.101.73.15:465 megadev-info.mail.protection.outlook.com tcp
SG 202.181.90.248:21 shopee.co.id tcp
SG 202.81.112.199:143 connect.garena.com tcp
GB 173.222.8.199:22 areaprivata.sisal.it tcp
GB 173.222.8.199:21 areaprivata.sisal.it tcp
US 104.18.34.126:143 elements.envato.com tcp
US 104.18.34.126:80 elements.envato.com tcp
US 172.64.153.130:21 elements.envato.com tcp
US 104.16.209.133:995 sg.carousell.com tcp
US 172.64.153.130:22 elements.envato.com tcp
US 104.16.208.133:465 sg.carousell.com tcp
US 8.8.8.8:53 welcome2.wifi.id udp
US 8.8.8.8:53 sse3.pajak.go.id udp
US 8.8.8.8:53 84.119.177.108.in-addr.arpa udp
NL 52.101.73.15:995 megadev-info.mail.protection.outlook.com tcp
IE 18.200.206.88:80 adobeid.services.adobe.com tcp
US 104.16.208.133:143 sg.carousell.com tcp
US 103.168.172.218:143 in1-smtp.messagingengine.com tcp
US 104.18.13.135:21 id.arduino.cc tcp
US 173.194.202.14:143 alt4.gmr-smtp-in.l.google.com tcp
NL 89.47.1.10:21 dutchis.net tcp
US 107.162.189.184:443 aceflareaccount.com tcp
SG 202.81.112.199:22 connect.garena.com tcp
SG 202.81.112.199:465 connect.garena.com tcp
US 192.124.249.32:22 eagle-research.com tcp
US 104.26.4.203:21 trakteer.id tcp
US 104.18.12.135:143 id.arduino.cc tcp
US 192.124.249.32:21 eagle-research.com tcp
US 104.18.34.126:995 elements.envato.com tcp
GB 173.222.8.199:80 areaprivata.sisal.it tcp
US 34.96.71.207:22 flirtmagnifique.com tcp
US 172.64.153.130:143 elements.envato.com tcp
US 104.18.34.126:80 elements.envato.com tcp
US 104.18.34.126:465 elements.envato.com tcp
US 103.168.172.218:465 in1-smtp.messagingengine.com tcp
US 104.16.208.133:995 sg.carousell.com tcp
US 173.194.202.14:465 alt4.gmr-smtp-in.l.google.com tcp
CA 198.100.157.237:80 testmoz.com tcp
US 8.8.8.8:53 sse3.pajak.go.id udp
US 8.8.8.8:53 ww7.french-bookys.org udp
US 8.8.8.8:53 mxb-00308701.gslb.pphosted.com udp
US 103.168.172.218:995 in1-smtp.messagingengine.com tcp
US 172.67.74.68:22 trakteer.id tcp
US 103.168.172.219:143 in1-smtp.messagingengine.com tcp
NL 89.47.1.10:443 dutchis.net tcp
PL 149.156.235.14:143 jupiter.ch.uj.edu.pl tcp
CA 198.100.157.237:22 testmoz.com tcp
US 104.18.12.135:465 id.arduino.cc tcp
GB 173.222.8.199:143 areaprivata.sisal.it tcp
US 104.26.4.203:80 trakteer.id tcp
SG 202.81.112.199:995 connect.garena.com tcp
US 172.67.74.68:21 trakteer.id tcp
US 34.96.71.207:21 flirtmagnifique.com tcp
US 104.18.12.135:80 id.arduino.cc tcp
US 104.18.13.135:143 id.arduino.cc tcp
SG 202.181.90.248:22 shopee.co.id tcp
US 172.64.153.130:995 elements.envato.com tcp
US 172.64.153.130:465 elements.envato.com tcp
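Most rows in the Network table are the sandbox's own reverse lookups (`*.in-addr.arpa` queries to 8.8.8.8) rather than sample behaviour, and the remaining connections fall into a few recognisable groups: a dozen unrelated domains each contacted on the same FTP/SSH/IMAP/SMTPS/POP3S ports (21, 22, 143, 465, 995) plus 80/443, several mail exchangers hit on 143/465/995, bare-IP peers on 9001/9101, a connection to `xmr-eu2.nanopool.org:14433`, and STUN to `stun4.l.google.com:19302`. The Python below is an added example, not part of the report: it parses rows in the table's own "Country Destination Domain Proto" layout, drops reverse lookups, groups connections per host and flags the fixed port sweep and the endpoints whose name or port identifies the service (nanopool.org is a public cryptocurrency mining pool; 9001 is Tor's default ORPort; 19302 is STUN). `REPORT_ROWS` is a subset copied from the table; the threshold of three service ports and the treatment of bare-IP 9001/9101 peers as Tor relays are assumptions made for this illustration.

```python
"""Triage the Network table of this report (added example, not sandbox output).

REPORT_ROWS is a subset of rows copied from the table in its
"Country Destination Domain Proto" layout; the sweep threshold is an assumption.
"""
import re
from collections import defaultdict

REPORT_ROWS = """
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
FR 91.121.181.6:9001 tcp
US 128.31.0.39:9101 tcp
DE 51.195.43.17:14433 xmr-eu2.nanopool.org tcp
US 104.20.67.143:443 pastebin.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
N/A 127.0.0.1:54271 tcp
CA 198.100.157.237:22 testmoz.com tcp
CA 198.100.157.237:21 testmoz.com tcp
SG 202.81.112.199:22 connect.garena.com tcp
SG 202.81.112.199:21 connect.garena.com tcp
SG 202.81.112.199:143 connect.garena.com tcp
SG 202.81.112.199:465 connect.garena.com tcp
SG 202.81.112.199:995 connect.garena.com tcp
SG 202.81.112.199:443 connect.garena.com tcp
US 104.18.34.126:22 elements.envato.com tcp
US 104.18.34.126:21 elements.envato.com tcp
US 104.18.34.126:143 elements.envato.com tcp
US 104.18.34.126:465 elements.envato.com tcp
US 104.18.34.126:995 elements.envato.com tcp
US 34.160.157.95:143 mxa.mailgun.org tcp
US 34.160.157.95:465 mxa.mailgun.org tcp
US 34.160.157.95:995 mxa.mailgun.org tcp
"""

# country, ip:port, optional domain, proto
ROW_RE = re.compile(r"^(\S+)\s+(\S+):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")

# Ports the sample walks on each host; none of them is web browsing.
SERVICE_PORTS = {21: "ftp", 22: "ssh", 143: "imap", 465: "smtps", 995: "pop3s"}


def parse_rows(text):
    """Parse table rows into dicts; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append({"country": country, "ip": ip, "port": int(port),
                         "domain": domain or "", "proto": proto})
    return rows


def split_dns(rows):
    """Separate resolver traffic from connections. Reverse (in-addr.arpa)
    lookups are the sandbox resolving peers it saw, not sample behaviour."""
    forward, reverse, conns = [], [], []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            (reverse if r["domain"].endswith(".in-addr.arpa") else forward).append(r)
        else:
            conns.append(r)
    return forward, reverse, conns


def ports_by_host(conns):
    """Set of ports contacted per host, keyed by domain or bare IP."""
    hosts = defaultdict(set)
    for r in conns:
        hosts[r["domain"] or r["ip"]].add(r["port"])
    return dict(hosts)


def port_sweeps(hosts, minimum=3):
    """Hosts hit on at least `minimum` of the FTP/SSH/IMAP/SMTPS/POP3S ports:
    the same fixed sweep against unrelated domains is automation, not a user."""
    wanted = set(SERVICE_PORTS)
    return {h: sorted(p & wanted) for h, p in hosts.items()
            if len(p & wanted) >= minimum}


def notable_endpoints(conns):
    """Endpoints whose name or port identifies the service being used."""
    notes = {}
    for r in conns:
        key = f"{r['domain'] or r['ip']}:{r['port']}"
        if r["domain"].endswith("nanopool.org"):
            notes[key] = "public cryptocurrency mining pool"
        elif not r["domain"] and r["port"] in (9001, 9101):
            # Assumption: bare-IP peers on 9001/9101 are Tor relay ORPorts
            # (9001 is Tor's default ORPort).
            notes[key] = "Tor relay ORPort"
        elif r["port"] == 19302:
            notes[key] = "STUN (learns the host's public address)"
        elif r["ip"].startswith("127."):
            notes[key] = "loopback connection (a local listener on the sandbox)"
    return notes


if __name__ == "__main__":
    fwd, rev, conns = split_dns(parse_rows(REPORT_ROWS))
    print(f"{len(rev)} reverse lookups dropped, {len(fwd)} forward queries, "
          f"{len(conns)} connections")
    for host, ports in port_sweeps(ports_by_host(conns)).items():
        print("sweep:", host, ports)
    for endpoint, why in notable_endpoints(conns).items():
        print("notable:", endpoint, "->", why)
```

Run against the full table the sweep list grows to every domain in the second half of the capture (sisal.it, trakteer.id, shopee.co.id, adobeid.services.adobe.com and the rest), and the mail-exchanger hosts (`mxa.mailgun.org`, `in1-smtp.messagingengine.com`, `*.mail.protection.outlook.com`, `*.pphosted.com`) show the 143/465/995 subset. The sweep should be read together with the "Reads user/profile data of web browsers" and "Reads data files stored by FTP clients" signatures in the overview: it is machine-driven contact with hosts the sample found on the system, not navigation. `testmoz.com` sits below the threshold in the subset because the capture shows it on 21, 22, 80 and 443 only.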

Files

memory/3988-1-0x0000000002DA0000-0x0000000002EA0000-memory.dmp

memory/3988-2-0x0000000002F00000-0x0000000002F0B000-memory.dmp

memory/3988-3-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/3372-4-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/3988-5-0x0000000000400000-0x0000000002D3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC2E.exe

MD5 147f5f5bbc80b2ad753993e15f3f32c2
SHA1 16d73b4abeef12cf76414338901eb7bbef46775f
SHA256 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
SHA512 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

memory/2336-16-0x0000000004C70000-0x0000000004E2D000-memory.dmp

memory/3724-17-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2336-18-0x0000000004E30000-0x0000000004FE7000-memory.dmp

memory/3724-20-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3724-21-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3724-22-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B269.dll

MD5 b66379323022a073f1f7cdefed747401
SHA1 14cfd615676b85960154df8273ca841f4a0e268b
SHA256 19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db
SHA512 94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b

memory/2880-26-0x0000000010000000-0x000000001020C000-memory.dmp

memory/2880-27-0x00000000007E0000-0x00000000007E6000-memory.dmp

memory/3724-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3724-30-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B269.dll

MD5 d3d95f1cc5b650d22b7ed57ba3a22a21
SHA1 53c9bee12417a661ad62eaa2bd6026124b07b10d
SHA256 d7481ea51076dddf99dfaaa197a8e586c8f80e6f116a5d62b984af0903ccda64
SHA512 8c8108e7b4ce4a7b5ac07e64ba1c7cda19d653010d49de5635d33eafc0dc8151fd9f00d983c52ed91fe5b13d71c521eb06c7cf3f3084955be3f26f47f9da2fb5

memory/3724-33-0x0000000000950000-0x0000000000956000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEBE.exe

MD5 acd072a27fbf42bc036802413e4eaf4e
SHA1 0809cd2d902abb1b08f1baecee9a7a5b3c576eb4
SHA256 4035730ac652c1b60915e87640812ca98cab3659b9606a2560f47f0926a2261e
SHA512 06d709ac73067720aa18bb1af52e44ce2850014882b68394505abc5f88d147f62c45332fd6b5bf94fdffe26ae6210bc474fa17217f68494e636b54006578884b

C:\Users\Admin\AppData\Local\Temp\BEBE.exe

MD5 5914dfecbcaf98a93fdb043df706df1f
SHA1 79ea43b28ff425338045b46ff0246668b0bf9a1e
SHA256 c083f31e9d48652ee47464c3fde4e7d92a63a6110fa1602e20c6e4f6c11f7f48
SHA512 0763827ea5b942e79fc57bad80ac4e0a7ff345ca02b8749f02415c0a82f97c9c81587aeef056a51765033b084dcc78de3875f24979225268a2f131f007f320d8

memory/2800-39-0x00000000015E0000-0x00000000015E1000-memory.dmp

memory/2800-40-0x0000000000BC0000-0x000000000146F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C3EF.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/2864-48-0x0000000002E30000-0x0000000002F30000-memory.dmp

memory/2864-49-0x00000000049A0000-0x0000000004A0B000-memory.dmp

memory/2864-51-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D323.exe

MD5 5432ccce8ac6890762a57543fc7fc6fe
SHA1 2a0dd2d54d22635f370cafc0a228fc1fe36eccce
SHA256 ad38ac932048d0129f07dd0e2149605115949f7f22fb865b279a154b247363ab
SHA512 8e4448b923f0306acfa0c7b3e5113235c1fad45f49d9a0210cd50fac2e458c03a037892ae613ec8cfc53d1e003d8be72336a3b993dc74c7beeea29e292664a88

C:\Users\Admin\AppData\Local\Temp\D323.exe

MD5 c7c8b71baee8f80c0acedc1db40c7824
SHA1 c7a28bd64fb3fa4bebef1bff7578670ad9163af4
SHA256 a1c20a49291d74e860492e5f87e48a2faef4236c4c0f95212b56d2909775cdb4
SHA512 829722298eb7950cb7a63d844fd0cdaa1ede33f87d6997e146a5bf185f546aaa43ec58eaeceab739d070366acbaf67f33d29b1a9e51d917d6d087b57fc44dc9b

memory/3336-58-0x0000000000E70000-0x0000000001726000-memory.dmp

memory/3336-59-0x0000000073D90000-0x0000000074540000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 7c277165dcead3616b33d9432afcb485
SHA1 b725f0009bb07f8c3f434adc10ccc8d78967ea62
SHA256 a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
SHA512 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105

memory/2880-68-0x0000000002740000-0x000000000287C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8c9607a8c8359d15ec05a327be0b80a8
SHA1 645ef703da82d57f169789d42c5c88625548bcc1
SHA256 924f06d5c5dfa4ac57ea02f3899d9e083a61844d3e86372fc5d71e0e184df233
SHA512 60880b8445341e3ad208977d2d328e497243dc6d5d51dc6a35923752f83cc8e621d6ca377d8638ef4415689f6e74e230bfa8a29953d639a5757bdf94a8d5dda1

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c641189e2f1dca765716924b00fb0541
SHA1 5020e7e18acafb0a699ec8bcbb0db81448a2a756
SHA256 ee15357441bf9b47d392fb578324ccd39c386f2b7794b35930887e2df90da548
SHA512 4919a6acf4ceb57ff9db4f9ab687406a63503e9c9d4261f727d1b285409f24f876b8c578690ef441f3130525a73588546801d41dcdd97b5327fe321c55fb0318

memory/1596-79-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3724-81-0x0000000002DC0000-0x0000000002EFC000-memory.dmp

memory/2880-83-0x0000000010000000-0x000000001020C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 65c145064bb3e087c2ec0ae6034c2df0
SHA1 5ec0f6d5fa4a931f5964c709ed79efae1520fefe
SHA256 2d8e8d5d3302cf18163d55b4e452c95fcec38931dcc8acf3ad2e0c2d8740376e
SHA512 7a87a15a1df889f38994f9a26313ab040ae596a7faeeb07faa556d932235486a295a2039fb3b70c0d5c806e136dfdb2c0ccfd58a17e7a68b1594559c59933f3f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 56b83c068dc6c8df9c02236e9587cd42
SHA1 9803091206a0fff470768e67577426cce937a939
SHA256 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
SHA512 e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 02df76a7b45d874395b4274c2e5b7b1f
SHA1 1b8d7060e9fa5204fa74efeb4192a168b778e9ca
SHA256 2f84a4b95126d6047929174a1d44106d9d4f62ba23c77e10218f79eca126d7a9
SHA512 5675e3895878a8b558aa4a31e06ea9858ece0dde7eca67d7e80033a96571786790ddaa0a53859f84222eb87e6eaa451245e41b31b8b66ab946a50072d6ab249e

C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\is-EHOUO.tmp\E11E.tmp

MD5 5cc29afdf740599b3a6cba5b64b9d4ae
SHA1 249103d58e2f09c1452de388fc101f3e425954bf
SHA256 9cd4688f7c3fe38c579a6a8d28a9d4c6b9652336b885cc1fe5cee4f5e293e69a
SHA512 1311e3f4590577942d742b660f1ab1e805c66a71dc6d358722084d2e6571e1e2f8c029b4ae7a4ebbad27df99f915b9cca81c1c9a0596862f11be17bbf792bf76

C:\Users\Admin\AppData\Local\Temp\is-HL7NP.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\is-HL7NP.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2880-129-0x0000000002880000-0x000000000299B000-memory.dmp

memory/2880-169-0x0000000002880000-0x000000000299B000-memory.dmp

C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe

MD5 fbfe6bc7887cc98ffe373edf03621841
SHA1 346afa7ff4d42a241dfe443cdecefd0961c08412
SHA256 1921c256755b2ca3d97216df201b6233737937f28d735267166a7f782b878942
SHA512 0e743487d9ab2de6db60941def2d1e950134834f0c847b968270ba85cfee2d9abf0b9a516883f0477e8b409afd9945fb77c3e9f836e71aa4cd0b415db3c1a89b

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 7e16dda41b2ae464d9612815f0d3d6eb
SHA1 1b2486381b4e1cade80e200638f64d9fc4693ed5
SHA256 492a2edab7086f7989f9fb74f662683b7a12f47691c04ee6c764e335a0cbf2b1
SHA512 4549699fa1fdb320b22b5ac456a72d219c09a83b11cccdb9d49cfac26428721b710873304cc7109a6802bd79b52325ff6380e55c5b14a42dda6b1221c4f8e72b

memory/3724-176-0x0000000002F00000-0x000000000301B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsgEE49.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3228-183-0x0000000000400000-0x0000000000790000-memory.dmp

C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe

MD5 24ee18fc0b741e34a244b5c7db9b76d9
SHA1 bc0f432ee01e052479e735d0155b46ff5edf9232
SHA256 8eb891ab450fcd0a88e10125c74c4ebe46900eea3fe2f54fb788f8a1d3fa9664
SHA512 eeedf4d0905938807f7c481eb1cc7f843ed5339575c457ef36847979316227a21ec2958090726559bb3704cdca23371625da3aa75fc123994205424e7add3c84

memory/3228-187-0x0000000000400000-0x0000000000790000-memory.dmp

memory/4288-182-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2864-186-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Trafaret\trafaret.exe

MD5 e0f66942f8d0f2f50bb4fe927c8f34b7
SHA1 6b2aa63466ce1e48d2268b950048ef8df7578fb7
SHA256 e1bcbe82e46638a1c722f7f32cc6081d788b6f19b98c403143354dcd56009c6d
SHA512 b0f6e6ecf98327d5008ea5098b4949e01cf38fc92d4f65ec300ce24fd1cade98d3c3f03db4d3c6ebdafeebb351dd37439a23d41924d00bd564961da3746b481b

memory/3724-181-0x0000000002F00000-0x000000000301B000-memory.dmp

memory/3440-189-0x0000000002460000-0x0000000002461000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

memory/1952-193-0x00000000020D0000-0x00000000020D1000-memory.dmp

memory/4288-113-0x0000000002FD0000-0x00000000030D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

memory/3336-104-0x0000000073D90000-0x0000000074540000-memory.dmp

memory/1596-93-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2800-88-0x0000000000BC0000-0x000000000146F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E11E.exe

MD5 ef57e765f5b96c096eb42ec8f174292f
SHA1 b3743ff221876e8051e90843e8b3cc38b4bb58b7
SHA256 97d85610932322191c3a7797061d9feeb268a878beaba568192c2beec5e3ed4e
SHA512 0652fcf82161cbbb7b4d9b02ea0fa14e889cf2151fd352b0d8a24fed4146a28a40f09157333f76992d118372ac5a179a926417d21c44b0142b00b1229d8bc142

C:\Users\Admin\AppData\Local\Temp\E11E.exe

MD5 87be654dbdd7f39aa9c2e9c67ce38d72
SHA1 b72b6f46e6521bdbe7d464ca2a80409776f7b391
SHA256 a31c3f09551693cce24d47d8a7f139425d60ae8dd766d53622d008e5fb2be53e
SHA512 d5edff77fddd8886691318f00ae10909feb0875948fae347773170139113a5c522c01dcf1622f9e048a8d65da0aa1a946bc6f3c61db68909301e68658160ca71

memory/1080-194-0x0000000000400000-0x0000000000790000-memory.dmp

memory/1080-197-0x0000000000400000-0x0000000000790000-memory.dmp

memory/3724-201-0x0000000002F00000-0x000000000301B000-memory.dmp

memory/2880-196-0x0000000002880000-0x000000000299B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsd1E1.tmp

MD5 593c6bba2414d94e5e05d505074793dc
SHA1 1315c0ffbecf2e1eea0f5ac63adce7cc403ea9e8
SHA256 44a0af487346e24e3a06361a917a81ec151ddb8b7a1c558294cfc283a35ce4ec
SHA512 6e9d0191723db1caf54f50d1ba249079f74c0b8cdb745fefb283a248279375248c6ddc27f70b1887678c5e5e22fc9a58cec1a613e758b3a96d2c72a5b7da5257

memory/4856-213-0x0000000002E90000-0x000000000377B000-memory.dmp

memory/1596-214-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2460-215-0x0000000002FD0000-0x0000000003004000-memory.dmp

memory/4856-207-0x0000000002A80000-0x0000000002E85000-memory.dmp

memory/2460-218-0x0000000000400000-0x0000000002D41000-memory.dmp

memory/4288-219-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1952-220-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/3440-221-0x0000000000400000-0x00000000008E2000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/4856-223-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2460-225-0x0000000003050000-0x0000000003150000-memory.dmp

memory/2460-226-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/4288-262-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2536-261-0x0000000002570000-0x00000000025A6000-memory.dmp

memory/2864-270-0x0000000002E30000-0x0000000002F30000-memory.dmp

memory/2536-271-0x0000000004E60000-0x0000000005488000-memory.dmp

memory/2536-272-0x0000000004A70000-0x0000000004A92000-memory.dmp

memory/2536-273-0x0000000005490000-0x00000000054F6000-memory.dmp

memory/2536-274-0x0000000005500000-0x0000000005566000-memory.dmp

memory/2536-276-0x0000000002780000-0x0000000002790000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zpbw54bc.qca.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2536-282-0x0000000002780000-0x0000000002790000-memory.dmp

memory/2536-275-0x0000000072A00000-0x00000000731B0000-memory.dmp

memory/2536-287-0x0000000005570000-0x00000000058C4000-memory.dmp

memory/2536-291-0x0000000005B80000-0x0000000005B9E000-memory.dmp

memory/2536-292-0x0000000005BC0000-0x0000000005C0C000-memory.dmp

memory/2536-302-0x0000000006090000-0x00000000060D4000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2536-328-0x0000000006E90000-0x0000000006F06000-memory.dmp

memory/2536-334-0x0000000006F30000-0x0000000006F4A000-memory.dmp

memory/2536-333-0x0000000002780000-0x0000000002790000-memory.dmp
