Malware Analysis Report

2024-11-13 14:05

Sample ID 240225-fz1fnadc4y
Target cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe
SHA256 cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
Tags
glupteba smokeloader pub1 backdoor dropper evasion loader persistence trojan upx dcrat lumma stealc bootkit discovery infostealer rat spyware stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe was found to be: Known bad.

Malicious Activity Summary

DcRat

Glupteba payload

SmokeLoader

Glupteba

Lumma Stealer

Stealc

Detects executables containing URLs to raw contents of a GitHub gist

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects Windows executables referencing non-Windows User-Agents

UPX dump on OEP (original entry point)

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects binaries embedding a considerable number of MFA browser extension IDs.

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables packed with VMProtect.

Downloads MZ/PE file

Modifies Windows Firewall

Creates new service(s)

Stops running service(s)

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

UPX packed file

Deletes itself

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 05:19

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 05:19

Reported

2024-02-25 05:21

Platform

win7-20240221-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


SmokeLoader

trojan backdoor smokeloader

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)


Detects Windows executables referencing non-Windows User-Agents


Detects executables containing a Discord URL observed in first-stage droppers


Detects executables containing URLs to raw contents of a GitHub gist


Detects executables containing artifacts associated with disabling Windows Defender


Detects executables referencing many varying, potentially fake Windows User-Agents


UPX dump on OEP (original entry point)


Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\95DB.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\70EC.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2664 set thread context of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\95DB.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 1204 wrote to memory of 2664 N/A N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 2664 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\70EC.exe C:\Users\Admin\AppData\Local\Temp\70EC.exe
PID 1204 wrote to memory of 2712 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2712 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2712 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2712 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1204 wrote to memory of 2712 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2712 wrote to memory of 2492 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 2332 N/A N/A C:\Users\Admin\AppData\Local\Temp\95DB.exe
PID 1204 wrote to memory of 2332 N/A N/A C:\Users\Admin\AppData\Local\Temp\95DB.exe
PID 1204 wrote to memory of 2332 N/A N/A C:\Users\Admin\AppData\Local\Temp\95DB.exe
PID 1204 wrote to memory of 2332 N/A N/A C:\Users\Admin\AppData\Local\Temp\95DB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe

"C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe"

C:\Users\Admin\AppData\Local\Temp\70EC.exe

C:\Users\Admin\AppData\Local\Temp\70EC.exe

C:\Users\Admin\AppData\Local\Temp\70EC.exe

C:\Users\Admin\AppData\Local\Temp\70EC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\78AA.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\78AA.dll

C:\Users\Admin\AppData\Local\Temp\95DB.exe

C:\Users\Admin\AppData\Local\Temp\95DB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 124

C:\Users\Admin\AppData\Local\Temp\A180.exe

C:\Users\Admin\AppData\Local\Temp\A180.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B20C0553-16C5-451A-B524-D505AF1C406C} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\gdfvttb

C:\Users\Admin\AppData\Roaming\gdfvttb

C:\Users\Admin\AppData\Local\Temp\B84B.exe

C:\Users\Admin\AppData\Local\Temp\B84B.exe

C:\Users\Admin\AppData\Local\Temp\CDFE.exe

C:\Users\Admin\AppData\Local\Temp\CDFE.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\E3A1.exe

C:\Users\Admin\AppData\Local\Temp\E3A1.exe

C:\Users\Admin\AppData\Local\Temp\is-79ORP.tmp\E3A1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-79ORP.tmp\E3A1.tmp" /SL5="$201C4,4185251,54272,C:\Users\Admin\AppData\Local\Temp\E3A1.exe"

C:\Users\Admin\AppData\Local\Temp\EE2D.exe

C:\Users\Admin\AppData\Local\Temp\EE2D.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\nsy3738.tmp

C:\Users\Admin\AppData\Local\Temp\nsy3738.tmp

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

Network


Files

memory/2868-2-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/2868-1-0x0000000003180000-0x0000000003280000-memory.dmp

memory/2868-3-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/1204-4-0x0000000002580000-0x0000000002596000-memory.dmp

memory/2868-5-0x0000000000400000-0x0000000002D3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70EC.exe

MD5 147f5f5bbc80b2ad753993e15f3f32c2
SHA1 16d73b4abeef12cf76414338901eb7bbef46775f
SHA256 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
SHA512 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

memory/2664-17-0x0000000004890000-0x0000000004A48000-memory.dmp

memory/2664-18-0x0000000004890000-0x0000000004A48000-memory.dmp

memory/2664-22-0x0000000004A50000-0x0000000004C07000-memory.dmp

memory/2572-24-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2572-26-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-28-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-27-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-30-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2572-31-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\78AA.dll

MD5 b66379323022a073f1f7cdefed747401
SHA1 14cfd615676b85960154df8273ca841f4a0e268b
SHA256 19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db
SHA512 94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b

memory/2492-39-0x0000000010000000-0x000000001020C000-memory.dmp

memory/2492-40-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2492-42-0x0000000000DC0000-0x0000000000EFC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\95DB.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

C:\Users\Admin\AppData\Local\Temp\95DB.exe

MD5 2ecf2c13abdeea12d21e5ae1ce1427c2
SHA1 71f8a51b11cc7d20aef0b5b8b0fd2f4aa19a1c92
SHA256 efd193f3ccbbf0f0506a08cad03ff97ec1f4af4b57ad7fc970324818044f632b
SHA512 060c06ec0b266aecf7f501463a2a11f60492132f68dcc72584e713e041b13dcd58970147cab3eb8f84c789a8bfac520b70b1b217c0dbe4952d08f0f06e8ade00

memory/2492-48-0x0000000002650000-0x000000000276B000-memory.dmp

memory/2492-51-0x0000000002650000-0x000000000276B000-memory.dmp

memory/2332-52-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2332-53-0x0000000001320000-0x0000000001BCF000-memory.dmp

memory/2572-54-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2332-56-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2332-58-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2332-59-0x00000000775B0000-0x00000000775B1000-memory.dmp

memory/2332-62-0x0000000000180000-0x0000000000181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A180.exe

MD5 e7daa3a1c5313592c25eadb630a26939
SHA1 f045377dae75ff0685759ad98f8a641f95638593
SHA256 ae4ce161e7962f4e0fe521ff088abfe36eeb319442a4f953b44a9ac4a0f77529
SHA512 bea8938765583b3e6e0fce6e0e77ba372ca45e97635ef12ea4066676da5b60286878170e47cf1f019009beeca46bbdf091b7000509fe1be6f214051d950d5afd

C:\Users\Admin\AppData\Local\Temp\A180.exe

MD5 42890fec31de38b85215c147b0601ad3
SHA1 38243be84be0d07d82598a4f8b8af11127872c70
SHA256 9b04ad78063de07dc721c4dbd56a5db509ac21320db4fc83573c075c3eeccad8
SHA512 38bbf4f30c8cb66e2ebf2aba6d1d48ffd6af74017c68f45cd3be2892cdbe8f2f0ef01dfafc4269d685b955f97ad121be4ac756b6946c88f5b63e2b8c1bdf8538

memory/2492-70-0x0000000010000000-0x000000001020C000-memory.dmp

memory/2772-71-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

memory/2772-72-0x0000000000250000-0x00000000002BB000-memory.dmp

memory/2572-73-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2772-77-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Roaming\gdfvttb

MD5 5212ecaf2c3880d92f371356d84105be
SHA1 d17cc3b0083fef207a84eefbb927ac9a79ef01ae
SHA256 cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
SHA512 a1987d88d57e2a835f81b771da0bd8f8d26800d023d088558a688979bd876a8f142fdfe2b2462907be6401152fc3ec7dd87bae0749e118c9ca82080963253a09

memory/2572-84-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B84B.exe

MD5 8deb6b2a43e4aa3536cde29cb36c3a2c
SHA1 1e814d6b6016297efacb75764beb4c555478ad1a
SHA256 f9ad0a2f07e1a86f16917297fd2390b6dbf51d35192e977cfd6463f3d78eca2d
SHA512 80a95e28159082fe5ae7ef833957341d4620d1560f51924d5791e8cec87fc4c45e8c78d3fcc6ba9dd6ef6943a13328afb1c18556fef42415c24f36f004d3d999

C:\Users\Admin\AppData\Local\Temp\B84B.exe

MD5 f5e0eb212feff9596c90627b4610db95
SHA1 46aee66e64f06d169d85ca5f16bd67a682d525c4
SHA256 d4745a7ce499f0c9a6c3bc67247f4e67f02dbee30fa84ff813c3b1505d023485
SHA512 90d0f01e725af952b6a63f3fb01a7e92bfdce857274666cf3ef43044f345a02969693e41a1e0f61a26f8e619470601975c2774e2ddc35f8131f4467ae19a2a56

memory/1640-85-0x0000000001090000-0x0000000001946000-memory.dmp

memory/1640-86-0x00000000732B0000-0x000000007399E000-memory.dmp

memory/2572-87-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CDFE.exe

MD5 3893d9674f9791363d8f92edae4427a7
SHA1 93603d9de7c259c8437f320f032ba171be67e200
SHA256 ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce
SHA512 9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6

memory/2772-100-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2512-102-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2512-101-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/2512-103-0x0000000000400000-0x0000000002D3E000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8ad403ae8cf15c720dc1689b03c0b14e
SHA1 613000bf380626170aecd8c41a4f5f24e38c81d0
SHA256 fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f
SHA512 20ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 452c18323878b830187936101aea2754
SHA1 c99802db6204c596e9ae0a2bcd01dd49964feda9
SHA256 369df828547348cc841bc7450c9b2ee5450c13cff42dc4ab4dab972a250a0394
SHA512 17560cfd00eb218f7a955a268ff895d79f46f6d6fa883926388a746002d7aaf5811913cf17a4f455bdc70175c81e27e180a01de4554c0e90480b626e1c0c6c0c

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

memory/2280-112-0x00000000027A0000-0x0000000002B98000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 3ca4a9bdbec4d6e4d299906880ff5333
SHA1 0687217241b17ebbbb2c5366a5e6814611006c11
SHA256 1432ceb485d36ed7af72913b693d5e2f975a7de52b70019c984908458440b5cc
SHA512 15e9e37b40d6016e38eb2bcd74625a163766ff0db2d4eb151ec92714de09a8b4c6beee2c76cca0700b17d5e2b9037bc7ea7942fd3e1e0ba3a730e7f162e15434

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 84cc42478a45afb79ee481ea9d0ad8d9
SHA1 d0f13a02a0c7ced6c54e6575e2257c2d1ad7328c
SHA256 4c1a82bafcb501ba52377d64ef3cddd01a6d773d83a7a5072abdf641b61442b2
SHA512 856c73bec22afb73894d0eb63820532a1ef86a3c11d4d4d8e94ae8ff3f8ec9a44799b46a3b06efac67220264160f792d37a606956083ecbb23b8706b5439f2c3

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 d1595c627b387677b1fdc35f8ce881d0
SHA1 177df5ff81f11a747db10917414d10e7bcb216d0
SHA256 85475b69029793ad8d37db633331707e47409f0d8536349d8ce07510eac62cf6
SHA512 10011f5215fbfb594695c537fe6794a4dc794fe392019f4e2f93f943b0cca6ffde34a9a3274440f4df63c9debaa031103882b4b6ed6be77534115df086ca9f51

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 8d3d2cae827e55f83e9a0eedec37632e
SHA1 9972f9328afd0e4632a90a391ac891f4b97e1c8a
SHA256 7d5943d83c2f0cf99a8198ebae6c07269cbaaf595bb78ab006e57846abbb080b
SHA512 3115b7b08c403f3479c9b5fcd600ab8505f05fbf3ff79076c57582c8b0facaae7564859a8c1cfe3aa00a32a562fa1c3dd7a0a2f2a616b8c903a8634cf9c5d8f1

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 682fc35530a6dc6f2bdfad98ecd7eae2
SHA1 10666b26129587b4a564fb59d367539f57c76ca3
SHA256 83414b912a4ba1cbfea8b625890291ae866860408ed45da5923d1a67ea7c4101
SHA512 ea68038310a51b183dfee7acabd61cad8d93372f30321ec0ed9ccf53016c82b7133b90930fcff107f42582f7a65315f2cf5ba8078597cf275fb45c6881da25da

memory/2280-134-0x00000000027A0000-0x0000000002B98000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsyDF29.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 a95cb4fc85942a4c1c926eb59ea75fab
SHA1 1f010863e3f006be0a1880291513f9301317fabc
SHA256 7163e8d2bc540785ee05addedc74c4cb91f6225bdbd5669d401807f930c32eab
SHA512 59365d314e8607aad81fc804032e1f59ab2d2bf2d1da353a2f930c74b8907459ba313229279c1d601d793103da5e3d2f333036ba5dbd801beaaf169d8d65653f

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 c7e7923c32399821168d3c8b43a07432
SHA1 f4f6712df98adc7f3e6eb4daaae8701ff94cade6
SHA256 803a8f1a03fe40d7311432963bfadebb83254c56d1a9f1b1e0f14b6d8b798279
SHA512 d2877bea59cacaddee4f0f36559842a8b81a79621865e622f41cd2c8fb856000cf6dfc433ab985e177dd33dcc0694cef84ff691fcb27f4b5931314a2faeb0cea

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 05:19

Reported

2024-02-25 05:21

Platform

win10v2004-20240221-en

Max time kernel

71s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detect binaries embedding a considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8C80.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\4E98.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\72AD.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1820 set thread context of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C50.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C50.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9C50.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\agtwdhr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\agtwdhr N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\agtwdhr N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 1820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 3512 wrote to memory of 1820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 3512 wrote to memory of 1820 N/A N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 1820 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\4E98.exe C:\Users\Admin\AppData\Local\Temp\4E98.exe
PID 3512 wrote to memory of 4808 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3512 wrote to memory of 4808 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4808 wrote to memory of 2216 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4808 wrote to memory of 2216 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4808 wrote to memory of 2216 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3512 wrote to memory of 3272 N/A N/A C:\Users\Admin\AppData\Local\Temp\6DDA.exe
PID 3512 wrote to memory of 3272 N/A N/A C:\Users\Admin\AppData\Local\Temp\6DDA.exe
PID 3512 wrote to memory of 3272 N/A N/A C:\Users\Admin\AppData\Local\Temp\6DDA.exe
PID 3512 wrote to memory of 5064 N/A N/A C:\Users\Admin\AppData\Local\Temp\72AD.exe
PID 3512 wrote to memory of 5064 N/A N/A C:\Users\Admin\AppData\Local\Temp\72AD.exe
PID 3512 wrote to memory of 5064 N/A N/A C:\Users\Admin\AppData\Local\Temp\72AD.exe
PID 3512 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe
PID 3512 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe
PID 3512 wrote to memory of 4564 N/A N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe
PID 3512 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C50.exe
PID 3512 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C50.exe
PID 3512 wrote to memory of 1444 N/A N/A C:\Users\Admin\AppData\Local\Temp\9C50.exe
PID 3512 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe
PID 3512 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe
PID 3512 wrote to memory of 564 N/A N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe
PID 4564 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4564 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4564 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4564 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4564 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4564 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3512 wrote to memory of 3640 N/A N/A C:\Windows\system32\netsh.exe
PID 3512 wrote to memory of 3640 N/A N/A C:\Windows\system32\netsh.exe
PID 3512 wrote to memory of 3640 N/A N/A C:\Windows\system32\netsh.exe
PID 4564 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4564 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\8C80.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 564 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp
PID 564 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp
PID 564 wrote to memory of 1072 N/A C:\Users\Admin\AppData\Local\Temp\A5A7.exe C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp
PID 2796 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2796 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2796 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1072 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 1072 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 1072 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 1072 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 1072 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 1072 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe
PID 2796 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp
PID 2796 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp
PID 2796 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp
PID 1408 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1408 wrote to memory of 4104 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4104 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4104 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4104 wrote to memory of 1152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4104 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe

"C:\Users\Admin\AppData\Local\Temp\cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84.exe"

C:\Users\Admin\AppData\Local\Temp\4E98.exe

C:\Users\Admin\AppData\Local\Temp\4E98.exe

C:\Users\Admin\AppData\Local\Temp\4E98.exe

C:\Users\Admin\AppData\Local\Temp\4E98.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\5540.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\5540.dll

C:\Users\Admin\AppData\Local\Temp\6DDA.exe

C:\Users\Admin\AppData\Local\Temp\6DDA.exe

C:\Users\Admin\AppData\Local\Temp\72AD.exe

C:\Users\Admin\AppData\Local\Temp\72AD.exe

C:\Users\Admin\AppData\Roaming\agtwdhr

C:\Users\Admin\AppData\Roaming\agtwdhr

C:\Users\Admin\AppData\Local\Temp\8C80.exe

C:\Users\Admin\AppData\Local\Temp\8C80.exe

C:\Users\Admin\AppData\Local\Temp\9C50.exe

C:\Users\Admin\AppData\Local\Temp\9C50.exe

C:\Users\Admin\AppData\Local\Temp\A5A7.exe

C:\Users\Admin\AppData\Local\Temp\A5A7.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp" /SL5="$C0056,4185251,54272,C:\Users\Admin\AppData\Local\Temp\A5A7.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\AAAA.exe

C:\Users\Admin\AppData\Local\Temp\AAAA.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

"C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe" -i

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

"C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe" -s

C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp

C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3640 -ip 3640

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3640 -s 544

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3340 -ip 3340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 2160

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Files

C:\Users\Admin\AppData\Local\Temp\6DDA.exe

MD5 82e21cbd0f15d63a965f590e218f7d7c
SHA1 2a049cf30d59668cbe7f78d4fbce2b193e68da0a
SHA256 93f5f13411505cfe9d3d2e3f935c0b8bd18dfd6e705a97fff5d54768de9e5154
SHA512 035920563c9bb5ee27e5822e75f06a8663d6fbf0144469dfbedd378edd1912d4d72e5462bfbceb393c5f386105f7fca337635d6f0f31980f16d235957a0f9745

C:\Users\Admin\AppData\Local\Temp\72AD.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/5064-45-0x0000000002FA0000-0x00000000030A0000-memory.dmp

memory/5064-46-0x0000000002F10000-0x0000000002F7B000-memory.dmp

memory/3272-49-0x0000000000F40000-0x0000000000F41000-memory.dmp

memory/3272-47-0x0000000000140000-0x00000000009EF000-memory.dmp

memory/3272-50-0x0000000000140000-0x00000000009EF000-memory.dmp

memory/5064-48-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2324-52-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3272-55-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/3272-57-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/3272-56-0x0000000000F50000-0x0000000000F51000-memory.dmp

memory/3272-58-0x0000000000F50000-0x0000000000F51000-memory.dmp

C:\Users\Admin\AppData\Roaming\agtwdhr

MD5 5212ecaf2c3880d92f371356d84105be
SHA1 d17cc3b0083fef207a84eefbb927ac9a79ef01ae
SHA256 cc4cb393dfc2c8fef2d76f297554a93cbec91244fe7ad5dc3ab533018d52fc84
SHA512 a1987d88d57e2a835f81b771da0bd8f8d26800d023d088558a688979bd876a8f142fdfe2b2462907be6401152fc3ec7dd87bae0749e118c9ca82080963253a09

C:\Users\Admin\AppData\Local\Temp\8C80.exe

MD5 891b0ecba023c942258e77f219e08e47
SHA1 b6902ef9eef4c4822532c059656e67606090d1f9
SHA256 cde4d1fb53812f82a6ae30d9fe315b2a27fd77900f27c9ed3a6b49c21e51b330
SHA512 90867d45c751c0c0c685b980cc772a8cbe4a88378bc5cfe5187ce23e38005c102d5dfb95ec8fb63557caf9c0b2ac8c07320baf39159cde85f2f20c273ae1c0df

C:\Users\Admin\AppData\Local\Temp\8C80.exe

MD5 30f52a48c856a4fa1e5d2725d45d2c4f
SHA1 c80566058b3e9ac5530725e2337ce4b0119995f2
SHA256 39667c0e93b91bc2dfdfdd2f1e22cdefc997e83c29598895d94a5ec68eab349c
SHA512 5fd006465637c76c9e758da23945aec033a1aa16bd61a6c0216777fb8d4fabf695fe12d540d6de0ee4ee3fefe2f3c76a399546e37482f581cf1adb4d4bb74125

memory/4564-64-0x0000000073700000-0x0000000073EB0000-memory.dmp

memory/4564-65-0x00000000000D0000-0x0000000000986000-memory.dmp

memory/2216-67-0x00000000024D0000-0x000000000260C000-memory.dmp

memory/2324-68-0x0000000002D50000-0x0000000002E8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9C50.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\9C50.exe

MD5 3893d9674f9791363d8f92edae4427a7
SHA1 93603d9de7c259c8437f320f032ba171be67e200
SHA256 ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce
SHA512 9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6

memory/3272-76-0x0000000000140000-0x00000000009EF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 7c277165dcead3616b33d9432afcb485
SHA1 b725f0009bb07f8c3f434adc10ccc8d78967ea62
SHA256 a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
SHA512 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105

C:\Users\Admin\AppData\Local\Temp\A5A7.exe

MD5 32cf4d8dca9af1588b550d6679811b44
SHA1 d3baa5c015ff1f765a2e61b62045ec43648290a2
SHA256 439c4308b78816bfa22b12959a6d913096add4181ecc1441ebd0bfac1a8496b4
SHA512 8e6e2349db25355d0ce72d3ba4e204b171284105d103467fcc8ba078e51715efccdcfab36fd278075da32b5fea8285adc2853c7280a44b1720d3f8b060b81a58

memory/2324-90-0x0000000010000000-0x000000001020C000-memory.dmp

memory/5064-75-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/564-91-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1444-97-0x0000000002D60000-0x0000000002E60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A5A7.exe

MD5 45eed27a83b89db560811f63e72d6cc9
SHA1 a2ddd2a84a1ab6d0cf2de40ca690cc7425d13673
SHA256 5edea16e2c1ed97baa036973a96bf225b80db335ea755612c7bbf5e048557d8a
SHA512 cd3f079f238c3fedcd8ffe777c24b6a5aaec9e097cea588af5e867c22e9be501e3c6a41dd3be32d03586f061484e7e9e38718d1a25c9d25cd440987c448b9909

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 f30b31cd985bb3b4c2dced17df5ed9fb
SHA1 94a2218267ddd03b538636ace0593e38f52c9b5a
SHA256 b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645
SHA512 648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213

memory/1444-103-0x0000000002D50000-0x0000000002D5B000-memory.dmp

memory/2216-111-0x0000000002610000-0x000000000272B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b4cd344bdf164bc552a7e4b7fd152594
SHA1 8e41f116655fbb8f4f614c21c0b02f06b281beba
SHA256 65e375fbf5477a9c9ea06b4fd5115169b96478deaf55d65f207d89327269a015
SHA512 1624548747342c564bac7e0830bc2710b6de8585fc70d1003ac77e972aaeb907ac6ce45ef53e04f9af38a60811aac6435be9192ded73106c538ddb9dd82916a0

memory/2324-110-0x0000000002E90000-0x0000000002FAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b45b646c5c3131dbbb69c15d98255ab1
SHA1 391cb13c4a7d43b683444f6c3a87305de5004a37
SHA256 e107f6f456b4f9c1138e7e0f1c7d4b88db97f62cb5e624da3e574d59681dd7a1
SHA512 13edee5cc6e7a05339aeb9ac4c91f7c787ba887192523f977a4eaac61aeecaccad01791ebee78ddf51196563397a3d52b064af0c897c241e6caf0466c9b7f479

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 aaf0bb37ae70edf36b650977fe25658f
SHA1 dec39feae72f0c5ae84775303e543ca353de6256
SHA256 bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06
SHA512 d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4

memory/2216-93-0x0000000002610000-0x000000000272B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JPNMJ.tmp\A5A7.tmp

MD5 38005377c4b89dd0f8d6b99610fd2871
SHA1 1f8ea24cf01f4e416fda0f44d9b6bcddf6631125
SHA256 e619a8b063287c5aae0ae35ab7ebb569a720f401a0e8c1fd6483c88d217c069a
SHA512 fc5f8d7006ba7227aaaea8fbe740d80d6225b804a98083f73d0c4efc79b4609b535e00c3dac5e8eefcc515e0e0f0cef0e0a4c619eb9a31bb9fa34c0ff7d314c4

memory/2324-133-0x0000000002E90000-0x0000000002FAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 147b6aa5bd0222e5d58af8984b073c56
SHA1 399923e38ba252bffbe5c13b39bcbf41798e15f5
SHA256 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9
SHA512 c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 e269c53ef153296451ebeb79bc0a4c68
SHA1 7b4ed20b9b9f64c3f9f5c53606fa1608751c81f6
SHA256 e8f80cc137fc094553eb7f5730658f55e2fa72e14177d1fa344f0a0d29698c01
SHA512 5fa8104b4d10de372f22f49261f2d1ead48546bfa82e8c41dbe1ffb0b41c7059b2cb21d9cf1024def4c1578110bee950f9e3e9a3de7a5afd123ac8ba0f8d433f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 0b5ed34f6d958857a8aed0c090358ff4
SHA1 5954283ec26e51f322593e53b6b32e3f70d43ac3
SHA256 4301f0bd33640a1b767e4d605bbbaf78567091e51019f132fb06558127f4acb3
SHA512 2bec28c4eeba2f75b9a5280c457fb1220d13d829905b6f0bac8fcd64bee791557cc38e38610f5e9a3478ad0a76d9d9a3bd36f3496ad1e3785376df7140ef8c9c

C:\Users\Admin\AppData\Local\Temp\is-328AR.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-328AR.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/3512-153-0x0000000002C80000-0x0000000002C96000-memory.dmp

memory/4564-137-0x0000000073700000-0x0000000073EB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 65c145064bb3e087c2ec0ae6034c2df0
SHA1 5ec0f6d5fa4a931f5964c709ed79efae1520fefe
SHA256 2d8e8d5d3302cf18163d55b4e452c95fcec38931dcc8acf3ad2e0c2d8740376e
SHA512 7a87a15a1df889f38994f9a26313ab040ae596a7faeeb07faa556d932235486a295a2039fb3b70c0d5c806e136dfdb2c0ccfd58a17e7a68b1594559c59933f3f

memory/1444-154-0x0000000000400000-0x0000000002D3E000-memory.dmp

memory/564-158-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nslB8EC.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3640-160-0x0000000004990000-0x00000000049FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 609d8b79eca868b78a4f0a4468101222
SHA1 844ccffc0aa763c703ad9db7ced59cfecd4cc93a
SHA256 51a4115eb975b66cd357749159b9bd5f63a76b95159aaef21340cdbd9ac0f8af
SHA512 92c472bc6dfe5bd555f1ebf884022600a890ce6727e088291479604abfbb4eb4c878e80c249937c54de320a1e625a318148630d38f86a9ff58060d569b18c136

memory/3640-136-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1444-157-0x0000000000400000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 aec4c50763ad4e53c7db78cef639b4da
SHA1 0e7200890d1b5ac8936e029fb7ce3620314caab6
SHA256 863a3d81b63e12a9c46d621923e74f2c18115da200c0b5be5b85592afead4ba0
SHA512 71bdd8dec7a998822105344f01a3631d574fe8d60c570fc3d83fbf6802615ea07fead05d01b1ebafe92ec2edc7672a537710ffadf7aeb61fddd7f30ac47b21ef

memory/2216-204-0x0000000002610000-0x000000000272B000-memory.dmp

memory/2324-207-0x0000000002E90000-0x0000000002FAB000-memory.dmp

memory/4592-206-0x0000000000400000-0x000000000076F000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 c0f520b35339b2140cf172bce21bbd27
SHA1 afd7289519e7f69f19d1aff0cf77ee7e2c5c74dc
SHA256 054d5886b4df134b823096d5a3fae93a9a61c74c40495dba45d270aed20690be
SHA512 116a8d02e61d338d7ee1c6ff7496671f9f0a5110b7927748df067bf5e087860deb98a59bf079a55985e0476456dcc891115c54e29ff9ce3febeb3785f37b3dc5

memory/1072-214-0x0000000000620000-0x0000000000621000-memory.dmp

memory/4592-213-0x0000000000400000-0x000000000076F000-memory.dmp

memory/5064-205-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 dbba8a346716510492b3cc32c1839428
SHA1 12150f05214342367103a5433ba5a81fd4f52479
SHA256 559b75aea16e37ccde927aae67a086874568fd083055211530e244192e486c41
SHA512 6670f44e3c0fd90c4c2e3b862880ec82e5e9c2e30313f25c344e6e637da6d9b4b3c6a77febd87044696468f44267fac13af2618d5e9d2840674e884b476a444a

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 e9a2ef3cd0546d5a61a6fc3f4145207c
SHA1 cba925ab059960224e918e777e5d74958e3197e7
SHA256 269ef18e875a55b536e3e422eee6aa8ed02533e3fde34e0964166f9e800fd530
SHA512 44a4f049afd4b1c86d5cb55384e95e300ce7d3f811430a9f650df6366106e85a882d2379cb3b84622963b4bab6dbfd265e38a0eb8e195cfad5b996f0f1507d75

memory/1408-222-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/3640-227-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp

MD5 ca92af8b0cdb0eeacf45dc65e0cf7c50
SHA1 563fa5f37dabe96f7c7e93e16268f6c26a33bb2c
SHA256 8df4db8519c084dc39cebfddf7fd4da5212cc52ec6788a7ddfbbf7dd15cb3e53
SHA512 a01cf76b87716ef17911eedc83f1b91726e3e7d7b8221e81106b85e961df0320e37fd0a72254a95d58d55799a5a4eda7c9c180c9984f80cbea7c7539870a0bd8

C:\Users\Admin\AppData\Local\Temp\nssCAA0.tmp

MD5 593c6bba2414d94e5e05d505074793dc
SHA1 1315c0ffbecf2e1eea0f5ac63adce7cc403ea9e8
SHA256 44a0af487346e24e3a06361a917a81ec151ddb8b7a1c558294cfc283a35ce4ec
SHA512 6e9d0191723db1caf54f50d1ba249079f74c0b8cdb745fefb283a248279375248c6ddc27f70b1887678c5e5e22fc9a58cec1a613e758b3a96d2c72a5b7da5257

memory/2324-231-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3640-232-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1072-236-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/1476-237-0x0000000000400000-0x000000000076F000-memory.dmp

memory/1476-238-0x0000000000400000-0x000000000076F000-memory.dmp

memory/3340-239-0x0000000002F60000-0x0000000003060000-memory.dmp

memory/3340-240-0x0000000002EE0000-0x0000000002F14000-memory.dmp

memory/3340-241-0x0000000000400000-0x0000000002D41000-memory.dmp

memory/1408-244-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/2988-245-0x0000000002930000-0x0000000002D2A000-memory.dmp

memory/2324-246-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2988-247-0x0000000002E30000-0x000000000371B000-memory.dmp

memory/2988-248-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3340-252-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2324-259-0x0000000000400000-0x0000000000848000-memory.dmp

memory/5016-251-0x0000000000400000-0x0000000002D3F000-memory.dmp

memory/5016-264-0x0000000002D50000-0x0000000002E50000-memory.dmp

memory/3640-300-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/4396-306-0x0000000004FE0000-0x0000000005016000-memory.dmp

memory/4396-310-0x00000000057A0000-0x0000000005DC8000-memory.dmp

memory/5064-314-0x0000000002FA0000-0x00000000030A0000-memory.dmp

memory/4396-315-0x0000000072490000-0x0000000072C40000-memory.dmp

memory/4396-325-0x0000000005160000-0x0000000005170000-memory.dmp

memory/4396-324-0x00000000054F0000-0x0000000005512000-memory.dmp

memory/4396-326-0x0000000005160000-0x0000000005170000-memory.dmp

memory/4396-330-0x0000000005ED0000-0x0000000005F36000-memory.dmp

memory/4396-331-0x0000000005F40000-0x0000000005FA6000-memory.dmp

C:\ProgramData\nss3.dll

MD5 e64bb33b92c477e6f047860c9024c4d6
SHA1 879cbcbfa7a54a31b95c2f47900e107895c92fff
SHA256 1d0e4eef29af8eff6b6fcb32bce82e91ac7824e0d9883f782b85a9ddbd06cb03
SHA512 ee26357a9f027cd976db05352b32e4100e2825ca1f30b6f3de56938d50b95d34dfdec506d9c2d5d917306f5aa8e87a7e1dbf9be463877fcb992be967cb7465f3

memory/5016-334-0x0000000000400000-0x0000000002D3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ukjjqxqn.s4o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\mozglue.dll

MD5 7e5f0688592247c3dbfca9ebf28003dc
SHA1 b1531998d91f805ed2cf1456a3d039b1a7890c90
SHA256 9a0fd3de2d7345e8282cfd9d1899d5ed106c67c8db74b025703ba51a425368b2
SHA512 ac25d901c6fa8c9a69e9f23391d0379cb00de40a1afbb9eb7b90915626e76d30f7b8cb464656a2f87c8206179d828c4c15cc1aba0a1256de41ff0cd9f8ad1e20

memory/4396-351-0x00000000060B0000-0x0000000006404000-memory.dmp

memory/4396-357-0x00000000065B0000-0x00000000065CE000-memory.dmp

memory/4396-360-0x0000000006650000-0x000000000669C000-memory.dmp

memory/4396-361-0x0000000007590000-0x00000000075D4000-memory.dmp

memory/4396-367-0x00000000076F0000-0x0000000007766000-memory.dmp

memory/4396-368-0x0000000005160000-0x0000000005170000-memory.dmp

memory/4436-369-0x0000025F31010000-0x0000025F31032000-memory.dmp

memory/4396-379-0x0000000007FF0000-0x000000000866A000-memory.dmp

memory/4436-383-0x0000025F2F760000-0x0000025F2F770000-memory.dmp

memory/1408-382-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/4436-381-0x0000025F2F760000-0x0000025F2F770000-memory.dmp

memory/4436-380-0x00007FF9AA940000-0x00007FF9AB401000-memory.dmp

memory/4396-384-0x0000000007990000-0x00000000079AA000-memory.dmp

memory/3340-389-0x0000000000400000-0x0000000002D41000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 7d9d1cb2acda8dc392a99b65c2f13b9f
SHA1 40fc00745bcb72ed59a03d9a35986679d0efa725
SHA256 48a0651c00f9496202e74270650f9223ddf3fb3ba5361e0a6ea3c8e2bdb80fb9
SHA512 2c598f89c1ef45f822bdaa0b60696777dba0835642aa523c016f662effb1b7e826560a141a385428e20cf0962e752597726bef4b63c6714c39890c340242a7a6

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 9277bd106b59d279a272754b5619cb08
SHA1 aa9b68134238c5c366640ac0163b92362b7fb013
SHA256 fcb48ea5cceb4c20c6306a693fe6a484efa1169fdf1563c80eebb173999b9683
SHA512 51dc7a21ed6b53f10a8cad3e5e01179f67f1fb48574e1b1efbbbbb77d95958c3230dc6aaecbf6fb7445cdfc406663a7ae0d32bf10fd12b57c4984ba631814aec

C:\Users\Admin\AppData\Roaming\ewtwdhr

MD5 db8bcfae8816372e856908248e576111
SHA1 628a9a6effbd2e2f5c6e9d5c0ee048af0bb2f0f9
SHA256 01dc9fc1b0e3e7b20126ed87a274d2f88956ce6aa948b9683d7583c47e33ddea
SHA512 3f04b3c01aa7977a73819b23aaa721eee65ad907e483a27d430bde6b39658372afefba5a3819cf573a4736442d8095bd25dcf94fc0f28dd2dadf112c7f7d8256

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 1f09cb913da9bd700abde94caa632040
SHA1 914346b48a5cf0d7a4a8484bb6000a5bd7f4844a
SHA256 cde58711476e3404dad53633521a53ec304551e51f6eda4e92df603b2c1cd396
SHA512 2786bf5de27594790e6d78e150c446e07df78528a78a2ea07f23b8134fc5be7b566e66c7b438ff3f93394a9f74ff7ef6a94ffb75f0ae81472e3def327c673270

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 274e1a8abd5e3f99a1d6572483849020
SHA1 c8baff854609843283ec47ed6e15bbf98c825ee8
SHA256 99f18bb5747bf27d4dc179e9f7f0cc74a96fd067a39f77a77449bc7bdbeccbcb
SHA512 d1f60d60ef1b307dc574dc31f6936e117a1be5f41d2282f6124a233ddbf9e0798eb0ff65332671da2e3ad3297e08de017879ce7a61b9e953446b03f4eb3f4398

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1d43bd0e07e9743f73b591329dc4435c
SHA1 6696a0907dbb0a7bdcaa6aa6c7dd689d0c58c332
SHA256 1ee32e1984a77ca5e253538818454bb015e02397e7b13e8bd1a4caecae97707c
SHA512 c8f23681ad77a2a8a77fdc7976b26816f546a9f105ca2df6e552f519eca0d3632a83f6f089ef5487fb8523afebdf30b30ef20f1f31cf50a6240749d5dcf6fa12

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 1e5f433b90223a3dfb3f31a1a3869ac2
SHA1 154e568669d98964099761667d132030bd2cce2f
SHA256 201a7f398b11ec0f6cd77bb7c9273cba63f84093fa63efd559c681083a5c2e3e
SHA512 e328d8373ac107d38ec2afedfaf060ee6f28111709392d83651bf936b41cf8e1dddbe7024c2b17b51046b67515f4683d285cee4e949ffc33aaaf8037e5361d2f

C:\Windows\rss\csrss.exe

MD5 925360f87972ccaf36b2270c659bc9aa
SHA1 cbc64664af12a625786ea78acae190a3b6285e1a
SHA256 c46d525f6d381064f191d2c48ee37acec2707d473f9e0c1c6a1da06ad93c72be
SHA512 936cd065332d70be04bf77cb9c096d50312c716e5425ecf2f3fa25cb6cafaca90e70dac50b1536e761076d44ef8c8f8c0bce0187d4eb49d9ed3c1d81a6d2c3e4

C:\Windows\rss\csrss.exe

MD5 523955fa72f2566f041693ff5caf11bc
SHA1 9ba4ea75966f415d9d4621409826e8519d07d4f9
SHA256 40065caefac50f113e751b6bc9efc470022ff53ce6549cd8f29569a7a2476e81
SHA512 c0e1c6c616a615982215b2a3f0184c563ff7e266ba646c175ab59934e4590a7c539e94b54aabbdf3ed12428cc6865874101121719728b741d0c5bf4a7047e904

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 1a76a7be95b4eb7ca7c2d6b9014a345b
SHA1 9d26ad301535cbdde352a6b8da9ce4a5d301b406
SHA256 04c9f0dc1aa0b859c5e3803c09a53cdce89359d2d6664a15607e5966b9c57307
SHA512 c644cb25d4719400dda87da8f652c1a480f701f1b582d336cd3f40f735bac7ca911b401dfbe2d6c6c931a2258ebb566f8d248c49a23f589b4a2aeb3a9c7487b0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c58dddf45ff6b5c371c95122512831a6
SHA1 12cf6b36b3f4bef18afdbf3120fb961e47a143b3
SHA256 ae1f913c7250db67af0f9011376c4ad4a6b3800d8451d1a9c03d5c85bc81b8f1
SHA512 dbe71fe403b00e127c29683be5c04eb43cfcba2a550d4f70638915bab3e187b882757cab132e3c41e1fcb3b952d3fe33e18db781a85666c9419fc47ac3bd4f17

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 6292fa2c1831b7fa33551c428476af9c
SHA1 47a42400bb217eb14757aae173bb1355333dcb66
SHA256 8dbed379689ddd9e0b23017e7520d545743c4e659924f8327800f1a6e1cdb58e
SHA512 d4c6cd830692fd202a93a320160c7167c128347913b24a9f2bee611a0c907cc411c0cd16c1b495a8839c6dd3e5cc7dfc861dba3a0183869cb90785daa041a9e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 674e74a715774d7ec62f010142524821
SHA1 b3af5f2416a3677355b4c557acce0c8e15bf2c8f
SHA256 d0ad711724dc4b0a1d8c0b5317ca13485895718aad248c2d8dc2e320362ff8ef
SHA512 1c853804ed839458a937005cec44d2c07b9ec1a446b010439b667cfabb7a89d03c147b1192f6c367795a26ed00b63e15b4969570c8e4806ef39f5b7ed9b1c0d9

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5