Malware Analysis Report

2024-11-13 14:08

Sample ID: 240227-b339hadg7y
Target: 5cddaacf9782c030db128e3ebfd8f301.exe
SHA256: 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Tags: glupteba smokeloader pub1 backdoor bootkit dropper evasion loader persistence trojan upx dcrat lumma discovery infostealer rat spyware stealer
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file 5cddaacf9782c030db128e3ebfd8f301.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

SmokeLoader

Lumma Stealer

Glupteba payload

DcRat

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Modifies Windows Firewall

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

UPX packed file

Checks computer location settings

Deletes itself

Reads data files stored by FTP clients

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 01:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 01:41

Reported

2024-02-27 01:43

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Modifies boot configuration data using bcdedit

Description Indicator Process Target
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A
N/A N/A C:\Windows\system32\bcdedit.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\B6A4.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\C610.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2460 set thread context of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\25EE.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\25EE.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\25EE.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\25EE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1220 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe
PID 1220 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe
PID 1220 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe
PID 1220 wrote to memory of 2768 N/A N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe
PID 1220 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1220 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1220 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1220 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1220 wrote to memory of 2720 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2720 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2768 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe C:\Windows\SysWOW64\WerFault.exe
PID 2768 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\AD01.exe C:\Windows\SysWOW64\WerFault.exe
PID 1220 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 1220 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 1220 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 1220 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 2460 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\B6A4.exe C:\Users\Admin\AppData\Local\Temp\B6A4.exe
PID 1220 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\C610.exe
PID 1220 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\C610.exe
PID 1220 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\C610.exe
PID 1220 wrote to memory of 2684 N/A N/A C:\Users\Admin\AppData\Local\Temp\C610.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1220 wrote to memory of 1456 N/A N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1456 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\D59B.exe C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp
PID 1220 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1173.exe
PID 1220 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1173.exe
PID 1220 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1173.exe
PID 1220 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\1173.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\Temp\25EE.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\Temp\25EE.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\Temp\25EE.exe
PID 1220 wrote to memory of 3020 N/A N/A C:\Users\Admin\AppData\Local\Temp\25EE.exe
PID 1996 wrote to memory of 744 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1996 wrote to memory of 744 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1996 wrote to memory of 744 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1996 wrote to memory of 744 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1996 wrote to memory of 1004 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\AD01.exe

C:\Users\Admin\AppData\Local\Temp\AD01.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B1D3.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2768 -s 124

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B1D3.dll

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

C:\Users\Admin\AppData\Local\Temp\C610.exe

C:\Users\Admin\AppData\Local\Temp\C610.exe

C:\Users\Admin\AppData\Local\Temp\D59B.exe

C:\Users\Admin\AppData\Local\Temp\D59B.exe

C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp" /SL5="$3017E,2424585,54272,C:\Users\Admin\AppData\Local\Temp\D59B.exe"

C:\Users\Admin\AppData\Local\Temp\1173.exe

C:\Users\Admin\AppData\Local\Temp\1173.exe

C:\Users\Admin\AppData\Local\Temp\25EE.exe

C:\Users\Admin\AppData\Local\Temp\25EE.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\nsj56D9.tmp

C:\Users\Admin\AppData\Local\Temp\nsj56D9.tmp

C:\Users\Admin\AppData\Local\Temp\5CD7.exe

C:\Users\Admin\AppData\Local\Temp\5CD7.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 124

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014227.log C:\Windows\Logs\CBS\CbsPersist_20240227014227.cab

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

Network

TR 94.199.206.46:80 sezof.com tcp
US 8.8.8.8:53 www.smchp.com udp
MY 110.4.45.164:443 smamr.com tcp
US 8.8.8.8:53 suzuw.com udp
US 8.8.8.8:53 sltfb.com udp
US 8.8.8.8:53 www.vdt82.com udp
US 74.208.236.49:443 skeyr.com tcp
US 8.8.8.8:53 tvpvz.com udp
US 8.8.8.8:53 wumyc.com udp
US 8.8.8.8:53 xbh66.com udp
US 8.8.8.8:53 wriox.com udp
US 8.8.8.8:53 xbh22.com udp
US 8.8.8.8:53 uccpp.com udp
US 8.8.8.8:53 uuzfy.com udp
US 8.8.8.8:53 vudzw.com udp
US 8.8.8.8:53 xugth.com udp
US 8.8.8.8:53 zeaas.com udp
NL 185.31.200.183:80 oozrd.com tcp
US 8.8.8.8:53 xbooc.com udp
US 8.8.8.8:53 buanco.dk udp
US 8.8.8.8:53 www.quxvr.com udp
US 8.8.8.8:53 xbyaf.com udp
CA 23.227.38.32:443 uuzfy.com tcp
US 192.185.25.23:443 www.smchp.com tcp
US 8.8.8.8:53 zokgo.com udp
US 8.8.8.8:53 surferbeachnbay.com udp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 8.8.8.8:53 www.web4demand.com udp
US 8.8.8.8:53 collbe.com udp
US 8.8.8.8:53 crafyx.com udp
US 20.150.79.68:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 172.67.133.31:443 uehbe.com tcp
US 3.33.130.190:443 xbh22.com tcp
RU 91.215.85.65:443 zeaas.com tcp
US 38.60.251.43:443 xbooc.com tcp
US 3.33.130.190:443 xbh22.com tcp
HK 165.154.23.109:443 xugth.com tcp
US 8.8.8.8:53 cvemas.com udp
US 172.66.0.63:443 sltfb.com tcp
HK 27.50.63.33:443 www.vdt82.com tcp
US 8.8.8.8:53 dama20.com udp
CA 23.227.38.32:443 uuzfy.com tcp
CA 23.227.38.32:443 uuzfy.com tcp
CA 23.227.38.74:443 www.quxvr.com tcp
US 8.8.8.8:53 djvone.com udp
US 162.0.215.118:443 crafyx.com tcp
US 8.8.8.8:53 dounda.com udp
NL 95.168.169.160:443 zokgo.com tcp
GB 45.77.57.25:443 collbe.com tcp
HK 165.154.23.109:443 xugth.com tcp
US 162.241.225.189:443 tvpvz.com tcp
DK 93.191.152.141:443 buanco.dk tcp
BD 103.191.240.250:443 wriox.com tcp
DE 162.55.128.206:443 dama20.com tcp
US 8.8.8.8:53 djnoco.com udp
US 8.8.8.8:53 dko297.com udp
US 8.8.8.8:53 glamorousgains.com udp
US 8.8.8.8:53 dviber.com udp
US 8.8.8.8:53 ekeraa.com udp
HK 203.86.232.59:443 xbyaf.com tcp
CA 23.227.38.65:443 glamorousgains.com tcp
US 208.97.186.223:443 www.web4demand.com tcp
US 8.8.8.8:53 aisoloseguros.com udp
US 195.35.15.58:443 djvone.com tcp
SG 109.106.253.145:443 cvemas.com tcp
US 8.8.8.8:53 glorifyd.store udp
US 8.8.8.8:53 eamirh.com udp
KR 112.175.184.33:80 dounda.com tcp
BR 154.49.247.67:443 dviber.com tcp
DE 5.9.71.156:443 uccpp.com tcp
CA 23.227.38.65:443 glorifyd.store tcp
US 8.8.8.8:53 styshift.com udp
HK 27.50.63.54:443 dko297.com tcp
US 69.163.177.175:443 ekeraa.com tcp
US 8.8.8.8:53 eliodc.com udp
US 172.67.141.55:443 djnoco.com tcp
IN 89.117.157.216:443 eamirh.com tcp
CA 23.227.38.65:443 styshift.com tcp
HK 165.154.23.109:443 xugth.com tcp
US 198.187.29.17:443 aisoloseguros.com tcp
US 89.117.139.151:443 eliodc.com tcp
KR 141.164.36.75:443 edmyou.com tcp
CA 23.227.38.65:443 styshift.com tcp
US 8.8.8.8:53 akunprolegend.com udp
US 8.8.8.8:53 alu-techgroup.com udp
BA 185.12.79.25:80 kamsmad.com tcp
US 8.8.8.8:53 aladdinevents.com udp
US 8.8.8.8:53 amore-woodart.com udp
US 8.8.8.8:53 asociebolivia.com udp
US 8.8.8.8:53 bankofaitools.com udp
US 8.8.8.8:53 ariaprimavera.com udp
US 8.8.8.8:53 amarsinghrana.com udp
US 8.8.8.8:53 amwatemplates.com udp
US 8.8.8.8:53 asanaholidays.com udp
US 8.8.8.8:53 asrafinancial.com udp
US 8.8.8.8:53 babypetcenter.com udp
US 8.8.8.8:53 bangrondongdo.com udp
US 8.8.8.8:53 aycadelibalta.com udp
US 8.8.8.8:53 banglatouch24.com udp
US 8.8.8.8:53 barrysjournal.com udp
US 8.8.8.8:53 banzaibet-now.com udp
US 162.241.252.245:443 bankofaitools.com tcp
NL 185.146.22.232:443 alu-techgroup.com tcp
TR 104.247.165.146:443 aycadelibalta.com tcp
US 162.241.244.109:443 banzaibet-now.com tcp
US 162.241.218.142:443 barrysjournal.com tcp
US 162.241.24.170:443 ariaprimavera.com tcp
US 216.246.47.69:443 asociebolivia.com tcp
SG 95.111.193.142:443 amore-woodart.com tcp
US 162.213.255.27:443 amwatemplates.com tcp
SG 45.143.81.53:443 akunprolegend.com tcp
VN 103.118.28.98:443 bangrondongdo.com tcp
IN 216.10.246.70:443 aladdinevents.com tcp
US 198.20.92.69:443 asrafinancial.com tcp
US 50.6.138.115:443 babypetcenter.com tcp
US 162.214.80.152:443 amarsinghrana.com tcp
US 8.8.8.8:53 acg.xacgame.top udp
US 8.8.8.8:53 bilangkualiti.com udp
US 8.8.8.8:53 www.bihaniexpress.com udp
US 8.8.8.8:53 bhsegurosaude.com udp
US 8.8.8.8:53 biankapeixoto.com udp
US 8.8.8.8:53 biopotencycbd.com udp
US 192.185.211.182:443 biankapeixoto.com tcp
MY 103.72.163.106:443 bilangkualiti.com tcp
US 154.208.8.223:443 acg.xacgame.top tcp
HK 165.154.23.109:443 xugth.com tcp
US 8.8.8.8:53 freejobmantra.com udp
US 8.8.8.8:53 fundacionsaur.com udp
US 8.8.8.8:53 frumoofficial.com udp
US 8.8.8.8:53 gadgetinfohub.com udp
US 8.8.8.8:53 gemaquevisual.com udp
US 8.8.8.8:53 belenajewelry.com udp
SG 103.227.176.9:443 www.bihaniexpress.com tcp
US 8.8.8.8:53 www.fuckedupmemes.com udp
US 8.8.8.8:53 bestdealfunds.com udp
US 8.8.8.8:53 galabetgiriss.com udp
US 8.8.8.8:53 galarettravel.com udp
US 8.8.8.8:53 generated4you.com udp
US 8.8.8.8:53 gizabetgiriss.com udp
US 8.8.8.8:53 georgeaddojnr.com udp
US 8.8.8.8:53 www.glamouruszone.com udp
US 8.8.8.8:53 ghalafashions.com udp
US 8.8.8.8:53 www.glamourregion.com udp
US 8.8.8.8:53 geoshield-eda.com udp
US 8.8.8.8:53 glowsensation.com udp
US 162.144.14.245:443 biopotencycbd.com tcp
US 108.167.132.243:443 bhsegurosaude.com tcp
US 8.8.8.8:53 globeperfumes.com udp
US 8.8.8.8:53 goknurmachine.com udp
KR 112.175.184.33:443 dounda.com tcp
US 8.8.8.8:53 golegolgiriss.com udp
GB 185.151.30.138:443 www.fuckedupmemes.com tcp
IN 89.117.27.162:443 freejobmantra.com tcp
LT 84.32.84.32:443 fundacionsaur.com tcp
US 8.8.8.8:53 gorabetgiriss.com udp
US 8.8.8.8:53 goodhopeellys.com udp
HK 165.154.23.109:443 xugth.com tcp
GB 109.70.148.64:443 georgeaddojnr.com tcp
US 172.67.131.236:443 www.glamourregion.com tcp
SG 156.67.222.8:443 frumoofficial.com tcp
US 104.21.23.48:443 www.glamouruszone.com tcp
US 34.120.137.41:443 gemaquevisual.com tcp
AE 40.123.214.195:443 ghalafashions.com tcp
US 172.67.143.89:443 gorabetgiriss.com tcp
GB 153.92.6.127:443 generated4you.com tcp
US 192.185.131.29:443 galarettravel.com tcp
US 165.140.70.70:443 bestdealfunds.com tcp
IN 172.105.41.73:443 geoshield-eda.com tcp
US 104.21.5.253:443 golegolgiriss.com tcp
IN 103.104.74.214:80 belenajewelry.com tcp
US 104.21.75.141:443 galabetgiriss.com tcp
US 154.56.47.249:443 globeperfumes.com tcp
US 194.163.47.106:443 goodhopeellys.com tcp
TR 104.247.167.3:443 goknurmachine.com tcp
BR 154.56.48.181:443 glowsensation.com tcp
US 104.21.65.174:443 gizabetgiriss.com tcp
US 8.8.8.8:53 greenplumlabs.com udp
US 8.8.8.8:53 gracesblankets.com udp
US 8.8.8.8:53 gruasancarlos.com udp
US 8.8.8.8:53 gruposehintra.com udp
US 8.8.8.8:53 guiadeamarres.com udp
US 8.8.8.8:53 www.gutpunchkefir.com udp
US 8.8.8.8:53 grimbascranes.com udp
US 63.250.43.16:443 greenplumlabs.com tcp
US 8.8.8.8:53 grupobazaldua.com udp
US 8.8.8.8:53 schwarzwald-tours.com udp
US 8.8.8.8:53 www.hacks4healthy.com udp
US 8.8.8.8:53 gulbahceklima.com udp
US 8.8.8.8:53 hahaindonesia.com udp
US 8.8.8.8:53 hadipressindo.com udp
US 8.8.8.8:53 hallelujahhub.com udp
US 8.8.8.8:53 hapursamachar.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 helpingtopics.com udp
US 8.8.8.8:53 healthinpedia.com udp
US 8.8.8.8:53 heylunabeauty.com udp
US 185.212.70.216:443 guiadeamarres.com tcp
US 141.193.213.10:443 gracesblankets.com tcp
US 8.8.8.8:53 happyhouseful.com udp
US 8.8.8.8:53 hashtendenims.com udp
US 8.8.8.8:53 hightechtrace.com udp
US 8.8.8.8:53 hkfakwatch852.com udp
US 8.8.8.8:53 homerevampers.com udp
US 8.8.8.8:53 helpimanewmom.com udp
US 8.8.8.8:53 herjoelectric.com udp
US 8.8.8.8:53 funding4you.com udp
US 8.8.8.8:53 hitech-cafe24.com udp
US 8.8.8.8:53 homesincibolo.com udp
FR 51.38.200.120:443 gruposehintra.com tcp
US 8.8.8.8:53 homecenterllc.com udp
CA 104.152.168.38:443 www.gutpunchkefir.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 8.8.8.8:53 homeneedszone.com udp
CA 54.39.73.210:80 www.hacks4healthy.com tcp
US 172.67.223.187:443 hallelujahhub.com tcp
SG 151.106.118.36:443 hadipressindo.com tcp
US 198.59.144.7:443 gruasancarlos.com tcp
DE 85.13.137.217:443 schwarzwald-tours.com tcp
US 104.21.40.132:443 gulbahceklima.com tcp
US 8.8.8.8:53 homestore4all.com udp
US 173.236.63.42:443 grupobazaldua.com tcp
SG 151.106.119.252:443 hahaindonesia.com tcp
US 8.8.8.8:53 www.hotelacaletta.com udp
GB 77.72.0.150:443 healthinpedia.com tcp
GB 163.70.147.35:443 www.facebook.com tcp
US 104.21.19.99:443 helpingtopics.com tcp
GB 154.49.138.150:443 happyhouseful.com tcp
US 45.56.112.31:443 hapursamachar.com tcp
ID 202.52.146.246:443 heylunabeauty.com tcp

Files

memory/3064-1-0x0000000002720000-0x0000000002820000-memory.dmp

memory/3064-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3064-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1220-4-0x00000000021D0000-0x00000000021E6000-memory.dmp

memory/3064-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD01.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/2768-16-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2768-18-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2768-19-0x00000000009D0000-0x000000000127F000-memory.dmp

memory/2768-21-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2768-22-0x0000000077980000-0x0000000077981000-memory.dmp

memory/2768-26-0x0000000000140000-0x0000000000141000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B1D3.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

\Users\Admin\AppData\Local\Temp\AD01.exe

MD5 d77d7a9139467aa4cb293767968fdd57
SHA1 6d9e58de967fd88414c7fa914eb72a4c2d194e35
SHA256 51d9b9dce93fe7ae1e891ceb49c772f51dc801670a8a21146ac9c95c64e5c133
SHA512 69eb6539fec3219092a722fd786d775de95b0488b2ac8ee9c9194da310e79c36523ad6299c3ada9645875156b37638f0d97afdbf1a14008c33e636bc42f57bdf

\Users\Admin\AppData\Local\Temp\AD01.exe

MD5 3e9f062fb1480619bc1734ce27c25734
SHA1 a8b20df50e546d5d90a0ff5c7b132b8509711854
SHA256 6f04b39ff261bb6874642b66cbb08109221ed6faff1a0c4fbc2d0c73838b1837
SHA512 b08d2829db922e048c4e7f81d8f5a3fa38a7f3ba97ecdb117c59933cc9c0389770fa2909d40d52df4cae2f22f4ceadce0a3c6ac1a872821417fa7b72db6316a7

\Users\Admin\AppData\Local\Temp\B1D3.dll

MD5 1430e3eb17c1d6c9772be3b1d9d9f3e1
SHA1 6a527b447928f5c44c7ab93ce7314318b2f26afd
SHA256 24b521991d5342c1226dde37422d7cd72956c495cc7463688b5b70d0dea794fd
SHA512 e3ab31292c0a7d88ad6ee4556d6f32f4edb8595707b746d412271624890a97d87459ca6a2078ff9038c54c0034d40f4ad5d1a7dfca6b4a69a634865031c43057

memory/2560-32-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2560-31-0x0000000000130000-0x0000000000136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

MD5 6e92468a589a118a0e52a69838812d5a
SHA1 f7600765aaf24de6261aceabb2823992d5b7d11a
SHA256 89de3a6e7282355c370058f7b4fe364ec79205602c38013dc5f23196cf7a1f2a
SHA512 f212a536db73fb5a9798cbd472913ca8dfcad06c724b19930098ec3868ca41f2bb825d9824f6f0aaace763f57c589768206f6565461f79d97ae93591f96fd570

memory/2460-40-0x0000000003420000-0x00000000035D8000-memory.dmp

memory/2460-42-0x0000000003600000-0x00000000037B7000-memory.dmp

memory/2460-41-0x0000000003420000-0x00000000035D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\B6A4.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

C:\Users\Admin\AppData\Local\Temp\B6A4.exe

MD5 ca38afaeb59a26cd65587d8ee7f779f0
SHA1 30ec20dada9080ad340a887a2e34abc2fdfc9b7e
SHA256 313f773b890051446a007f1503227a819a9836e1ffca7440d4b06082b4d8f933
SHA512 cfda88ef92d8fee98a047ad3e5ed8f4b9dfdfd38fb1966770b95901573549b9c28bb811d5cc011abbe27b0effdd83d00b3b75b78681b4ceaa10a40a8e96118b9

memory/2928-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\AD01.exe

MD5 45374280a0528a62a2ab3aaa285f7470
SHA1 a5a65adc097c5c748c4ad32370cf3f2792512e16
SHA256 2446766275d7e97cc5acc6409862dbb396dd0446c06ce607c3d7b1e5f94b08f5
SHA512 e65624008d990f604a5df14a91304077a65d8af420b44d077676ec08b8cfdcc7a4ba8b602f4d988b6c43d50b3b061a806d31a0eeb3621f8d6fd16555dfe5160e

memory/2928-48-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2928-51-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2928-52-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2928-53-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2928-54-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C610.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/2928-61-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\B1D3.dll

MD5 e66e1d2e61dcd2f59ff4179109d67554
SHA1 6a0ca09304ed0bd9e2ba51eec7624af92f741b7f
SHA256 9eb1764f3f5cf94075ec5ce6a0c2e55504aae60017dce486f4d864c49d5eb397
SHA512 00af05f79231f6b3ed3cb63a4a87f994320f4e3933bbbbd376b1e05572c07a6995011cf578b9cd30dd6f369739be12ba9185f8b999262bfb001dae91c0adf6cf

memory/2684-65-0x0000000002F50000-0x0000000003050000-memory.dmp

memory/2684-67-0x0000000000220000-0x000000000028B000-memory.dmp

memory/2928-68-0x0000000000230000-0x0000000000236000-memory.dmp

memory/2684-69-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2684-70-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1456-75-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D59B.exe

MD5 8bb780f0edba20eb58f462cb5640bd06
SHA1 a9c49a9faf988d6d88ce745ac7ca6e0ca74667e6
SHA256 c9186ae3b809e489ef6bf6eeed3cefed7e8e85f3d446e635825788d0a6fbdeb9
SHA512 6b8f0bf103e49ae18038fe72a88f3aed7fcf738106b3c7f8fe3846570c7af871273208c1e16076b8607a277185d937227b28a99119ab41097ac7005288d81d05

C:\Users\Admin\AppData\Local\Temp\D59B.exe

MD5 7b96170ca36e7650b9d3a075126b8622
SHA1 311068f2f6282577513123b9181283ffb01d55ce
SHA256 e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
SHA512 e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd

\Users\Admin\AppData\Local\Temp\is-DC7LJ.tmp\D59B.tmp

MD5 951ac648539bfaa0f113db5e0406de5b
SHA1 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256 bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

\Users\Admin\AppData\Local\Temp\is-Q4L0U.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-Q4L0U.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2768-93-0x00000000009D0000-0x000000000127F000-memory.dmp

memory/1372-103-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2560-104-0x00000000022B0000-0x00000000023D9000-memory.dmp

memory/2560-105-0x00000000023E0000-0x00000000024EE000-memory.dmp

memory/2560-106-0x00000000023E0000-0x00000000024EE000-memory.dmp

memory/2560-108-0x00000000023E0000-0x00000000024EE000-memory.dmp

memory/2928-109-0x0000000002A40000-0x0000000002B69000-memory.dmp

memory/2560-110-0x00000000023E0000-0x00000000024EE000-memory.dmp

memory/2928-112-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2684-113-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2928-115-0x0000000002B70000-0x0000000002C7E000-memory.dmp

memory/2928-117-0x0000000002B70000-0x0000000002C7E000-memory.dmp

memory/2928-118-0x0000000002B70000-0x0000000002C7E000-memory.dmp

memory/2928-123-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1456-124-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1372-125-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1173.exe

MD5 e1bb7bde6ec13f4fde302d3a3a1063f9
SHA1 14bb11297dfbbd2aed172c9df2575142bb13747a
SHA256 870e98726481317063d3e7300ddf022744875f333f5a1bf3451442b334898a03
SHA512 0404c009c7ef07f6cc8013c17389d5ccee08c50926ad5de1514094da27cec74636e224553ff3897eb471625aef7544121321646b8d927cdf523e9a80b2600db5

C:\Users\Admin\AppData\Local\Temp\1173.exe

MD5 725670eec049f5b9cce440c9e9050826
SHA1 cdc8b24e9793e23c3f5c1b5d00b99393f92a653e
SHA256 e89e718ff8761a12c79782d72b331711cce4f02648ce4c24649f30a90e384984
SHA512 70d3810b3a5ec5b91f9685b383abf862434bfe90e72ff9d73d583eb476cc5708ec8837dce1d162fd17520178e47f2971b7ea16a8138a88d8551dd4170b8a3838

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 adb29a2b3d4aae105be1eca35da10afc
SHA1 8496caa674d5bd59c37340e949871e6a33a6a6a9
SHA256 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7
SHA512 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9

memory/1996-140-0x0000000000F90000-0x0000000001846000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 dc47c4834254695d718a07a24e687cfe
SHA1 b1490e4609cd2e71bbf23830264dd0b0f336534c
SHA256 7d0378235cf1fe736d4dca425fc62b10852987e0224fc00e92448b3b5657f165
SHA512 de1c329f259f1c56fe00f29c4a335ac939b3bed5465f0ccd7a23998c35ee0268ee4d195c626c9f9448ed722e0a462d6304b38f341c637a5379f545059ea58fce

memory/1996-148-0x0000000073680000-0x0000000073D6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\25EE.exe

MD5 0ca68f13f3db569984dbcc9c0be6144a
SHA1 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 55f69e2a01fee0155539f9ad5dadd92a
SHA1 a0be37eaa670f61da45825f98a4559de58d963b3
SHA256 bfb78f4db4c0cb79d02ab32e5d511f36d13626648106577f1a5f2b6ab885f385
SHA512 24b67d666d0337b00721ba2366dabf47b3ff65676637cf9bada37bf85d60b639293de93b9c2cb66bcd7b49f86c23e3197c7746dd0a8c403841c64a1d58fa1a70

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8ad403ae8cf15c720dc1689b03c0b14e
SHA1 613000bf380626170aecd8c41a4f5f24e38c81d0
SHA256 fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f
SHA512 20ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c53fcb793d89fccc8e81ce4d40eaf49d
SHA1 32c7441c1f58019d675c0a24f583f3d1211deae6
SHA256 aa590bc4a44a1deebf9e4c31ae12880119af498dfee30007a94f9507d45783f1
SHA512 4ca499648dabd9aa6d024f1c83faff9ebc45ff6a533ea541a7b3f8346ebf0b6899e33df675e333264b222f328a335eefe5806095577da600cfad3873ff03630f

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 33173a5f01c70ff647485f5427453242
SHA1 5a8b4455ed301b4c0d9870625d7b642ad843902e
SHA256 415ae01e28996f7ac8c5178d401e04aaf324527ebd8ac050a7c0ad4632df8b18
SHA512 0a236b0ec3162ab9fa51fda9672b69cc9d6762d06bd04d2fc6ab261b2341ed854c5896ae4bd2108ad019211330e5437c0a2afd6b10093346d667cef47932cafc

memory/744-164-0x0000000002510000-0x0000000002908000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 749e0367485fa59b15a55a62b90aa0fb
SHA1 7dfd9ba5ea70311edbf794a4a283f0bc2bae4ef1
SHA256 1fe44c49af76ecd99ed516645712875ee288963b8d5b2c1c833f821f4026b5e1
SHA512 e540e11864d78a24f37445bda308cbf9203a5e8abe75042f78663e24f324a91ae62ec86065812f6e37f16747e025ca326d9eeff6a9f46d1a1515cdd7be1f6382

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 4d1464be230408de9468c52c26234c4d
SHA1 1b86cefe12d7b1f9dc3db621766f6cd037c6fdf2
SHA256 f61088dd57162b75e5e4dc4c8273d3f6209bdad1272fce5b9b5ee3e74f282fe4
SHA512 4e25b63fe80b404c7f6ba004a7e995b787196f4ed9a6d44082c7690e6c0834cf366a6c708239f0dd56763aca05e6ce866301d05989d30a606edeb6a2238096ad

memory/2928-172-0x0000000000400000-0x0000000000848000-memory.dmp

memory/744-175-0x0000000002510000-0x0000000002908000-memory.dmp

memory/744-176-0x0000000002910000-0x00000000031FB000-memory.dmp

memory/2928-177-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 3cc7874e9ff2607460f01b5c05f89486
SHA1 3e220dcda21c3613b84ff36bca9e6a69a05270ee
SHA256 55d9b6391e5ebbdd95c965ceb193f7de4801ebcfce47805214c3316f29cc7692
SHA512 ef787b1b9947712f1973b06299e3d97199ae7f904d900e16e1ce84bdbc80349293c8f1cd86083536702668b368a9087fa9472406ec6578bb561576a1168eb7b7

memory/2928-181-0x0000000000400000-0x0000000000848000-memory.dmp

memory/744-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 ebb513d4d6d769ae21e14c45f491ca1b
SHA1 5f97e01f98b58a17e538a71b81b7a24c999c1859
SHA256 5e467197e806babc85b146d0456992a2a72060494e4dd0a00dc05813f71381c6
SHA512 6e28db09bb87188eeb331f695e9505e80a06286191c29599d0d113e64013a818c0d537040eb527a5da4298adac057ae08928e84cca85d08301c9312e5da36a21

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 93df53829d7ff15b36cca0997bdf9523
SHA1 85961b7b321c9492e276ada800debaa55c9c1d59
SHA256 107f6e6bf02253e4453b28539faa31bbcdd8c7048373fd3678aeec3e4faf2e5c
SHA512 37edf278c32461498cf9fb723806553f8f99f00eda1e8fd3b314733759f249cc9db11db400b0a2e8985b1bdbb31749f80e4608f03c783e95fe5a144437337f16

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d7e4b9b1c47a1c5e43e40c56157a147f
SHA1 3d1afa4a1377bd808054add241e150c375a539a3
SHA256 4cfc04acddae5f5f2867e218cef35f327361af9c157267abbf9ef431af361f4d
SHA512 f07d7d22b92e61ea196f2c913ba4c6501b7f2acf1570baa7c748717325f67dc219d7a3f92405c06f8f157f0cff5cddcfa39e6a6e828fab565d57356cb567582d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 4451bf12dc7be6aa2448561086570c8a
SHA1 5296cd7413ca23953e13759ede1cc787aa53794c
SHA256 f59a5b0febbfb403478dc41ba4089ef7d9a383d9d191e3e9aedd43d52c70230f
SHA512 4b2d3950b6685a7451db250ff5ec67ba13d6749e56c410e0051d0f0b0e2df826d7f58d8f80cf06e48424788c19f804cfea09f05d0f91de95c62d7ea8c3eaa85b

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 97c35e714cfcd128c4f85038d9f38534
SHA1 9ca0166482a13cee2dd544fabf0f137063a716ce
SHA256 fa7c9de6502fc4c342987cd2b6fd491a84097d8f7968cfaf8e156d00019e0411
SHA512 76a0c09a85d358b67814a82034508af6f451d28ddb8eafd64abb4ac8f7309e487e5fdaf1cf40525d3a2a68e556a2fb65cf768df3eacaddd2263301011bd8a296

\Users\Admin\AppData\Local\Temp\nso3969.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/1996-206-0x0000000073680000-0x0000000073D6E000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 f96e099cf2a81a0e4d06230ac282f50a
SHA1 d43afd56079ee419423ae09c389e549f469912c9
SHA256 5c96debaeaebf90c499dbaee6ff989cbadc9e13f985240c954e27c9d49cd5f72
SHA512 45bc597e8340796222e81c517d9a7c958f4e018334a7edb21a987713244420f8962366152c0bb961fcc6a58ce9cce987fca4cc6ade76415c7ed57aa1cca5d5a6

memory/2684-208-0x0000000002F50000-0x0000000003050000-memory.dmp

memory/2684-209-0x0000000000220000-0x000000000028B000-memory.dmp

memory/2172-210-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2928-218-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj56D9.tmp

MD5 9089c5ddf54262d275ab0ea6ceaebcba
SHA1 4796313ad8d780936e549ea509c1932deb41e02a
SHA256 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512 ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

memory/744-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3020-230-0x0000000002720000-0x0000000002820000-memory.dmp

memory/3020-231-0x00000000003B0000-0x00000000003BB000-memory.dmp

memory/3020-232-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5CD7.exe

MD5 74c0473efdff08a9d693f49cbb10e36e
SHA1 1a64dd8aea7ca9d64aa0fc0503bff9166a89099d
SHA256 54b0f8b6b8de24a61e6b6264ed6b5ad1e5e3e8793faff189e44c9d8d597e4d52
SHA512 32565d4a9942cd574d76c70e94c49150fcef41b422ab3aba4de96b959f30ef8c636f3f393cecd9585c98c777d0728f889942462987889a8a6181d5661b0d2a44

C:\Users\Admin\AppData\Local\Temp\5CD7.exe

MD5 b0bea351be866ef906b3833c4895098b
SHA1 c45fdd52e15ed7fe23b403256bf6a5c2fe5544f1
SHA256 87ca94756569c50ea27472db9ac4e7744c9b073977e2ef24d7cb9018beb19dc1
SHA512 27700675f77ade6f32dc805faa350885414429ff14e7d5df936c0a6f352241c96edef976c68bdb4bb15e1be11a3cda91e68daf07539a2e20f6863a90092c0aea

memory/1220-240-0x0000000002B60000-0x0000000002B76000-memory.dmp

memory/2588-243-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/3020-241-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/2588-246-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2952-250-0x0000000002440000-0x0000000002540000-memory.dmp

memory/2952-252-0x0000000000220000-0x0000000000247000-memory.dmp

memory/2952-253-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/2588-255-0x00000000010B0000-0x0000000001B5D000-memory.dmp

memory/2588-286-0x0000000077980000-0x0000000077981000-memory.dmp

memory/2588-287-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2588-289-0x0000000000160000-0x0000000000161000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 550ee7188c527b01bfa4d015377d121c
SHA1 44c45f90daaef2f68d08512a79d0efa86a748f4b
SHA256 b236c2da74955dc9bcd4fc696ae78f49edbbc6f06aacaa80f0246da3deb3265d
SHA512 677f8a65ca34a290ce916d13966f0511875d5cfc12cc0983d7463a64047528a2407eb62ca8cae392452d06e756b9d07014af52c92d91ec61264c2005468f2a1a

\Users\Admin\AppData\Local\Temp\5CD7.exe

MD5 8c07afa756bfdd5993894690ae17c2b9
SHA1 b612a123b274881ed6ae14c27cfdf292e5f44bcf
SHA256 38fbe61690cec7a87a91b1b9b70b37ad92b8bdd330af4d79c1a28afd091bdafc
SHA512 da35cb2db78278b957b3792fa4fb3f02c87690d8547e98918baae5a02cd92c4392f906845048a0d5111c5100b5b90688768b39ddeee605c6985df437c400bcef

\Users\Admin\AppData\Local\Temp\5CD7.exe

MD5 cde705882dc07294bb96793891faa476
SHA1 a445432700572662e03471409e9e9d3b0082a1ed
SHA256 9d63c74e8b61a6e0888f3b4fc93c0ca158b8252382251b4a3fd60219f3475d51
SHA512 3bb4f357a0839f4b086674f010376756a8f9826ce8b79fd1b92e323bc72e6a635e4e6d7ff81aa94fdfc30ff341a65c7da97ad0f760c7bdca0c409534cc320137

\Users\Admin\AppData\Local\Temp\5CD7.exe

MD5 94187d9d51fabee5249e2906dcf6cd34
SHA1 ac5937a321a3e70d95fbeb19ab32a0858e92a008
SHA256 bf2fedb76209470bacf9e3d69000984b67929abb92dd7602c139fb89697235b3
SHA512 98cea89a6e7bb58ebd2338c94d1d8f9d165ddb7ec52979a0285f5ccd1bab5f60bb0b71451a2d8d2bd7c415664f06a0236dc31406f0741da90cc39aec1d1f6e8e

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/744-308-0x0000000002910000-0x00000000031FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

memory/744-357-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2292-371-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/2292-372-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2172-373-0x0000000000240000-0x0000000000241000-memory.dmp

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Windows\rss\csrss.exe

MD5 760fe387d7c560f53f0f9c728a66d3b0
SHA1 543c5b5f57e01ec1744b098ef24e52ed08d81e42
SHA256 aa9ec255d6b490b747edeaf60a5dd617411feae80944d62cc2276551e6095efc
SHA512 2b4d0a18ade76d12236c7a698e48a6875c85e3a9df61727f5070edf4f63d30af380bb40a1d647cb907af25bb2fec4ce6076e7a5d39944ac76e92594bc54522b7

\Windows\rss\csrss.exe

MD5 3ca4a9bdbec4d6e4d299906880ff5333
SHA1 0687217241b17ebbbb2c5366a5e6814611006c11
SHA256 1432ceb485d36ed7af72913b693d5e2f975a7de52b70019c984908458440b5cc
SHA512 15e9e37b40d6016e38eb2bcd74625a163766ff0db2d4eb151ec92714de09a8b4c6beee2c76cca0700b17d5e2b9037bc7ea7942fd3e1e0ba3a730e7f162e15434

C:\Windows\rss\csrss.exe

MD5 7f48b037f22f8f23ef235c82bd530408
SHA1 4ed9016fa3b1370dbafdf8dfc553b9f4428ceafe
SHA256 8ab66ccf571fb49e524d96955072cec792df1f526b966f92152316094e7c8eb2
SHA512 953e0470b54dd572fde877de0cbadbbc6570b44da581f13d221f37c3018d875f4dacc6ef0e8d6b5d7a506ecdf4ad7b0e4a03e8b8f306a5d98c8ff80c6c38529a

memory/2292-406-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2952-411-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/2232-418-0x0000000002500000-0x00000000028F8000-memory.dmp

memory/2232-419-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 ab43192ad620e08c545c7f7c4b52802b
SHA1 090a9c43a6be4ead3385a92bb4779865ed10127d
SHA256 4d69fa18d7f1fac5f56f9396b65057a21f42a13349b83cbe7291f00fc0b989db
SHA512 1dcb00254d0ad110ebfa0e4cd267e31930f633f6762c3226579e62693401a465a8f9d0094d57354bb545ce5a5c2b15292c555506549b1dbcfae7629d91e0bbe0

memory/2588-425-0x00000000010B0000-0x0000000001B5D000-memory.dmp

memory/2808-427-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2808-428-0x00000000023B0000-0x00000000023B8000-memory.dmp

memory/2808-426-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

memory/2808-429-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2808-432-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2808-433-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2808-434-0x0000000002580000-0x0000000002600000-memory.dmp

memory/2808-436-0x000007FEF5320000-0x000007FEF5CBD000-memory.dmp

memory/2808-435-0x0000000002580000-0x0000000002600000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 49112bae363e9076d0b869b84ee72716
SHA1 c13a033c24a38b4308d231bfbcc6fdad52da230b
SHA256 672e5fbf4190a5a3534313a9705ab0677f7383f1c3aafb1ba1661591fd63725f
SHA512 8a2485af9a6c7fc2846e7ebd9682a5c6649614dac3255792a2560a8c092b2f3b363f23849b423909ebdce6d78880c466a6c1ab4bbfb8552e343d9d5300dd4eb2

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/568-441-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 bff754a050f41ed5b221384bc27473fc
SHA1 bdc03a46c3a01e14680a908cf73367371ac46236
SHA256 1c4c7802473e8f089d581b3be099c6f442863a798fb0885ad49f122ce0e692fd
SHA512 821e0d7f83f689505c3fddd76403d006008c362a43ecac8bdaf48149fbc2c4101bf3de59f999fa908f336c95b166f9fa17bd659a002fdc411d0df67bf9777e9b

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 33f63e6278297e30159507b38e1e4424
SHA1 24f7158e8d2a8a74792557baeeeb7792039a10e0
SHA256 bb9e5d7e8667c94a45f99684bac7a72458beeeae50125310016e1269e2e0f6d5
SHA512 b7bb9196450a6da06eb1fb22f45e029a2ce41a42a7191abb1e4d8ca10c98993a94d2b36129194984ef85c59160cebaa24b9e59b0cc1c1f70a883895b598a9c4b

memory/568-459-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1f1821fc28134998be2fb5d4d866d4e9
SHA1 03bfbaa0e3a83d5073bf8b71e160beeb06883345
SHA256 f8ba8b48a615306a8b2a25238618d7c0a5c17c90d0322d538a7be7766053c1ed
SHA512 8f837a4eb7c7beb579a9bfda4affaddbb52f8a505e86f38be211d401d5f97a02c3e3061d8c19b2cb5197a705d7edd85845a82b0a4272f0ec2fc8239000032dc9

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 b082c374b69c223e433a58e7c7f71d10
SHA1 5ad4b0774a575b2843a1f58ea01b3e54bb4afff7
SHA256 e5a2bce4afce10d13fb63931b4dbf9ce53c80b9a6820af7058cf55243e9c5929
SHA512 c1cdfb6fd2c218328146c9f52aa5bd4bbb35237c73f307a9f021d05a045b61746406644c548244fc6ca2104e2bc35f1ab9d29449167c8245e1b618361abb8ec0

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 170d66f9d75e64f50a295116ca704c25
SHA1 db0854fd1c8c705d62411aa8f13be7d2ebe2e476
SHA256 f6de5ced2a6adeb6c8422030a373c0a25756c5c79c5b066d9999a03ad9c04fd7
SHA512 d51b5ae12e52adf56941e8c4fadedaa6683fc013f6aa6a8c431db72fbf882d74ae75a940f53e7b793bf11e0740cc68eee3715e33eb526c4bdef42b51b74062c9

C:\Users\Admin\AppData\Local\Temp\CabD838.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarD944.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/432-516-0x0000000019B40000-0x0000000019E22000-memory.dmp

memory/432-517-0x0000000000880000-0x0000000000888000-memory.dmp

memory/432-518-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

memory/432-519-0x0000000001080000-0x0000000001100000-memory.dmp

memory/432-520-0x000007FEF52E0000-0x000007FEF5C7D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 37663dd4315ed87ec57ecd4a0fc9436b
SHA1 887021a41e8ddc99dc9a2664b729a5e082e2e9f6
SHA256 625e76fe442913f7b19a3f4d8369a66f66d21e5ebe862011e5c3d978df9727f0
SHA512 fd000015a6fa3b34b6d4ec3f303408ef8ec0219eaec74a6baea816eb7ae555028564625553ba7605892c61d998055743e2e1a0e1639a518e85bd7de2d8c1895a

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 01:41

Reported

2024-02-27 01:43

Platform

win10v2004-20240226-en

Max time kernel

87s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

DcRat

rat infostealer dcrat
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\DB20.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x3, no details recorded)

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2A3D.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (x10, no details recorded)

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\DB20.exe | N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A (x2)

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\DDB1.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1540 set thread context of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\DB20.exe | C:\Users\Admin\AppData\Local\Temp\DB20.exe

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A (x4)

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37EA.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37EA.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\37EA.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A (x2)
N/A | N/A | N/A | N/A (x62, no details recorded)

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37EA.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A (x11, alternating with the row below)
Token: SeCreatePagefilePrivilege | N/A | N/A | N/A (x11)
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3340 wrote to memory of 5032 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CE2D.exe (x3)
PID 3340 wrote to memory of 5096 | N/A | N/A | C:\Windows\system32\regsvr32.exe (x2)
PID 5096 wrote to memory of 4124 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe (x3)
PID 3340 wrote to memory of 1540 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DB20.exe (x3)
PID 1540 wrote to memory of 1056 | N/A | C:\Users\Admin\AppData\Local\Temp\DB20.exe | C:\Users\Admin\AppData\Local\Temp\DB20.exe (x8)
PID 3340 wrote to memory of 1716 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DDB1.exe (x3)
PID 3340 wrote to memory of 4880 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E8BE.exe (x3)
PID 4880 wrote to memory of 1984 | N/A | C:\Users\Admin\AppData\Local\Temp\E8BE.exe | C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp (x3)
PID 1984 wrote to memory of 4100 | N/A | C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp | C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe (x3)
PID 1984 wrote to memory of 1696 | N/A | C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp | C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe (x3)
PID 3340 wrote to memory of 3420 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2A3D.exe (x3)
PID 3340 wrote to memory of 4716 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\37EA.exe (x3)
PID 3420 wrote to memory of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\2A3D.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe (x3)
PID 3420 wrote to memory of 464 | N/A | C:\Users\Admin\AppData\Local\Temp\2A3D.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe (x3)
PID 3420 wrote to memory of 4644 | N/A | C:\Users\Admin\AppData\Local\Temp\2A3D.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe (x2)
PID 464 wrote to memory of 4532 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe (x3)
PID 464 wrote to memory of 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp (x3)
PID 4532 wrote to memory of 2892 | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Windows\SysWOW64\cmd.exe (x3)
PID 3340 wrote to memory of 1324 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5093.exe (x3)
PID 2892 wrote to memory of 3872 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\chcp.com (x3)
PID 2892 wrote to memory of 4236 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\CE2D.exe

C:\Users\Admin\AppData\Local\Temp\CE2D.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D38D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D38D.dll

C:\Users\Admin\AppData\Local\Temp\DB20.exe

C:\Users\Admin\AppData\Local\Temp\DB20.exe

C:\Users\Admin\AppData\Local\Temp\DB20.exe

C:\Users\Admin\AppData\Local\Temp\DB20.exe

C:\Users\Admin\AppData\Local\Temp\DDB1.exe

C:\Users\Admin\AppData\Local\Temp\DDB1.exe

C:\Users\Admin\AppData\Local\Temp\E8BE.exe

C:\Users\Admin\AppData\Local\Temp\E8BE.exe

C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp" /SL5="$80060,2424585,54272,C:\Users\Admin\AppData\Local\Temp\E8BE.exe"

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s

C:\Users\Admin\AppData\Local\Temp\2A3D.exe

C:\Users\Admin\AppData\Local\Temp\2A3D.exe

C:\Users\Admin\AppData\Local\Temp\37EA.exe

C:\Users\Admin\AppData\Local\Temp\37EA.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp

C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\5093.exe

C:\Users\Admin\AppData\Local\Temp\5093.exe

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3180 -ip 3180

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 2000

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1980 -ip 1980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 848

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
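
The command lines above read as one persistence and defence-evasion sequence: a logon task and a service for the dropped csrss.exe and vueqjgslwynd.exe, an inbound firewall allow rule for csrss.exe, Defender exclusions covering the whole user profile and ProgramData, removal of the Malicious Software Removal Tool (KB890830) through wusa, stopping the Windows Event Log service, and a hook DLL loaded into Task Manager. The script below is an added example, not part of the sandbox report or of the malware's tooling; it runs a small rule set over a hand-copied subset of those command lines and pulls out the task, service, rule and exclusion details an analyst would put in a ticket. The rule names and tactic labels are this example's own, not the sandbox's signature names.

```python
"""Pull persistence and defence-evasion actions out of sandbox process
command lines.

Added example for this report; not part of the sandbox's tooling.
SAMPLE_CMDLINES is a hand-copied subset of the 'Processes' section above.
Rule names and tactic labels are this example's own.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'schtasks /delete /tn ScheduledUpdate /f',
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'wusa /uninstall /kb:890830 /quiet /norestart',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'chcp 1251',
    r'powershell -nologo -noprofile',
]

@dataclass(frozen=True)
class Finding:
    rule: str
    tactic: str
    detail: str
    cmdline: str

# Detail extractors: each turns a matching command line into the one-line
# summary an analyst would copy into a ticket.
def _task(c):
    tn = re.search(r'/tn\s+"?([^"\s]+)"?', c, re.I)
    tr = re.search(r'''/tr\s+"'?(.+?)'?"''', c, re.I)
    return f"task {tn.group(1)} runs {tr.group(1)}"

def _service(c):
    name = re.search(r'\bcreate\s+"?([^"\s]+)"?', c, re.I)
    binpath = re.search(r'binpath=\s*"?([^"]+)"?', c, re.I)
    return f"service {name.group(1)} runs {binpath.group(1)}"

def _firewall(c):
    name = re.search(r'name="([^"]+)"', c, re.I)
    prog = re.search(r'program="([^"]+)"', c, re.I)
    return f"rule {name.group(1)} allows inbound to {prog.group(1)}"

def _defender(c):
    paths = re.search(r'-ExclusionPath\s+(@\([^)]*\)|\S+)', c, re.I)
    ext = re.search(r"-ExclusionExtension\s+'?([^'\s]+)'?", c, re.I)
    return f"excludes {paths.group(1)} and *{ext.group(1)}"

def _injector(c):
    m = re.search(r'injector\.exe\s+(\S+)\s+(\S+)', c, re.I)
    return f"{m.group(2)} loaded into {m.group(1)}"

# (rule name, tactic, trigger pattern, detail extractor)
RULES = [
    ("scheduled task created", "persistence",
     re.compile(r'\bschtasks(?:\.exe)?\s.*?/create\b', re.I), _task),
    ("service created", "persistence",
     re.compile(r'\bsc(?:\.exe)?\s+create\b', re.I), _service),
    ("Windows Event Log service stopped", "defence evasion",
     re.compile(r'\bsc(?:\.exe)?\s+stop\s+eventlog\b', re.I), lambda c: "sc stop eventlog"),
    # KB890830 is the Malicious Software Removal Tool (MSRT)
    ("MSRT (KB890830) removed with wusa", "defence evasion",
     re.compile(r'\bwusa(?:\.exe)?\s.*?/uninstall\b.*?/kb:890830\b', re.I), lambda c: "wusa /uninstall /kb:890830"),
    ("inbound firewall allow rule added", "defence evasion",
     re.compile(r'\bnetsh\s.*?\badvfirewall\s+firewall\s+add\s+rule\b.*?\baction=allow\b', re.I), _firewall),
    ("Defender exclusion added", "defence evasion",
     re.compile(r'\bAdd-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)\b', re.I), _defender),
    ("DLL injected into Task Manager", "defence evasion",
     re.compile(r'\binjector\.exe\s+taskmgr\.exe\s+\S+\.dll\b', re.I), _injector),
]

def triage(cmdlines):
    """Apply every rule to every command line; one Finding per match."""
    return [Finding(rule, tactic, detail(c), c)
            for c in cmdlines
            for rule, tactic, pat, detail in RULES if pat.search(c)]

def by_tactic(findings):
    """Group finding summaries by tactic label."""
    out = {}
    for f in findings:
        out.setdefault(f.tactic, []).append(f"{f.rule}: {f.detail}")
    return out

if __name__ == "__main__":
    for tactic, items in by_tactic(triage(SAMPLE_CMDLINES)).items():
        print(tactic)
        for item in items:
            print("  " + item)
```

Run as-is it prints the findings grouped by tactic; feed it Sysmon event ID 1 or EDR process-creation command lines to apply the same rules to live telemetry. The patterns are deliberately loose about casing and about the quoting styles schtasks and sc accept, which is also why the noise lines (chcp, the bare powershell launches) produce no findings.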

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 185.159.70.47:46031 tcp
DE 195.201.94.113:443 tcp
US 8.8.8.8:53 113.94.201.195.in-addr.arpa udp
US 199.249.230.155:443 tcp
N/A 127.0.0.1:61147 tcp
US 204.13.164.118:443 tcp
US 8.8.8.8:53 trmpc.com udp
KR 211.168.53.110:80 trmpc.com tcp
US 8.8.8.8:53 118.164.13.204.in-addr.arpa udp
US 8.8.8.8:53 110.53.168.211.in-addr.arpa udp
DE 46.38.251.59:9001 tcp
NL 185.244.24.42:8443 tcp
US 8.8.8.8:53 59.251.38.46.in-addr.arpa udp
US 8.8.8.8:53 42.24.244.185.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 associationokeo.shop tcp
DE 185.172.128.145:80 185.172.128.145 tcp
NL 185.244.24.42:8443 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
DE 46.38.251.59:9001 tcp
AT 192.36.38.33:443 tcp
US 8.8.8.8:53 33.38.36.192.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.61.114:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 114.61.15.51.in-addr.arpa udp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 7c09d115-6e4d-4475-8284-f36a4660d299.uuid.statsexplorer.org udp
US 8.8.8.8:53 kamsmad.com udp
BA 185.12.79.25:80 kamsmad.com tcp
N/A 127.0.0.1:16123 tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
BA 185.12.79.25:80 kamsmad.com tcp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 ybhee.cem.vz udp
US 8.8.8.8:53 ybhee.cem.vz udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 dmbol.cem udp
US 8.8.8.8:53 dmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 gmbol.cem.br udp
US 8.8.8.8:53 gmbol.cem.br udp
US 8.8.8.8:53 uzbh.hz udp
US 8.8.8.8:53 uzbh.hz udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 js3bdreso.cem.jr udp
US 8.8.8.8:53 dmbol.cem udp
US 8.8.8.8:53 js3bdreso.cem.jr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.vz udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 gmbol.cem.br udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 uzbh.hz udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 server7.statsexplorer.org udp
US 8.8.8.8:53 dmbol.cem udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 js3bdreso.cem.jr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 ybhee.cem.vz udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 bjozjerzej.cem udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 bjozjerzej.cem udp
US 8.8.8.8:53 gmbol.cem.br udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 uzbh.hz udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 js3bdreso.cem.jr udp
US 8.8.8.8:53 dmbol.cem udp
US 8.8.8.8:53 ftp.rku.bc.oz udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 gmeol.cem udp
US 8.8.8.8:53 ftp.gmbolg.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 bjozjerzej.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem.vz udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 bbchbcb.cem udp
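A triage pass over the Network rows above, added here as an example (it is not part of the sandbox report). Each row is country, destination ip:port, queried or resolved name, protocol; direct connections with no name have only three fields. The sample rows are copied from the report, and KNOWN_TLDS is a small constructed subset of delegated TLDs, not an authoritative list. The point of the split: names whose last label is not a delegated TLD (the .cem, .oz, .hz, .vz, .jr queries) can never resolve, so they belong in a detection signature rather than a blocklist, while the resolvable ones (kamsmad.com, the statsexplorer.org host, cdn.discordapp.com, stun.sipgate.net) and the TCP contacts are the entries worth blocking or hunting for.

```python
"""Split sandbox network rows into unresolvable DNS noise, resolvable names,
and actual TCP/UDP contacts. Added example; sample rows copied from the report."""
from collections import Counter

SAMPLE_ROWS = """\
US 8.8.8.8:53 7c09d115-6e4d-4475-8284-f36a4660d299.uuid.statsexplorer.org udp
US 8.8.8.8:53 kamsmad.com udp
BA 185.12.79.25:80 kamsmad.com tcp
N/A 127.0.0.1:16123 tcp
BA 185.12.79.25:80 kamsmad.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 rku.bc.oz udp
US 8.8.8.8:53 gmbolg.cem udp
US 8.8.8.8:53 gmbol.cem.br udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.sipgate.net udp
US 8.8.8.8:53 ftp.gmbolg.cem udp
"""

# Constructed subset; in practice load the IANA root zone list instead.
KNOWN_TLDS = {"com", "org", "net", "br", "fr", "arpa", "io", "ru", "de"}


def parse_row(line):
    parts = line.split()
    if len(parts) == 3:          # direct connection, no name recorded
        country, dst, proto = parts
        domain = ""
    elif len(parts) == 4:
        country, dst, domain, proto = parts
    else:
        return None
    ip, _, port = dst.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port),
            "domain": domain, "proto": proto}


def parse_rows(text):
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


def is_dns_query(row):
    # the sandbox forwards every lookup to 8.8.8.8:53/udp; the country code on
    # those rows is the resolver's, not the queried name's
    return row["port"] == 53 and row["proto"] == "udp" and bool(row["domain"])


def tld(domain):
    return domain.rsplit(".", 1)[-1].lower()


def triage(text):
    rows = parse_rows(text)
    queries = [r["domain"] for r in rows if is_dns_query(r)]
    bogus = sorted({d for d in queries if tld(d) not in KNOWN_TLDS})
    resolvable = sorted({d for d in queries
                         if tld(d) in KNOWN_TLDS and not d.endswith(".in-addr.arpa")})
    # everything that is neither a lookup nor loopback is a real contact;
    # the count shows how often the sample went back to the same endpoint
    contacts = Counter((r["ip"], r["port"], r["proto"], r["domain"])
                       for r in rows if not is_dns_query(r) and not r["ip"].startswith("127."))
    loopback = sorted({(r["ip"], r["port"]) for r in rows if r["ip"].startswith("127.")})
    return {"bogus_tld_queries": bogus, "resolvable_queries": resolvable,
            "contacts": contacts, "loopback": loopback}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ROWS).items():
        print(key, value)
```

The TLD check is only a first cut: gmbol.cem.br and ybhee.fr pass it because .br and .fr are real TLDs, so the resolvable list still needs a manual look before it becomes a blocklist. The loopback entry (127.0.0.1:16123) is a local listener rather than an external indicator.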

Files

memory/1328-1-0x00000000025C0000-0x00000000026C0000-memory.dmp

memory/1328-2-0x0000000002580000-0x000000000258B000-memory.dmp

memory/1328-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/3340-5-0x0000000002390000-0x00000000023A6000-memory.dmp

memory/1328-8-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CE2D.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/5032-18-0x0000000000EE0000-0x000000000178F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D38D.dll

MD5 4a29cf76ac589f126e7c12309318da51
SHA1 54128454b38d8bf87eb05ec3938f7312e41edb7f
SHA256 f57d59d3b086cba961a1ba469e27c7e5030dd8449c70e4435647faf5c1061a52
SHA512 608242687b1bb5b89ec0795d369613d3e54d9087d33acaa19d0d31bd6c63d64792a0a4a7bf79bc4f26c7e74f5cd1f987c10fbc8adfc2c544f3808228f5f564c2

memory/5032-17-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/5032-19-0x0000000000EE0000-0x000000000178F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D38D.dll

MD5 b3b83e44a9580165e083fc3b6ebea7ae
SHA1 308cee6647694e8dd3438eda2493fcfbfc47d80a
SHA256 e5e32fd8d17492811487a4cf393c8898e75dd2cb834d084e2a23d3ec322d97e1
SHA512 7a83493cecee83eec6b24a8f46046b2fca3bd6c03fdefc7364a2fe74e0e4ed38527ac9f638f7ffade95c76bd9b0fd912f81bf57cdb2d7b5b3f41ebb12335198d

memory/5032-23-0x0000000000600000-0x0000000000632000-memory.dmp

memory/5032-24-0x0000000000600000-0x0000000000632000-memory.dmp

memory/4124-26-0x0000000010000000-0x000000001020A000-memory.dmp

memory/5032-25-0x0000000000600000-0x0000000000632000-memory.dmp

memory/5032-27-0x0000000000600000-0x0000000000632000-memory.dmp

memory/4124-29-0x00000000010F0000-0x00000000010F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB20.exe

MD5 b73b13620f82e24559a5adc75072ccc5
SHA1 152a2acdc433928c05d891af5b624efb77b14d94
SHA256 492cdaf4386e89cf3d92561c95b68984a666a1ecbcaacdece69171ae41790a3f
SHA512 99f45a110a9b576e53cc220277fcedc02d2b9fec189e7a1f31bb018703936345c8050a561e0b8551922c97aa2a5ccee15827482fc81f845dc86ed1d62dc300ed

C:\Users\Admin\AppData\Local\Temp\DB20.exe

MD5 7f434979261c289f4b611eaf4488aab3
SHA1 4cf8b86e70a8627dfc0de78f380d0c6086ecdcb8
SHA256 8ba6525efdad26932ccd1b33672f207d8648faac28621d87d81c7cf990e7a73b
SHA512 212adf4ae65ebcf27532aa33ecb5fabde12e396a2c4b64580295b0971ab103994011048bd69fbaf561cefcfac2daaadcdea133d19a5ead5af128f131d16003a7

memory/1540-35-0x0000000003840000-0x0000000003A08000-memory.dmp

memory/1540-36-0x0000000003A10000-0x0000000003BC7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DB20.exe

MD5 ca2753b2c6e3eb37b245757746a00c86
SHA1 d266219dcd811e5139f2b3a120dc3485e3ebdc61
SHA256 ed0b9b8e5eee059282a2452a6e25eb04e930c387a41010de45a65d2fb66ec5d3
SHA512 a5ac3231db412dff1ea34f77b675f86dc9d7d8cc1062011d1ff551fde2b8b598aa345a130d95b26384a7e1a59521489a9a5cead9695e24dbbd0fb9d395f858f6

C:\Users\Admin\AppData\Local\Temp\DDB1.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/1056-46-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1056-47-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1716-48-0x00000000049E0000-0x0000000004A4B000-memory.dmp

memory/1056-42-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1056-37-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1056-51-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1056-50-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D38D.dll

MD5 5d33a9c72c8008f9e70509724c85e00f
SHA1 e5f9407b5cace0e3f9d2b0f40e9ae99edca4efe7
SHA256 ca3b25e9c35a70a254d5128460b5cdfc03ae5c66d675a6306bab884d124b37bc
SHA512 709a1b1fc7c5f26e2827fbcfc62ac88226f82d7ca27efc5641c6bd33551e29c758dfe4534612cbefde0dc31fa48991755e93aeca2c76bb864894a978a6eeedf6

memory/1716-55-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1716-56-0x0000000003040000-0x0000000003140000-memory.dmp

memory/1056-57-0x0000000000A00000-0x0000000000A06000-memory.dmp

memory/5032-60-0x0000000000EE0000-0x000000000178F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8BE.exe

MD5 0a83fc4ef75e93c9e8b42101223da373
SHA1 7fab2117c1ad79274d8b044f5bd6af478d858213
SHA256 c006d186ef33965ba68fd6948da1053b81e054d3a63a415ed80d7e09a9af9516
SHA512 6ca61e8d3b78c5fa61f4c46512d2229e2517972957a7a038b6b5dbf9747b5269bcd547497d1494e028d21ec444802e96c63e6a1209ca690e8736b6fbd038c971

memory/4880-64-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8BE.exe

MD5 a7626d4194736b5c284a09feca2711c1
SHA1 121f234a4e436a98036b99ebb5d9dbf0dc659b54
SHA256 4550b7b36c6f67222e23fc7bae32689660712e4fc0d2c11515582c89d7429c55
SHA512 a74eb41cf0a3a4f36cd86f680e6d03ee2c0c6bbce4841f3acab200e4a13990fce43a7dd17d67eb4119706f1e7b499ddadd079558069c945e713edaf13371e78d

C:\Users\Admin\AppData\Local\Temp\is-LLDFO.tmp\E8BE.tmp

MD5 951ac648539bfaa0f113db5e0406de5b
SHA1 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256 bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

C:\Users\Admin\AppData\Local\Temp\is-G0J6H.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1984-71-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

MD5 3bfb15ed0b9fb528f4cc1a11f5b77d15
SHA1 091f12f70d30f535a2bbc50fdf9f7ecddcb4e014
SHA256 13e0f6590b249a52a6f7ae4b2f4e5148f191b2ffc7af6b06c74734dda990529d
SHA512 dab088ad2c777572f7529ba1f9a0d399898f0750409af88bb26205bd06fa255dfce3a5ff56e0308e325410fec0a121e6daaf178410e7807d5d1c88a525def23e

memory/4100-109-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

MD5 f17fe65293447914b13d35fe2513749a
SHA1 d597a20f656c2f674ed67b93b107fc98704ab04c
SHA256 80946f2ee1fc33f707579aede366bfebd438817abd42e2a41dc466ff35bae81a
SHA512 fd8eaa1d17b20bf0ee9fc15882f52ef04840e2957b594267d4be395869fb62a86c631b007fe48f210027b3df399d5187c15d44cbd9de93625684c6e8b53134dc

memory/4100-110-0x0000000000400000-0x0000000000720000-memory.dmp

memory/4100-113-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

MD5 124477310352537f16c4a6c89204050d
SHA1 05bf58eaa2ad2d229cd312772a0300a853fa7d98
SHA256 928392fd3e6a51f0f77cbfe99a6d724f8450175d54fd9977d4d161d6130aa907
SHA512 495c85ef55f642f2c8611416fb90cd13075b3000b2eea191bd6473e5512aeecc450c472880ff148705b32489226c965fdc761a7165fba1a4223d4e8bb89705e3

memory/1696-117-0x0000000000400000-0x0000000000720000-memory.dmp

memory/4124-118-0x0000000002EB0000-0x0000000002FD9000-memory.dmp

memory/1056-119-0x0000000002E00000-0x0000000002F29000-memory.dmp

memory/4124-120-0x0000000002FE0000-0x00000000030EE000-memory.dmp

memory/4124-121-0x0000000002FE0000-0x00000000030EE000-memory.dmp

memory/4124-124-0x0000000002FE0000-0x00000000030EE000-memory.dmp

memory/1056-125-0x0000000002F30000-0x000000000303E000-memory.dmp

memory/1056-127-0x0000000002F30000-0x000000000303E000-memory.dmp

memory/4124-128-0x0000000002FE0000-0x00000000030EE000-memory.dmp

memory/1056-129-0x0000000002F30000-0x000000000303E000-memory.dmp

memory/1056-134-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1716-135-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/4880-136-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1984-137-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/1696-138-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2A3D.exe

MD5 6bf98bc4393f34131d011482eda568d4
SHA1 87849cb3777d15a2d89f80f1ce340c341bd1a4d2
SHA256 bf394de2f9120bca0515fc1141f48f0b1c0fc6acf631b69eaba1400e3308a35c
SHA512 a11c201124fe41a12e32106940f8296b665088bfcc4d6b2a258f08002e93104ef287641b92ca5edfe89d2aaa95365c2b5e1192c9820b6040c759e97a7f800a5a

C:\Users\Admin\AppData\Local\Temp\2A3D.exe

MD5 ceae65ee17ff158877706edfe2171501
SHA1 b1f807080da9c25393c85f5d57105090f5629500
SHA256 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA512 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b

memory/1056-143-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3420-145-0x0000000000C70000-0x0000000001526000-memory.dmp

memory/3420-147-0x0000000072B60000-0x0000000073310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 62529eb440decb9151687caa9728c97b
SHA1 101814c05cae4892ebc2de787223ca1f4dcb4aed
SHA256 0030bad31bb465a35b4ca0ba5a21eaf0f570f54e7a3ffecb1d98f76ce728e728
SHA512 82d7f0d5a032977ccf1bdf7a2672e58c0f2e41a7a159e654687974e88d557362396d047e3ca3e1aca125e3d59c2a66cd667232f7a2ba3c0b5caacc9921cbf113

C:\Users\Admin\AppData\Local\Temp\37EA.exe

MD5 0ca68f13f3db569984dbcc9c0be6144a
SHA1 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 34666eafe0fffb6a73e31c1e09ecac4f
SHA1 ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256 d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 abbed7400cb68d38906634bd66ee43da
SHA1 2356169d73ec780e5f3bb056cf8dec2e6eaf0d30
SHA256 38f5532f8edd63f0204ce9c429e6c02b430446734f2592271a523b78dd8e461d
SHA512 34c4acf0843a2cdc8a71c01f40b1d05739a5346d264b5c36c1b60b8e68225d3fc127dfcde62c9862c29254e634f73f0019e225e1b098a50eba54b40b0eb438f4

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b45b646c5c3131dbbb69c15d98255ab1
SHA1 391cb13c4a7d43b683444f6c3a87305de5004a37
SHA256 e107f6f456b4f9c1138e7e0f1c7d4b88db97f62cb5e624da3e574d59681dd7a1
SHA512 13edee5cc6e7a05339aeb9ac4c91f7c787ba887192523f977a4eaac61aeecaccad01791ebee78ddf51196563397a3d52b064af0c897c241e6caf0466c9b7f479

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 e5bdc6f3e7e9173a92e6410dbbdf4457
SHA1 0e23c3fae88a45599fa9d815b091859812ebc23d
SHA256 9d5035df884f710dc8647c7cf12c255ba281b48ca228e4736017da57ec92f975
SHA512 7e131071bba6e2d43804a798b9ddf4ce07d005253f058f27f5e1b0282f50fad5d9e376b52421929b0015cc482adce770e3611f9ab5a089e60243de8352be4fbc

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 0159c753801f7e27ae10b8527805eb8c
SHA1 aa87fef2ddf7159ae08194089e4d4178d5dbe009
SHA256 db2b1d24d4ae5442db39be1d3aae8329b9a2c752e402fb6669b27343c15ccd8c
SHA512 4fd68d99b5bada4e40c271b50f27b5f5e7ae330609a05087eca6cc0ff8e746487de43ca322f80d26f843e06e31d53d5cf4d0a1d8ec1bf455cc901e967cd54c3a

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 5ca7fc407124217ed4ac456d5369e951
SHA1 5defeaea509bafe38005a9232d94282b59525ef3
SHA256 dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120
SHA512 dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 be6df3d38e61bcc99c41c4f80aa3ef48
SHA1 02de2f7ef9d2f9e83b19f37b67fd0bdd1825832f
SHA256 ab3ab0bac897a52314b6239cdf59973c80ccd15d54750ceb5a6b8a0212483b76
SHA512 796fbf4c2bdce2ba8f16f7206d4c9fbbf59832fb93d98b99e476bb587db95348b6f77b368cf29bc6c763c245fbce7866bb711e0f7304a0dfed3ebfb4ce702494

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 819a5ef7a8ef0fac982b7771c1753b43
SHA1 c216891c0521bdb85fd29cd7097cdc4a7a305858
SHA256 efef5d7757a65912158c301bd1aa18880f693f9acfe7ffb14a87f4340b262b50
SHA512 9bb66c99dce90f363c11062cd659c5920662e88f0e76af88428a2a33e323762bf89dfa442ffb275463eb78baec036f3e29153a06a9a91a61926f29f47fc986ad

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 cf71d723e6a3a2abdb69313657a0862f
SHA1 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256 ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512 b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e

C:\Users\Admin\AppData\Local\Temp\nsm3DEF.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3420-192-0x0000000072B60000-0x0000000073310000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 ac37a77b268afe3463035a826c5233aa
SHA1 0b1f9549cd160dbc38ed5aefe4a4ad0b11dec672
SHA256 3c5e94dbf117b1063b20203c7498c4324126cbd94ae3a30969e17e54d6bcf03c
SHA512 8eb08d42ecaa7254703971ccc83c766753abddadea219b3b3cc86fac1ef861b201c448341c555e4e186d5130a1221175b454c057626cd2a0657741657b2e5fb8

memory/1716-201-0x0000000003040000-0x0000000003140000-memory.dmp

memory/4532-202-0x0000000000A90000-0x0000000000A91000-memory.dmp

memory/1980-219-0x0000000002920000-0x0000000002D1A000-memory.dmp

memory/1696-213-0x0000000000400000-0x0000000000720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsw49A8.tmp

MD5 9089c5ddf54262d275ab0ea6ceaebcba
SHA1 4796313ad8d780936e549ea509c1932deb41e02a
SHA256 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512 ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

memory/1980-220-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/1984-221-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/1980-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5093.exe

MD5 2ffc5121c7c00cf53cec8421429c9c43
SHA1 f8264794c48a637a761b203a142cab1bdcc3fad2
SHA256 1a8cda31ec134d6461cadb3fcbc3b3667e2082c50b6501284485a96be6638c74
SHA512 649d61d81adcc793cae3c45f00e40267f5c9f84d361a0e34b74bf1ae658737966bffeed63b40d3b80ad8b21769f50a57274a48836612c76eddf0ec448a9dea7d

C:\Users\Admin\AppData\Local\Temp\5093.exe

MD5 08020e607d441a30c943110958c3c119
SHA1 e10917fc4dbb0129c257104f1bbf657eab313f49
SHA256 15e1c0272cd04b5cb98d2234ed32d17c95a3019b7ca42e29ea886533663158f2
SHA512 a43255f546abaf8369591714efcaeee5b6031fe79d466c64ebb0141a25859332b0bd59079d9f275cf23be2b41de2461cd051d8eeabc32e4d966b6b806c8554c0

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1056-228-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1324-230-0x00000000008C0000-0x00000000008C1000-memory.dmp

memory/1324-231-0x00000000008D0000-0x00000000008D1000-memory.dmp

memory/1324-232-0x00000000013B0000-0x00000000013B1000-memory.dmp

memory/1324-233-0x00000000013C0000-0x00000000013C1000-memory.dmp

memory/1324-234-0x00000000013D0000-0x00000000013D1000-memory.dmp

memory/1324-235-0x00000000013E0000-0x00000000013E1000-memory.dmp

memory/1324-236-0x00000000013F0000-0x00000000013F1000-memory.dmp

memory/1324-238-0x00000000008E0000-0x000000000138D000-memory.dmp

memory/1696-241-0x0000000000400000-0x0000000000720000-memory.dmp

memory/1980-244-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4532-245-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4716-246-0x0000000002440000-0x0000000002540000-memory.dmp

memory/4716-247-0x0000000002360000-0x000000000236B000-memory.dmp

memory/4716-248-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 9347963f1eb6809960649b8132b9cef9
SHA1 e09b58b4c6472d8017fb71195dee02752f0cd17d
SHA256 167b7bc94aea4124dfa1615d54138bfbaef519fb519923c7e2e0f2bef5ff0e45
SHA512 8771ec5df147d94c196bedafdae421fbcf40e0c9991c5d54b312a62793b5516e316d94a1784146eea7d8beda8b0eaa9810f102f542c329ac0363b7c0ac59bd91

memory/1324-251-0x00000000008E0000-0x000000000138D000-memory.dmp

memory/1696-253-0x0000000000400000-0x0000000000720000-memory.dmp

memory/3180-254-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/1056-256-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3180-255-0x0000000002360000-0x0000000002460000-memory.dmp

memory/3180-258-0x0000000002330000-0x0000000002357000-memory.dmp

memory/4956-261-0x0000000004CC0000-0x0000000004CF6000-memory.dmp

memory/3180-263-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/4956-268-0x0000000005450000-0x0000000005A78000-memory.dmp

memory/3340-266-0x00000000023F0000-0x0000000002406000-memory.dmp

memory/4956-274-0x0000000004E10000-0x0000000004E20000-memory.dmp

memory/4956-275-0x0000000004E10000-0x0000000004E20000-memory.dmp

memory/4956-277-0x0000000072510000-0x0000000072CC0000-memory.dmp

memory/4956-278-0x0000000005290000-0x00000000052B2000-memory.dmp

memory/4956-279-0x00000000053B0000-0x0000000005416000-memory.dmp

memory/4716-280-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/4956-281-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/4956-282-0x0000000005CA0000-0x0000000005FF4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_shuipuox.pdz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4956-292-0x00000000062A0000-0x00000000062BE000-memory.dmp

memory/4956-293-0x0000000006330000-0x000000000637C000-memory.dmp

memory/4956-316-0x00000000067F0000-0x0000000006834000-memory.dmp

memory/4956-339-0x0000000004E10000-0x0000000004E20000-memory.dmp

memory/4956-338-0x0000000007410000-0x0000000007486000-memory.dmp

memory/4956-347-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/4956-346-0x0000000007D10000-0x000000000838A000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/4956-371-0x0000000007810000-0x0000000007842000-memory.dmp

memory/4956-374-0x0000000070050000-0x000000007009C000-memory.dmp

memory/4956-375-0x0000000070230000-0x0000000070584000-memory.dmp

memory/4956-385-0x00000000077F0000-0x000000000780E000-memory.dmp

memory/4956-386-0x0000000007850000-0x00000000078F3000-memory.dmp

memory/4956-392-0x0000000007940000-0x000000000794A000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 6bdb234305778c39ec1121b20dbb5b46
SHA1 9397990981227c7b06a4ad4d1a2b030d38fcd6e1
SHA256 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b
SHA512 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d1cbedaa594413755c98c3a726effcc0
SHA1 e64f3f94e55bd61cfa83a639c8e256a314913417
SHA256 102e4077134f2a2fc2377cad536b03d6e71be680282078435509c513481418b3
SHA512 31751dc9c065347eae84f2ef408710daf4e5f7f1d2e67d87452a7dce399d3fe68bfab94ca0b56de21bc9eec60248a77e342d11ee671ad30608c61af248f306f3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 07c9e2bab22f7789dce0ab01e6ab73d9
SHA1 36b6a405fb2c629f3dfe9231cfd15a411ec993de
SHA256 689d9c6e12a058fd31c831812f6ad1eb3969a1863c61b71c1f7de55153a65e28
SHA512 3228adb5bbfa109d861cce0731d348845b74857efa14c66c7e2422a17a059d83c913db4e9fc0ec9917310c5d94d0a45131e0b0676178b5fd5d151b74d09fd7ff

C:\Windows\rss\csrss.exe

MD5 69d8541afe9eb5d47b8a4ec080212d19
SHA1 2bd9cda3c37de1569edc024935374ef90a8d186b
SHA256 5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7
SHA512 56aa8cc13b79695bf1c0e1ce51302d569411d22072dbfca1943e97a3d5fe5e6f7c66ce341f8f065de73a85c9d29c820570202aa6977d89e3e5a979ccceec0c95

C:\Windows\rss\csrss.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 175d04cdee0f6fec9b1e876029364cc3
SHA1 1216ca309edcba55f0e1892b2f0b2547ef72a273
SHA256 795ac3d8c3a2f683ade05812f5ce665b5358f6bc563e866fcd6ccb4cb4022605
SHA512 26dd197fd3926beccea9dae42271f02533ebce689fcace36e7e379a649eea1879277e76f14238465b27bfe99cbd92d31789b89e5d4fc001907dca2285f4f6710

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 53478ab38941e7a24473ebc8b456d71d
SHA1 4fdf29301f5643a2879046a3d6df8e9d94067040
SHA256 5ae49958ef6818234a9a95122962541c4c9e57218dea38083ba60f6c280d1c61
SHA512 71ae082268455f2aedb743112b3ed406a3390976b9ace57839ca03f94fe0a009836772fe0519769933a31cca7112e38b365f5bfec30a7a7f32733609ee6302e8

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 5147d39ec695e21c5691c8dc1bb70d30
SHA1 def3f69ae6be7317a3b9a1b279063aed25e99fb1
SHA256 cd5d2d2d56c429d682a0c443b8173fd501f52afd3850643b86a0528785bb72f5
SHA512 95fa8e3ec8a6f2249b4fcf7331d64757156ccd36bc6e9c0aa986e9b8c6edae2fc01fdf7f4ec12ea003928186fd3c0abe023b7ff8f2d27546ede9caf1af57ce3c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
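A parser for the Files entries above, added here as an example (it is not part of the sandbox report). The sample entries are copied from the report; the classification rules are the author's own. Two things in this list are easy to miss by eye and worth pulling out mechanically: the same path written more than once with different hashes (DB20.exe, E8BE.exe, csrss.exe, mmediabuilder.exe, 288c47bbc1871b439df19ff4df68f076.exe), which means the file was staged and then replaced in place, and writes under C:\Windows and C:\ProgramData, which outlive the user profile and indicate the sample ran with admin rights.

```python
"""Parse sandbox 'Files' entries into memory-dump regions and dropped-file
records, then pull out the rewritten paths, system-wide drops and hash IOCs.
Added example; sample entries copied from the report, truncated to a few."""
import re
from collections import defaultdict

SAMPLE_FILES = r"""
memory/1328-1-0x00000000025C0000-0x00000000026C0000-memory.dmp
memory/1328-3-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DB20.exe
MD5 b73b13620f82e24559a5adc75072ccc5
SHA1 152a2acdc433928c05d891af5b624efb77b14d94
SHA256 492cdaf4386e89cf3d92561c95b68984a666a1ecbcaacdece69171ae41790a3f
SHA512 99f45a110a9b576e53cc220277fcedc02d2b9fec189e7a1f31bb018703936345c8050a561e0b8551922c97aa2a5ccee15827482fc81f845dc86ed1d62dc300ed
C:\Users\Admin\AppData\Local\Temp\DB20.exe
MD5 7f434979261c289f4b611eaf4488aab3
SHA1 4cf8b86e70a8627dfc0de78f380d0c6086ecdcb8
SHA256 8ba6525efdad26932ccd1b33672f207d8648faac28621d87d81c7cf990e7a73b
C:\ProgramData\nss3.dll
MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
C:\Windows\rss\csrss.exe
MD5 69d8541afe9eb5d47b8a4ec080212d19
SHA256 5731567f5316e5c8535d8b9aa0ec8c2c839b89dbba2dd9aacbc76e46b26080b7
memory/4956-346-0x0000000007D10000-0x000000000838A000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (dumps, drops). One drop record per write, so a path written
    several times appears several times, in report order."""
    dumps, drops, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m.group(2), 16), int(m.group(3), 16)
            dumps.append({"pid": m.group(1), "start": start, "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            drops.append(current)
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
    return dumps, drops


def versions_by_path(drops):
    out = defaultdict(list)
    for d in drops:
        out[d["path"]].append(d.get("sha256"))
    return dict(out)


def rewritten_paths(drops):
    # same path, different content: staged download, in-place decryption or re-drop
    return sorted(p for p, v in versions_by_path(drops).items() if len(set(v)) > 1)


def system_wide_drops(drops):
    # outside the user profile: needs admin rights, survives a profile wipe
    prefixes = ("c:\\windows\\", "c:\\programdata\\")
    return sorted({d["path"] for d in drops if d["path"].lower().startswith(prefixes)})


def dump_bytes_per_pid(dumps):
    totals = defaultdict(int)
    for d in dumps:
        totals[d["pid"]] += d["size"]
    return dict(totals)


def image_base_dumps(dumps, base=0x400000):
    # 0x400000 is the default image base of a 32-bit PE, so a region that starts
    # there is usually the unpacked main module and the first dump to carve
    return [d for d in dumps if d["start"] == base]


def sha256_iocs(drops):
    return sorted({d["sha256"] for d in drops if d.get("sha256")})


if __name__ == "__main__":
    dumps, drops = parse_files(SAMPLE_FILES)
    print("rewritten:", rewritten_paths(drops))
    print("system-wide:", system_wide_drops(drops))
    print("dump bytes:", dump_bytes_per_pid(dumps))
    print("iocs:", sha256_iocs(drops))
```

Hashes of paths that are rewritten several times are only useful as IOCs for the final version; the earlier hashes identify intermediate stages that never run on a victim in that form. The memory dump at 0x400000 in PID 1328 is roughly 31 MB, far larger than the on-disk sample, which is what a UPX-unpacked or inflated image looks like once mapped.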