Malware Analysis Report

2024-11-13 14:08

Sample ID 240227-b4hzysdd68
Target 5cddaacf9782c030db128e3ebfd8f301.exe
SHA256 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Tags
glupteba smokeloader pub1 backdoor bootkit dropper evasion loader persistence trojan upx dcrat lumma socks5systemz botnet discovery infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23

Threat Level: Known bad

The file 5cddaacf9782c030db128e3ebfd8f301.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Lumma Stealer

Glupteba payload

Detect Socks5Systemz Payload

Socks5Systemz

DcRat

SmokeLoader

Creates new service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Reads data files stored by FTP clients

UPX packed file

Deletes itself

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 01:41

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 01:41

Reported

2024-02-27 01:44

Platform

win7-20240215-en

Max time kernel

77s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself


UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\7DCA.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2436 set thread context of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7A41.exe C:\Users\Admin\AppData\Local\Temp\7A41.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\152C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\152C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\152C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp N/A

Suspicious use of SendNotifyMessage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1104 wrote to memory of 2592 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E5D.exe
PID 2592 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6E5D.exe C:\Windows\SysWOW64\WerFault.exe
PID 1104 wrote to memory of 2312 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2312 wrote to memory of 2560 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1104 wrote to memory of 2436 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A41.exe
PID 2436 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\7A41.exe C:\Users\Admin\AppData\Local\Temp\7A41.exe
PID 1104 wrote to memory of 2580 N/A N/A C:\Users\Admin\AppData\Local\Temp\7DCA.exe
PID 1104 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\8DA3.exe
PID 2840 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\8DA3.exe C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp
PID 1104 wrote to memory of 1732 N/A N/A C:\Users\Admin\AppData\Local\Temp\FBB2.exe
PID 1104 wrote to memory of 1384 N/A N/A C:\Users\Admin\AppData\Local\Temp\152C.exe
PID 1732 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\FBB2.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1732 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\FBB2.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\6E5D.exe

C:\Users\Admin\AppData\Local\Temp\6E5D.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7428.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7428.dll

C:\Users\Admin\AppData\Local\Temp\7A41.exe

C:\Users\Admin\AppData\Local\Temp\7A41.exe

C:\Users\Admin\AppData\Local\Temp\7A41.exe

C:\Users\Admin\AppData\Local\Temp\7A41.exe

C:\Users\Admin\AppData\Local\Temp\7DCA.exe

C:\Users\Admin\AppData\Local\Temp\7DCA.exe

C:\Users\Admin\AppData\Local\Temp\8DA3.exe

C:\Users\Admin\AppData\Local\Temp\8DA3.exe

C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp

"C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp" /SL5="$4016C,2424585,54272,C:\Users\Admin\AppData\Local\Temp\8DA3.exe"

C:\Users\Admin\AppData\Local\Temp\FBB2.exe

C:\Users\Admin\AppData\Local\Temp\FBB2.exe

C:\Users\Admin\AppData\Local\Temp\152C.exe

C:\Users\Admin\AppData\Local\Temp\152C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\5F28.exe

C:\Users\Admin\AppData\Local\Temp\5F28.exe

C:\Users\Admin\AppData\Local\Temp\nso6D84.tmp

C:\Users\Admin\AppData\Local\Temp\nso6D84.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 124

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014352.log C:\Windows\Logs\CBS\CbsPersist_20240227014352.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network


Files


memory/2580-277-0x0000000002F10000-0x0000000003010000-memory.dmp

memory/1608-278-0x0000000077830000-0x0000000077831000-memory.dmp

\Users\Admin\AppData\Local\Temp\5F28.exe

MD5 540e886ceda4024a5e88f092e8a319e9
SHA1 93e348bc5866518b4ecc3ab851d17b7d767916fa
SHA256 71ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703
SHA512 9d343574b59d39beaec2a484abf314d91fc805acaf3f9b33b099958a535751d290986532a7f86d7f18cdfbea3774104eb62ab7756f0dfb8f98684f9daa046184

memory/1608-284-0x0000000000D60000-0x0000000000D61000-memory.dmp

memory/2580-285-0x0000000000290000-0x00000000002FB000-memory.dmp

\Users\Admin\AppData\Local\Temp\5F28.exe

MD5 93482d73c7977a8486f8d1d59b8a5775
SHA1 cf17a1a776ccdb3993901f0e48383ed6803b3996
SHA256 4b47d6feba365f064331a63afd8132d95b9d6ddcaf3b715e17615774fa301192
SHA512 80885ea4aaacf99c1577dfe1c0e338f78d6543881a032eefb052be3c692e2950576e0bf21995c336c40b4f35f2cd98197f3fb1830d4ee8964b9c6b3c762b0094

\Users\Admin\AppData\Local\Temp\5F28.exe

MD5 192c2bee85452b62bbc7b9bd93b24b07
SHA1 3ef36ceccecb900280aff4297c8136a3746f024f
SHA256 cd989adfe10e50fb4bc10dd7b1cc24bc0729cc218a238cf3fb1fc268ad530ae4
SHA512 07981649ef443bce9eb1a5815321999dcc99cc96539dc2540d953b8208dcbbda24243ed4e542f6c9682a3d76eb7226d9fd6205e9631d96de85490b85f38b4b2f

memory/1608-279-0x0000000000C50000-0x0000000000C51000-memory.dmp

\Users\Admin\AppData\Local\Temp\5F28.exe

MD5 08020e607d441a30c943110958c3c119
SHA1 e10917fc4dbb0129c257104f1bbf657eab313f49
SHA256 15e1c0272cd04b5cb98d2234ed32d17c95a3019b7ca42e29ea886533663158f2
SHA512 a43255f546abaf8369591714efcaeee5b6031fe79d466c64ebb0141a25859332b0bd59079d9f275cf23be2b41de2461cd051d8eeabc32e4d966b6b806c8554c0

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 62529eb440decb9151687caa9728c97b
SHA1 101814c05cae4892ebc2de787223ca1f4dcb4aed
SHA256 0030bad31bb465a35b4ca0ba5a21eaf0f570f54e7a3ffecb1d98f76ce728e728
SHA512 82d7f0d5a032977ccf1bdf7a2672e58c0f2e41a7a159e654687974e88d557362396d047e3ca3e1aca125e3d59c2a66cd667232f7a2ba3c0b5caacc9921cbf113

memory/2904-309-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

memory/2904-311-0x00000000029B0000-0x00000000029B8000-memory.dmp

memory/2904-312-0x0000000002ABB000-0x0000000002B22000-memory.dmp

memory/2904-313-0x000007FEF58E0000-0x000007FEF627D000-memory.dmp

memory/2904-314-0x0000000002AB4000-0x0000000002AB7000-memory.dmp

memory/1552-328-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1732-330-0x00000000735E0000-0x0000000073CCE000-memory.dmp

memory/2960-331-0x0000000000990000-0x0000000000998000-memory.dmp

memory/2960-332-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

memory/2960-333-0x00000000015E0000-0x0000000001660000-memory.dmp

memory/2960-329-0x000000001A010000-0x000000001A2F2000-memory.dmp

memory/2960-334-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

memory/1136-335-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2960-336-0x00000000015E0000-0x0000000001660000-memory.dmp

memory/1536-337-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2960-338-0x00000000015E0000-0x0000000001660000-memory.dmp

memory/2960-339-0x000007FEF5980000-0x000007FEF631D000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 be6df3d38e61bcc99c41c4f80aa3ef48
SHA1 02de2f7ef9d2f9e83b19f37b67fd0bdd1825832f
SHA256 ab3ab0bac897a52314b6239cdf59973c80ccd15d54750ceb5a6b8a0212483b76
SHA512 796fbf4c2bdce2ba8f16f7206d4c9fbbf59832fb93d98b99e476bb587db95348b6f77b368cf29bc6c763c245fbce7866bb711e0f7304a0dfed3ebfb4ce702494

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 adb29a2b3d4aae105be1eca35da10afc
SHA1 8496caa674d5bd59c37340e949871e6a33a6a6a9
SHA256 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7
SHA512 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 eb8346a0216dc0e4d020f86a5b55e039
SHA1 bdeef0988ae0d98cac6c70c4df21cadefe50b84a
SHA256 44577c4679dfee2b8e52f18ceca68928b340e4d3e4d112c64e05a39804656d47
SHA512 5e1d2fe839820c1beac51feb638ecc6ba7d7f0457deb3bb2f959ac630798809fed32f18ca03f4c6b117f6dec36880951b9a64f239f58f400e2d044e97f37258a

memory/880-380-0x00000000002B0000-0x00000000002D0000-memory.dmp

memory/1608-382-0x0000000000040000-0x0000000000AED000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a97b7709ded87e52ee06c4b8b181034c
SHA1 b9d7b8477766d6316329c395eb38cc9fd914a00a
SHA256 9f470f144df5ad788b012450bdb5ae2007221434974ae64390081ec523e30169
SHA512 b8b9af25459da9e60935a0ffb807d8e3df291e7003f18f1b904817562c345c7652f249121d4ceed48c2d3d013a72393ed3637b74f91f602a6105ac60e55e53f0

memory/1136-386-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2864-403-0x0000000002660000-0x0000000002A58000-memory.dmp

memory/2864-404-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 c9f33f28eed7e5ef28539d920e5685f6
SHA1 bb13ffd57496502fcf29f1b2401c7920147b6e5c
SHA256 0f1b027e2fb53cc6a328eef93796f2c84ccb35831ad10ed6b2cf8e7a8e0e1059
SHA512 eccd54e3d743077b2c1af665d309df3c53cb47e8b8798900d87e98e4ff99e662719aff3353b6fe5f818cdcbeb36bbb0e1c0318a4a2e5029ac12a55fa9c5af2bc

\Windows\rss\csrss.exe

MD5 e11e8197f21bfdc9f3cd6513c691cee7
SHA1 1059b05c18922862fa877f54fa7ac6dfe0159c52
SHA256 d9af93732e02f73dcc88182f58feef91c9821c9f6e40a97fb3b07dd3577fc55a
SHA512 3a454d5c5b8100b0f07431d15ef343e611b55009da359a2a5a8ed2830ed7285765b64c025fed5c559b30741fc28e87fab1f14adec558ce989b870d017960e608

C:\Windows\rss\csrss.exe

MD5 dd76b1ea2a8bf2f7e800e0a11f01f5e9
SHA1 d31c1ff5b3bfff45af20f5fce0579b80819c5390
SHA256 98ddd0a4e39f3693a0bdda3844934a3211e119eee2d5155e17778b0af18e6b89
SHA512 2b3118524ede04678a6306af55dff202a5dbd1a5443bd815dc6a7e3122518ca3593841b942b46b04c3053e553cf20c8baca39461f27cc7fe5d293e26050b2508

memory/2864-427-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1020-439-0x0000000002820000-0x0000000002C18000-memory.dmp

memory/1020-440-0x0000000000400000-0x0000000000D1C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-27 01:41

Reported 2024-02-27 01:44

Platform win10v2004-20240226-en

Max time kernel 123s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11A4.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\CE9C.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D341.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4776 set thread context of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2934.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2934.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\2934.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2934.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3536 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3536 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3536 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0C0.exe
PID 3536 wrote to memory of 4480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3536 wrote to memory of 4480 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4480 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 4604 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3536 wrote to memory of 4776 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 3536 wrote to memory of 4776 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 3536 wrote to memory of 4776 N/A N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 4776 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\CE9C.exe C:\Users\Admin\AppData\Local\Temp\CE9C.exe
PID 3536 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\D341.exe
PID 3536 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\D341.exe
PID 3536 wrote to memory of 2872 N/A N/A C:\Users\Admin\AppData\Local\Temp\D341.exe
PID 3536 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe
PID 3536 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe
PID 3536 wrote to memory of 1360 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe
PID 1360 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp
PID 1360 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp
PID 1360 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\DC4A.exe C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp
PID 396 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Windows\SysWOW64\schtasks.exe
PID 396 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Windows\SysWOW64\schtasks.exe
PID 396 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Windows\SysWOW64\schtasks.exe
PID 396 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 396 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 396 wrote to memory of 492 N/A C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3536 wrote to memory of 4784 N/A N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe
PID 3536 wrote to memory of 4784 N/A N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe
PID 3536 wrote to memory of 4784 N/A N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe
PID 4784 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4784 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4784 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4784 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4784 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4784 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\11A4.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 2660 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2660 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2660 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3536 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\2934.exe
PID 3536 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\2934.exe
PID 3536 wrote to memory of 2840 N/A N/A C:\Users\Admin\AppData\Local\Temp\2934.exe
PID 3112 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3112 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
PID 2660 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
PID 2660 wrote to memory of 4664 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
PID 1196 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1196 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 1196 wrote to memory of 4796 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\Conhost.exe
PID 3536 wrote to memory of 3676 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BBE.exe
PID 3536 wrote to memory of 3676 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BBE.exe
PID 3536 wrote to memory of 3676 N/A N/A C:\Users\Admin\AppData\Local\Temp\5BBE.exe
PID 1196 wrote to memory of 1804 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Users\Admin\AppData\Local\Temp\C0C0.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C620.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C620.dll

C:\Users\Admin\AppData\Local\Temp\CE9C.exe

C:\Users\Admin\AppData\Local\Temp\CE9C.exe

C:\Users\Admin\AppData\Local\Temp\CE9C.exe

C:\Users\Admin\AppData\Local\Temp\CE9C.exe

C:\Users\Admin\AppData\Local\Temp\D341.exe

C:\Users\Admin\AppData\Local\Temp\D341.exe

C:\Users\Admin\AppData\Local\Temp\DC4A.exe

C:\Users\Admin\AppData\Local\Temp\DC4A.exe

C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp" /SL5="$90118,2424585,54272,C:\Users\Admin\AppData\Local\Temp\DC4A.exe"

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s

C:\Users\Admin\AppData\Local\Temp\11A4.exe

C:\Users\Admin\AppData\Local\Temp\11A4.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\2934.exe

C:\Users\Admin\AppData\Local\Temp\2934.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp

C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\5BBE.exe

C:\Users\Admin\AppData\Local\Temp\5BBE.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2452

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 996 -ip 996

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1680 -ip 1680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network

Country Destination Domain Proto

Files
