Analysis Overview
SHA256
6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Threat Level: Known bad
The file 5cddaacf9782c030db128e3ebfd8f301.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba
Lumma Stealer
Glupteba payload
Detect Socks5Systemz Payload
Socks5Systemz
DcRat
SmokeLoader
Creates new service(s)
Modifies Windows Firewall
Downloads MZ/PE file
Stops running service(s)
Reads data files stored by FTP clients
UPX packed file
Deletes itself
Executes dropped EXE
Checks computer location settings
Reads user/profile data of web browsers
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: MapViewOfSection
Suspicious use of UnmapMainImage
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Modifies data under HKEY_USERS
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 01:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 01:41
Reported
2024-02-27 01:44
Platform
win7-20240215-en
Max time kernel
77s
Max time network
150s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6E5D.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7DCA.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DA3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\152C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8DA3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FBB2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\7DCA.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2436 set thread context of 2444 | N/A | C:\Users\Admin\AppData\Local\Temp\7A41.exe | C:\Users\Admin\AppData\Local\Temp\7A41.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6E5D.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\5F28.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\152C.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\152C.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\152C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe
"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
C:\Users\Admin\AppData\Local\Temp\6E5D.exe
C:\Users\Admin\AppData\Local\Temp\6E5D.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 124
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7428.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\7428.dll
C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7A41.exe
C:\Users\Admin\AppData\Local\Temp\7DCA.exe
C:\Users\Admin\AppData\Local\Temp\7DCA.exe
C:\Users\Admin\AppData\Local\Temp\8DA3.exe
C:\Users\Admin\AppData\Local\Temp\8DA3.exe
C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp" /SL5="$4016C,2424585,54272,C:\Users\Admin\AppData\Local\Temp\8DA3.exe"
C:\Users\Admin\AppData\Local\Temp\FBB2.exe
C:\Users\Admin\AppData\Local\Temp\FBB2.exe
C:\Users\Admin\AppData\Local\Temp\152C.exe
C:\Users\Admin\AppData\Local\Temp\152C.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\5F28.exe
C:\Users\Admin\AppData\Local\Temp\5F28.exe
C:\Users\Admin\AppData\Local\Temp\nso6D84.tmp
C:\Users\Admin\AppData\Local\Temp\nso6D84.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 124
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014352.log C:\Windows\Logs\CBS\CbsPersist_20240227014352.cab
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| MX | 189.232.56.10:80 | trmpc.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| NL | 185.227.82.7:443 | | tcp |
| FR | 62.210.123.24:443 | | tcp |
| DE | 148.251.91.87:443 | | tcp |
| DE | 195.122.181.242:9001 | | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| PL | 51.68.137.186:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 148.251.91.87:443 | | tcp |
| DE | 195.122.181.242:9001 | | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| DE | 144.24.163.104:443 | | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | f5dbb6bc-e2c9-4100-ab7c-d2d6cc5c387f.uuid.statsexplorer.org | udp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
Files
memory/1956-1-0x0000000002430000-0x0000000002530000-memory.dmp
memory/1956-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1956-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1104-4-0x0000000002570000-0x0000000002586000-memory.dmp
memory/1956-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\6E5D.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/2592-17-0x0000000000CC0000-0x000000000156F000-memory.dmp
memory/2592-16-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2592-19-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2592-21-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2592-22-0x0000000000CC0000-0x000000000156F000-memory.dmp
memory/2592-24-0x0000000077830000-0x0000000077831000-memory.dmp
memory/2592-25-0x0000000000250000-0x0000000000251000-memory.dmp
\Users\Admin\AppData\Local\Temp\6E5D.exe
| MD5 | 343a5d9559a29d25e91a890b6db43cf7 |
| SHA1 | ec3b5d5b6edff0a048af32d02f0ba7a410c26e4c |
| SHA256 | d00b3e61019fdbdf38b95240dbff0d4c740f068c6dece2df8e5e46744a1aed17 |
| SHA512 | 925ada47b9561d16649153f4049d1e7fc8ce9d23dc4ce0f8eaf524dad645cee1a12e0be15b0c521d9d337fa8e29839dd930266c1ad68d70e8499061053d41767 |
\Users\Admin\AppData\Local\Temp\6E5D.exe
| MD5 | 07da0de9d1e1f35c7256751066eab517 |
| SHA1 | c0725f8aa5765b0b822ec64e8c05bff72c973245 |
| SHA256 | 04ce9df48f74b6dad9f9a0dcf2f4390bdc1c5a1ff287508759f260f052f162d4 |
| SHA512 | 64600ab629dd0735736bc410b52dbe799bb48fd7a8a4de9dfe70fed22086e138d89e7a7cf025bad5b18f21c300c8caae471ec95eec5e92572dabe4bb3a11375a |
\Users\Admin\AppData\Local\Temp\6E5D.exe
| MD5 | b8d1a5881ae3c792b819b1a043c0631b |
| SHA1 | e837a5104f49fa6159293ed37c2a809cc6bfc875 |
| SHA256 | 5474b5e83578c8fbd2ab9f82b13c85041306228b56cf1edf74e426d2c7fdd9cc |
| SHA512 | 7f0eefbaa5760832eb2903a151cc89d1e3461c01357560740b9536817aa90bf7411cd36ff521a0727e58c9fd5220069b2090a16bd1fea8c481cbe760463035b2 |
C:\Users\Admin\AppData\Local\Temp\7428.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2560-32-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2560-33-0x0000000000130000-0x0000000000136000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7A41.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/2436-41-0x0000000003420000-0x00000000035D8000-memory.dmp
memory/2436-42-0x0000000003420000-0x00000000035D8000-memory.dmp
memory/2436-43-0x00000000035E0000-0x0000000003797000-memory.dmp
memory/2444-48-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2444-51-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2444-52-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2444-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2444-53-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2444-59-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7DCA.exe
| MD5 | 724ded619685ad37a52e4c5df67ed089 |
| SHA1 | e35e67dd8806a1e8683a44bbf7c2c7094361622b |
| SHA256 | b0219ae324f2acd400a39120087753eceb6d3f2e53ec5b46240bbe95b1b7bf6d |
| SHA512 | caa18e031e461d96c4e9abc5531a5d5157fef1bbf7c79477df421c76cdcac137be5efe2ca3ae5633eaf58c9dff2c51d867f895aa84e0de6935587914881397bc |
C:\Users\Admin\AppData\Local\Temp\7DCA.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/2444-62-0x0000000000400000-0x0000000000848000-memory.dmp
\Users\Admin\AppData\Local\Temp\7428.dll
| MD5 | c63893c98236d8df8e0dd6363b504ebe |
| SHA1 | 876082f00af9318877dbd19ad499b268e144ddc2 |
| SHA256 | 41c42d40dd28ef8db44ed6a04d058e6082016bba29cda362c38f98d4eebd9b17 |
| SHA512 | 078badac8f6f81f91f44c617f50648a5678aff3797f84c75f16c57af3ed34f55871d6ff0938c3ac56300e7405929dc80d4dbfa6e8ad45449d1d0b920832bc4de |
memory/2580-66-0x0000000000290000-0x00000000002FB000-memory.dmp
memory/2444-68-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/2580-63-0x0000000002F10000-0x0000000003010000-memory.dmp
memory/2580-70-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2580-69-0x0000000000400000-0x0000000002D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\8DA3.exe
| MD5 | 7b96170ca36e7650b9d3a075126b8622 |
| SHA1 | 311068f2f6282577513123b9181283ffb01d55ce |
| SHA256 | e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6 |
| SHA512 | e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd |
memory/2592-76-0x0000000000CC0000-0x000000000156F000-memory.dmp
memory/2840-75-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp
| MD5 | 38005377c4b89dd0f8d6b99610fd2871 |
| SHA1 | 1f8ea24cf01f4e416fda0f44d9b6bcddf6631125 |
| SHA256 | e619a8b063287c5aae0ae35ab7ebb569a720f401a0e8c1fd6483c88d217c069a |
| SHA512 | fc5f8d7006ba7227aaaea8fbe740d80d6225b804a98083f73d0c4efc79b4609b535e00c3dac5e8eefcc515e0e0f0cef0e0a4c619eb9a31bb9fa34c0ff7d314c4 |
C:\Users\Admin\AppData\Local\Temp\is-13618.tmp\8DA3.tmp
| MD5 | 1756d6fc7bf4213c8f0a521cd42d0ac6 |
| SHA1 | 871962e45061751468d940000ee536794c269532 |
| SHA256 | c4b71ffb200f4b41f95b23aa3a2b90e6f87e5cd7ca4a9234e33ed441dcde7594 |
| SHA512 | 694a8b76ffd5a1b78d63b628680e8997dbc0f06c4524804cd9da4e4d015c586c5a9145190a6dc44464592ac717df83ccce53401d68cd48703f932c6340e192ad |
memory/2560-84-0x0000000002730000-0x0000000002859000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-13618.tmp\8da3.tmp
| MD5 | 521b760d731a7579746ef6c0462fe5d2 |
| SHA1 | 3bbb9d536f70345ce414cbdf6bef0edc3ffa4221 |
| SHA256 | 469152509c507b6ecd9bff94ac2cbb3083725b75b28c93d5394480a846bf42e0 |
| SHA512 | d061c8bca15d9a229fa79a3a587d15f1856d7caf1fe6e6f1d346ca70ac71d46cd83ffdc5aaeae96a4f888921ad980855c69df1915264679b8f2ecedc81d85ba7 |
\Users\Admin\AppData\Local\Temp\is-7VER2.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-7VER2.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1552-88-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2560-104-0x0000000002860000-0x000000000296E000-memory.dmp
memory/2560-105-0x0000000002860000-0x000000000296E000-memory.dmp
memory/2560-107-0x0000000002860000-0x000000000296E000-memory.dmp
memory/2444-108-0x0000000002A30000-0x0000000002B59000-memory.dmp
memory/2444-110-0x0000000002B60000-0x0000000002C6E000-memory.dmp
memory/2444-112-0x0000000002B60000-0x0000000002C6E000-memory.dmp
memory/2560-113-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2580-116-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2840-117-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1552-118-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FBB2.exe
| MD5 | 09daace6074ca06ea3737d622083d5dd |
| SHA1 | eb5e13591e3e86cfd51c0f284ca323aace0d1501 |
| SHA256 | bb7d28c3a4d3efc1b473a7b07c4d4af8ce775d1461eae61f6913c81b745997b2 |
| SHA512 | b5eff759b219614869d18b50fe80490a75a76db474f5f55d783b991f7fb5ecbc7b904a956a42badb6e6b9b08921b9dc00e567ff786b7ea315a9222c6944cc541 |
C:\Users\Admin\AppData\Local\Temp\FBB2.exe
| MD5 | 17558b05d8c1b74da7640238b8240500 |
| SHA1 | 2310d0cc2e8174e0fc3dee507d90ecbc22f7d32e |
| SHA256 | a239217b8a4b0ea6bc796a71069fddd2cf40d6ceaeb8c105799a28244d6f1eba |
| SHA512 | ae3d83c15c0f26ae70d1427ad11b100c359cd73c1746e146d81d18434e5045f75f1c766428e318cf89a53dd52f308f665aeb4a6e7887fb4e43100cca0736f07a |
memory/1732-126-0x00000000011A0000-0x0000000001A56000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\152C.exe
| MD5 | 0ca68f13f3db569984dbcc9c0be6144a |
| SHA1 | 8c53b9026e3c34bcf20f35af15fc6545cb337936 |
| SHA256 | 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a |
| SHA512 | 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | b8bbbebf6a96db29f8a6c2c3e2726b72 |
| SHA1 | 074958a02f3c65261dfe5d4c349b7af4849ee707 |
| SHA256 | 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39 |
| SHA512 | 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74 |
memory/1136-152-0x00000000026D0000-0x0000000002AC8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 76b128828f81877a5adfad5eb220a4fd |
| SHA1 | ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4 |
| SHA256 | 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5 |
| SHA512 | 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 4b0c012a59404fe817f1f6b79b83aa74 |
| SHA1 | 645324aa66bc9b7b7074d6d0be8f917e05e0095e |
| SHA256 | 9f982dd9649c268011003f805c41db3d2e1df629aefd9c35724626c87bae8f44 |
| SHA512 | 8821467c4fc3768ecc6d86e8e1c8e9261a9b0d3baed0ebe85bb0b36bf884657dbdf5a24b481cfec21408cddcf39db3746248c7edce3627bda07cbf3b44aaf56a |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 65c145064bb3e087c2ec0ae6034c2df0 |
| SHA1 | 5ec0f6d5fa4a931f5964c709ed79efae1520fefe |
| SHA256 | 2d8e8d5d3302cf18163d55b4e452c95fcec38931dcc8acf3ad2e0c2d8740376e |
| SHA512 | 7a87a15a1df889f38994f9a26313ab040ae596a7faeeb07faa556d932235486a295a2039fb3b70c0d5c806e136dfdb2c0ccfd58a17e7a68b1594559c59933f3f |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | b45b646c5c3131dbbb69c15d98255ab1 |
| SHA1 | 391cb13c4a7d43b683444f6c3a87305de5004a37 |
| SHA256 | e107f6f456b4f9c1138e7e0f1c7d4b88db97f62cb5e624da3e574d59681dd7a1 |
| SHA512 | 13edee5cc6e7a05339aeb9ac4c91f7c787ba887192523f977a4eaac61aeecaccad01791ebee78ddf51196563397a3d52b064af0c897c241e6caf0466c9b7f479 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | c0a62641779a00a6ee4c01686de53107 |
| SHA1 | 1cb45213ea856f778f2dd76983420139e64d17ab |
| SHA256 | 2312e31bb06e52e177d4a7ff2bc2d508c44ee1959dfc85ba99c0c5b5f80b7fdb |
| SHA512 | 7a1cdf556bce31591885812c48f013f3d5250ed4f0e2eacd239bc9366b42a48508cc92434138cc31703a28add32a9ce3efc11a289db1b5848a75ac5c33c39303 |
memory/1732-179-0x00000000735E0000-0x0000000073CCE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | ef1a808dd52f6a60f3decad399efc547 |
| SHA1 | 63a81c82975b871239bdc61fc1c22fb705f263f2 |
| SHA256 | 771a763f010cbe0f5e8091541e5942bb4ec4a685b25fc125fc7deb7fef1e0ca6 |
| SHA512 | 233a0c76cc0c2dd7cc7ead4773539a2043f7a57e9c108e80542d13c9ee5abbe2f57ce0bd429b73336672ab76e45804eeafea4f1f3d04d0ab46615cba9d4c5f24 |
\Users\Admin\AppData\Local\Temp\nso3AA1.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | c66156682cd08ea200547907b7e5e1ea |
| SHA1 | f6778e34905907b10fe0788e3ddd5e1766a7a205 |
| SHA256 | d1605c5bec82ffd54eeff6adfe5c1a700e4633232d27e903655adeadddab2347 |
| SHA512 | 1a3da2b1c45a1a1a698c55a1dd09e1c88e174e13b7ed40dbda41f6a69077d613b7758f380dd28f29ebd9a41bc95e13e13c6fecc49c61d120e6671a4ff7fd4e3d |
memory/1104-185-0x00000000031F0000-0x0000000003206000-memory.dmp
memory/1384-188-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1384-191-0x0000000000220000-0x000000000022B000-memory.dmp
memory/1384-192-0x00000000024F3000-0x0000000002501000-memory.dmp
memory/1136-197-0x00000000026D0000-0x0000000002AC8000-memory.dmp
memory/1136-198-0x0000000002AD0000-0x00000000033BB000-memory.dmp
memory/1136-199-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1536-200-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\5F28.exe
| MD5 | e4c1d55bbdff10de1b0f44297551178e |
| SHA1 | 513c257cc4f51a76d64315675918dd02948373bc |
| SHA256 | 0cd3cb451b115f3cd9e255aec4d55e62260d201ca5a7972b222395a968c2d3f1 |
| SHA512 | 03d61076e14d08d2cfae4c7a8487e1bc7f31b4e6dce11b57fea883aaad6e9f10c2aac8030989d6c9dcd1c00251c8bdfca58b5fc2670a7d82035f4bb474974f9c |
C:\Users\Admin\AppData\Local\Temp\5F28.exe
| MD5 | 6e120337ff7bad2c1a87c123ebdbaacf |
| SHA1 | ae073d52495bb9c4ee9f52d7e510aa291ad5d693 |
| SHA256 | 488971b3b35bd6ee6b330d67fde5bdd489dadaee06a91858c8f4238b45a29ec3 |
| SHA512 | 3a62e8d8dd90a8e4808d27ed7152a5cada55338d21dff591522a3eed330be181996ba2e2f11f186e1bfe4fc456ce0670a340aff0f8120fb86dd96b91ef63c4a3 |
memory/1608-239-0x0000000000040000-0x0000000000AED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nso6D84.tmp
| MD5 | 9089c5ddf54262d275ab0ea6ceaebcba |
| SHA1 | 4796313ad8d780936e549ea509c1932deb41e02a |
| SHA256 | 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a |
| SHA512 | ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c |
memory/2580-277-0x0000000002F10000-0x0000000003010000-memory.dmp
memory/1608-278-0x0000000077830000-0x0000000077831000-memory.dmp
\Users\Admin\AppData\Local\Temp\5F28.exe
| MD5 | 540e886ceda4024a5e88f092e8a319e9 |
| SHA1 | 93e348bc5866518b4ecc3ab851d17b7d767916fa |
| SHA256 | 71ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703 |
| SHA512 | 9d343574b59d39beaec2a484abf314d91fc805acaf3f9b33b099958a535751d290986532a7f86d7f18cdfbea3774104eb62ab7756f0dfb8f98684f9daa046184 |
memory/1608-284-0x0000000000D60000-0x0000000000D61000-memory.dmp
memory/2580-285-0x0000000000290000-0x00000000002FB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 01:41
Reported
2024-02-27 01:44
Platform
win10v2004-20240226-en
Max time kernel
123s
Max time network
153s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Detect Socks5Systemz Payload
Glupteba
Glupteba payload
Lumma Stealer
SmokeLoader
Socks5Systemz
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11A4.exe | N/A |
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CE9C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\CE9C.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\D341.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4776 set thread context of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\CE9C.exe | C:\Users\Admin\AppData\Local\Temp\CE9C.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2934.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2934.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\2934.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2934.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe
"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"
C:\Users\Admin\AppData\Local\Temp\C0C0.exe
C:\Users\Admin\AppData\Local\Temp\C0C0.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C620.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C620.dll
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
C:\Users\Admin\AppData\Local\Temp\D341.exe
C:\Users\Admin\AppData\Local\Temp\D341.exe
C:\Users\Admin\AppData\Local\Temp\DC4A.exe
C:\Users\Admin\AppData\Local\Temp\DC4A.exe
C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp" /SL5="$90118,2424585,54272,C:\Users\Admin\AppData\Local\Temp\DC4A.exe"
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s
C:\Users\Admin\AppData\Local\Temp\11A4.exe
C:\Users\Admin\AppData\Local\Temp\11A4.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\2934.exe
C:\Users\Admin\AppData\Local\Temp\2934.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\5BBE.exe
C:\Users\Admin\AppData\Local\Temp\5BBE.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4664 -ip 4664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4664 -s 2452
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 996 -ip 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 996 -s 888
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1680 -ip 1680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1680 -s 612
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 92.60.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 191.202.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 172.67.171.112:80 | joly.bestsup.su | tcp |
| US | 8.8.8.8:53 | 112.171.67.172.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| MX | 187.134.82.150:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 150.82.134.187.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 104.21.60.92:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 172.67.202.191:443 | turkeyunlikelyofw.shop | tcp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| US | 185.159.70.47:46031 | tcp | |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| FR | 163.172.29.34:443 | tcp | |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| DE | 217.160.255.217:443 | tcp | |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | 25.79.12.185.in-addr.arpa | udp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | 3485e802-6144-4201-b842-9acbfa59229a.uuid.statsexplorer.org | udp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| BA | 185.12.79.25:80 | kamsmad.com | tcp |
| DE | 62.171.180.6:9001 | | tcp |
| CA | 199.58.81.140:443 | | tcp |
| US | 8.8.8.8:53 | 6.180.171.62.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.81.58.199.in-addr.arpa | udp |
| GB | 185.219.142.126:443 | | tcp |
| PL | 46.248.187.90:19001 | | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.142.219.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.187.248.46.in-addr.arpa | udp |
| N/A | 127.0.0.1:64851 | | tcp |
Files
memory/2044-1-0x0000000002620000-0x0000000002720000-memory.dmp
memory/2044-2-0x0000000004020000-0x000000000402B000-memory.dmp
memory/2044-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3536-4-0x0000000002FA0000-0x0000000002FB6000-memory.dmp
memory/2044-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C0C0.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/4308-15-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
memory/4308-17-0x0000000000320000-0x0000000000BCF000-memory.dmp
memory/4308-16-0x0000000000320000-0x0000000000BCF000-memory.dmp
memory/4308-21-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4308-20-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4308-22-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4308-23-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4308-25-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C620.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/4604-27-0x0000000001080000-0x0000000001086000-memory.dmp
memory/4604-28-0x0000000010000000-0x000000001020A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
| MD5 | 057d4899785c88a4b96a30efac0a7f10 |
| SHA1 | 2304be75b31060360a246617e18a147febbcd080 |
| SHA256 | 66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4 |
| SHA512 | 240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574 |
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
| MD5 | c5c406dbc57f69005ff8854f28e7bd92 |
| SHA1 | 776bc4f2f64e6767c76ae22eaaa3156e92c8693e |
| SHA256 | 784a1816912b23c7940873f956fd731a9fcf728709c53bceca0cbeadc0b3bec0 |
| SHA512 | 98dd4d749ec7e58f4eb4947e412e1c3d4d5ca28a98fb51d339a6a957acfe8bcae85cb54ef3627b31a9a95659a79f31637f97a6efd0efc43859caa254d447bc32 |
memory/4776-36-0x0000000003AE0000-0x0000000003C97000-memory.dmp
memory/4776-35-0x0000000003810000-0x00000000039D4000-memory.dmp
memory/3800-37-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4308-40-0x0000000000320000-0x0000000000BCF000-memory.dmp
memory/3800-41-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3800-39-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CE9C.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/3800-42-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3800-43-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3800-44-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3800-47-0x00000000009E0000-0x00000000009E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D341.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/2872-55-0x0000000002FF0000-0x000000000305B000-memory.dmp
memory/2872-54-0x0000000003070000-0x0000000003170000-memory.dmp
memory/2872-57-0x0000000000400000-0x0000000002D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DC4A.exe
| MD5 | b86998919a4e1da5fb28476eae12fa97 |
| SHA1 | 702e008237e7af5035dd6c4d2bfed471638e19ed |
| SHA256 | 9d28a37835a289dc4327d08651a0cbe33cc319b3600797892d4229762030d783 |
| SHA512 | 18e67397ba6ed962b8fe4011c3822a74ef913b7a3a3c3083b4ca3319183b9f886c699a0027419f0de1c635c2fe3a084f2f6f4c0246369385079a131abe7db9d5 |
memory/1360-63-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KQHEP.tmp\DC4A.tmp
| MD5 | 951ac648539bfaa0f113db5e0406de5b |
| SHA1 | 1b42de9ef8aaf1740de90871c5fc16963a842f43 |
| SHA256 | bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe |
| SHA512 | 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d |
C:\Users\Admin\AppData\Local\Temp\is-Q3AG6.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/396-78-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
| MD5 | 5a27f80f19bad67851d9ffd9bf89b73c |
| SHA1 | f5e92bee67485d24bcddb8d625d37d40617bee7d |
| SHA256 | 65ed6870aa83fae8073b13a096070addb4cf9eaf58c3f6841ffd0b83e4045971 |
| SHA512 | 9925c7711720417e0720afbedacf714e013e9ca865e278ba2dde75699d556f152280974d524a70627a410956b84e5662f3e96a1c7c354d17738a2b1454537f53 |
memory/1804-108-0x0000000000400000-0x0000000000720000-memory.dmp
memory/1804-109-0x0000000000400000-0x0000000000720000-memory.dmp
C:\ProgramData\WBICreatorService 6.5\WBICreatorService 6.5.exe
| MD5 | fef5329b1845b83431efb891038c6277 |
| SHA1 | 8c915dd7fd63a64b8551d4c8d69d68ab6ebdfcce |
| SHA256 | 81f0a4363167015c0556692a14b5f70898a1d11962d2b6b25058fbb12c12fab4 |
| SHA512 | 69c9ecb56e3d83dc09c2aefc451402190a371a014c3ec9c56f70328358307be4d1db9b08c77456adaf028203e62c39296bac4019ede05d5f3aff16fca59a45c8 |
memory/1804-112-0x0000000000400000-0x0000000000720000-memory.dmp
C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
| MD5 | 124477310352537f16c4a6c89204050d |
| SHA1 | 05bf58eaa2ad2d229cd312772a0300a853fa7d98 |
| SHA256 | 928392fd3e6a51f0f77cbfe99a6d724f8450175d54fd9977d4d161d6130aa907 |
| SHA512 | 495c85ef55f642f2c8611416fb90cd13075b3000b2eea191bd6473e5512aeecc450c472880ff148705b32489226c965fdc761a7165fba1a4223d4e8bb89705e3 |
memory/492-116-0x0000000000400000-0x0000000000720000-memory.dmp
memory/4604-117-0x0000000002F30000-0x0000000003059000-memory.dmp
memory/3800-118-0x0000000002DB0000-0x0000000002ED9000-memory.dmp
memory/4604-119-0x0000000003060000-0x000000000316E000-memory.dmp
memory/4604-120-0x0000000003060000-0x000000000316E000-memory.dmp
memory/4604-122-0x0000000003060000-0x000000000316E000-memory.dmp
memory/3800-124-0x0000000002EE0000-0x0000000002FEE000-memory.dmp
memory/3800-126-0x0000000002EE0000-0x0000000002FEE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\11A4.exe
| MD5 | d101cd01ca4fb8de723665804c9e8fb7 |
| SHA1 | a5a9513a2f0154f9b18403bc2c52d9bb8afb1850 |
| SHA256 | 1f913f7c8875124161e54fb7a4ad98c872584b0cadb72cb63e7a74dda366a169 |
| SHA512 | 2f811a7f51feca560cbfd4bdd9e596371a42d3da32cd6fc6320d94533f48545e1e7ae1bf1cf2a14c3ee1085b2bef220ceac0a91f85c43ead9fcbed889060afa3 |
C:\Users\Admin\AppData\Local\Temp\11A4.exe
| MD5 | fa436ac081f0353e4c8a7a20547280d5 |
| SHA1 | 7c2006a60a591139e619190b9ff1663d22e7c761 |
| SHA256 | 01f3d6aa8bb750c954f544e8b466c10807cbe274429b07a81155fba8e9e006a6 |
| SHA512 | a4693cf957b52f05c99d42901ab7403a78ce4272e9825732d2242eb0e3dafb45e882b4068e7fb0ec5d36f345ead4e691100213b3732d6684f04655b409a3c27c |
memory/4784-132-0x0000000000160000-0x0000000000A16000-memory.dmp
memory/4604-131-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2872-135-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/1360-137-0x0000000000400000-0x0000000000414000-memory.dmp
memory/396-138-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/492-139-0x0000000000400000-0x0000000000720000-memory.dmp
memory/4784-141-0x0000000073020000-0x00000000737D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | aaf0bb37ae70edf36b650977fe25658f |
| SHA1 | dec39feae72f0c5ae84775303e543ca353de6256 |
| SHA256 | bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06 |
| SHA512 | d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 89848a95cf00ff11f64f2f17b36cf096 |
| SHA1 | 0b457b1790674539c7c8309ef7ed1c9751fbfdbb |
| SHA256 | 8d585e24302b62dc845fa00622dc2486f2927a4307f780096cbf049bb7d4d4c9 |
| SHA512 | 8ccdb4cb7359c5b3c73621a7ff556432a412fe7b9b3cc998312f80f11de3b3c2321c2f200bf13d56fec0829512a9b8caa031d8ccae04ab47dd01af8192fc87ab |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d3c015d761ac4697c31779ebd67685fe |
| SHA1 | 6eda243187265592a404feca52bf612ddc66e396 |
| SHA256 | 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea |
| SHA512 | 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 4b0c012a59404fe817f1f6b79b83aa74 |
| SHA1 | 645324aa66bc9b7b7074d6d0be8f917e05e0095e |
| SHA256 | 9f982dd9649c268011003f805c41db3d2e1df629aefd9c35724626c87bae8f44 |
| SHA512 | 8821467c4fc3768ecc6d86e8e1c8e9261a9b0d3baed0ebe85bb0b36bf884657dbdf5a24b481cfec21408cddcf39db3746248c7edce3627bda07cbf3b44aaf56a |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 029a5147d2f0d080800b095d06298a55 |
| SHA1 | 6d53b0c00f128318d23de9db082989e30369baad |
| SHA256 | cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566 |
| SHA512 | b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 147b6aa5bd0222e5d58af8984b073c56 |
| SHA1 | 399923e38ba252bffbe5c13b39bcbf41798e15f5 |
| SHA256 | 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9 |
| SHA512 | c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70 |
C:\Users\Admin\AppData\Local\Temp\nsc23B1.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/4784-174-0x0000000073020000-0x00000000737D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 6e1c3da5e773acb3dfd13e38cd9c1898 |
| SHA1 | b9fb4c0bef05310d6528a1fb47dd702970302c56 |
| SHA256 | 7d5ba777ef0835d0a7f38587ac7f6ba1a96a1288114f6157b55ede2d35658ff0 |
| SHA512 | 814bfcac9800d5956fe2cd5dcf23f26fb6572386f829c58fd2a3eea3061a37d312e1766568595bf2e3bd33c3fababe220c8eac4d79712d2170cb3c6711e70ad5 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 03cb6141bacb061643b98c2742177f33 |
| SHA1 | cf55025b420a42639480aa1c47cb9037c82336d0 |
| SHA256 | df35d9cb0d209fd3ebaa5d258866e640d980278005bd3f5ebd100acac73c38b9 |
| SHA512 | d55bb9dc9222e23b776a44210e0d2fccf499db1c74c9401b4d267ca9e219e172c9f004445bf719c8290bb95d1737b62bd155b4ec50ee51a66626d1d586d0d1b4 |
C:\Users\Admin\AppData\Local\Temp\2934.exe
| MD5 | 0ca68f13f3db569984dbcc9c0be6144a |
| SHA1 | 8c53b9026e3c34bcf20f35af15fc6545cb337936 |
| SHA256 | 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a |
| SHA512 | 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d |
memory/2872-190-0x0000000003070000-0x0000000003170000-memory.dmp
memory/3112-191-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/996-197-0x0000000002DC0000-0x00000000036AB000-memory.dmp
memory/996-192-0x00000000029C0000-0x0000000002DC0000-memory.dmp
memory/996-198-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsh3035.tmp
| MD5 | 9089c5ddf54262d275ab0ea6ceaebcba |
| SHA1 | 4796313ad8d780936e549ea509c1932deb41e02a |
| SHA256 | 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a |
| SHA512 | ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/492-214-0x0000000000400000-0x0000000000720000-memory.dmp
memory/996-215-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3112-216-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/2840-217-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5BBE.exe
| MD5 | b10895f77c325310116cfc47095d9252 |
| SHA1 | 4c1ae27fef692ec05ff826aa7eaab519ae5a8e06 |
| SHA256 | 851657de20aed9fdce10b608dce83523d137771c2e1e9582f8d9eecff5a14453 |
| SHA512 | d21cca7801fcf891e88b39378a7f06179577b218f5660f4cc049b16f03f7bf8f910370734af7b005cf17bc5769fb6aef868e6659a1a648cf374c70d4aa9a7910 |
C:\Users\Admin\AppData\Local\Temp\5BBE.exe
| MD5 | 0df5a7dfe70377a12ff756cc94d58f74 |
| SHA1 | b3a7875a676bdff82c90df9c0387083b981d817b |
| SHA256 | 2ef4171ff38cbc98e2a6641d949d88704fddb1a05402ff262fc64f91e9654e39 |
| SHA512 | f2dafef94ad9ed81e0e8078512b4ab961546baf32d4c95b19a6e25715392cf03c5ebf4926a75fcdd0a220d1e8ede888ed6eeda355c5afdc35f0db3103fdae523 |
memory/4664-224-0x0000000000400000-0x00000000022D9000-memory.dmp
memory/492-221-0x0000000000400000-0x0000000000720000-memory.dmp
memory/2840-225-0x0000000002480000-0x0000000002580000-memory.dmp
memory/2840-226-0x0000000002440000-0x000000000244B000-memory.dmp
memory/4664-227-0x0000000003F10000-0x0000000003F37000-memory.dmp
memory/3676-228-0x0000000002A10000-0x0000000002A11000-memory.dmp
memory/3676-229-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/3676-230-0x0000000002CB0000-0x0000000002CB1000-memory.dmp
memory/4664-231-0x0000000000400000-0x00000000022D9000-memory.dmp
memory/3676-232-0x0000000002CC0000-0x0000000002CC1000-memory.dmp
memory/3676-233-0x0000000002CD0000-0x0000000002CD1000-memory.dmp
memory/3676-235-0x0000000002CE0000-0x0000000002CE1000-memory.dmp
memory/4664-236-0x0000000002570000-0x0000000002670000-memory.dmp
memory/3676-242-0x0000000002CF0000-0x0000000002CF1000-memory.dmp
memory/3676-240-0x00000000000A0000-0x0000000000B4D000-memory.dmp
memory/396-245-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/3676-247-0x0000000002D00000-0x0000000002D32000-memory.dmp
memory/3676-249-0x0000000002D00000-0x0000000002D32000-memory.dmp
memory/2840-251-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/3676-253-0x0000000002D00000-0x0000000002D32000-memory.dmp
memory/3676-254-0x0000000002E80000-0x0000000002EC0000-memory.dmp
memory/3676-297-0x00000000000A0000-0x0000000000B4D000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 324f381f61901b22956e42cf3d16847f |
| SHA1 | 6b9c22fb8f4bff91f411d18c8fa50188b8e3465e |
| SHA256 | 74bee24ebac144ece1c4a7e2073bf7b7667e60a7c2cac2d2dc0a20dd2841288a |
| SHA512 | db16516efdeb9a8f4bf3ea5166312e4d3af08d582e36d4cbbcb55b1e2a3e08d512ea2ba06268b6140796dfb2ebcdda6de613d304b8cfeede7b1eac540f504553 |
memory/3900-338-0x00007FFEFA110000-0x00007FFEFABD1000-memory.dmp
memory/3900-344-0x000001BC2B920000-0x000001BC2B942000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ibklmn3u.cxb.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3900-360-0x000001BC43D30000-0x000001BC43D40000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/3900-364-0x000001BC43D30000-0x000001BC43D40000-memory.dmp
memory/492-375-0x0000000000400000-0x0000000000720000-memory.dmp
memory/3900-376-0x000001BC43D30000-0x000001BC43D40000-memory.dmp
memory/3900-377-0x000001BC43D30000-0x000001BC43D40000-memory.dmp
memory/4664-378-0x0000000000400000-0x00000000022D9000-memory.dmp
memory/492-388-0x0000000000400000-0x0000000000720000-memory.dmp
memory/492-392-0x00000000008B0000-0x0000000000952000-memory.dmp
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | d5ac8347ec7fe6b3267af60cf71255a7 |
| SHA1 | f8258729ec532f3161b0affd5082fbb5b194805d |
| SHA256 | ee209b00280174cb7429c8540fd48f9fdee1634cdc26a6639b32af6f0cbc1c27 |
| SHA512 | 7fc29e5305f71df670ad85ea59a7d30b89dbee5183fb4e5f670a7a7c17a0b0c4898177ac6e4d1d401dddf7c38e106f9ff1f5ca2f33a399009232bcb0a5b47296 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | d36d5fcf6f7e6c67304fed7123a7f816 |
| SHA1 | e8fd7e15c0e589532c8c2f908f68db1c39b326c5 |
| SHA256 | 1a50d506c0ff940abf59a98a627d7be435a0cdd2f5beb9271a3c5a362ed76657 |
| SHA512 | 39927f760d26def097777f2db9f4267ea226f5c36ad96073572be241293975ccaade37b7d491b4894b748fcc2827a5e1152dfb7bef33eec9bc6b992ae00a02fa |
memory/996-414-0x00000000029C0000-0x0000000002DC0000-memory.dmp
memory/3112-413-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/996-415-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1948-416-0x00007FFEFA110000-0x00007FFEFABD1000-memory.dmp
memory/1948-418-0x000001781BC80000-0x000001781BC90000-memory.dmp
memory/1948-419-0x000001781BC80000-0x000001781BC90000-memory.dmp
memory/3900-433-0x00007FFEFA110000-0x00007FFEFABD1000-memory.dmp
memory/4772-438-0x0000000002F20000-0x0000000002F56000-memory.dmp
memory/4772-439-0x0000000005790000-0x0000000005DB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | a8c70b8503cf28727a8ab611f388ac76 |
| SHA1 | a841b20bb496d1f052fc4d479ab90b73e988fa0d |
| SHA256 | fe5a07e1f54145e52034c341c79c66de11c8ea1e8ba9a0f1c27a82211a225a2e |
| SHA512 | a7cf09cd58029d7f035672921c968ba485626263daac008b777a9291f4f51f170593a4919240c57867304fa2be8db2db7b7c62d8ed44c35b6dbc8f30601438b9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | ce2b1a4f202246cc4a91341b3462f9d6 |
| SHA1 | 28f8f379304bef33cae2cefe9fe12e651b8d6950 |
| SHA256 | ebb114bcbee927b1a1a65374f36faec78a6ee3ad5397f57e6cd5a6c9dd9ecc6d |
| SHA512 | fda52513711ba70f5d150799dd6855c8f5f2690614d0a204b57cc4318ffd0f125c61e066d93e98062e1af34a78a640e04a3faa22639f6badaf929e3774f6d654 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 5e7dd5caa09ee25339afb81210ca724a |
| SHA1 | 7ab191c78c2328a8c1688d6cc69649cd8d649b6c |
| SHA256 | 0521d2c2c37bf489c7146f601dc1cf22602adf75510630c9f74f1c63f0eb2d4b |
| SHA512 | 19e4561fded33f834ee4aa1c66e4add4a6cb5959e014fb612f2401f18b99f1b2e89e5fad767fd26db6b0ac0713bae40a5dcf6701f698137269e305b72f9c9341 |
C:\Windows\rss\csrss.exe
| MD5 | b8c50d741d429e4cd6210293c0f0d881 |
| SHA1 | 059f1aa663f344b66b7ab96bd092bfd08ef6b091 |
| SHA256 | 862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b |
| SHA512 | b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096 |
C:\Windows\rss\csrss.exe
| MD5 | 34666eafe0fffb6a73e31c1e09ecac4f |
| SHA1 | ffd5c92070e4a8fab8f8095316d73ccd485f6294 |
| SHA256 | d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232 |
| SHA512 | 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d00678065bb6c27633c75d2af0029f49 |
| SHA1 | 95cf1326576f434a488e9d31b35e81c30cb00973 |
| SHA256 | a0848387cc5e0fed636f4deb7d631354d94e08cab2115653a1ac2e6b21cbcec0 |
| SHA512 | 580398d6a66e1007a45c532fe38f8df91bf76b776159404f3e24e327e3da68ab12ad7b0d1f86662bca795cfa77dfd12aa77757db5b122734de52b35400cd3294 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | a837ad6506341ec3f01cb6058910cf26 |
| SHA1 | 73157c603a4d84404e8080b5d44eb3e84c09befb |
| SHA256 | 40d507ab22907dd795d552ebddca1c5b1f94eba9bbe6ddf1f5aa898481c059bc |
| SHA512 | 30ffee1e72b3892f6ba96a28a0ec503830bc3a6472cff15ca53f60459dd66a90beafa82415194a4ef5d04a8a7058fedb1e4a4800fcd60a3c79321eebdcf6bac8 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d5e575668b4402e3c78cc94470e366d7 |
| SHA1 | af90b0df5d61297a1413d8bd234bc9f5ea05e1be |
| SHA256 | 2f35e04df286e597f0d3795f62c6c93546604e7e22fa8281463ff8513326b361 |
| SHA512 | 1370a6d525c13d743d7c473d7869ecdeeec27f49f95474d3a2ed2cf11eb378cc6e1caf901dad096b8c84806f31dd625c0eb9d5486f420b472777089c1e41779d |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | adb29a2b3d4aae105be1eca35da10afc |
| SHA1 | 8496caa674d5bd59c37340e949871e6a33a6a6a9 |
| SHA256 | 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7 |
| SHA512 | 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9 |