Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-f6qvsshc97
Target 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe
SHA256 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524
Tags
dcrat glupteba smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524

Threat Level: Known bad

The file 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx lumma

Glupteba payload

Glupteba

DcRat

Lumma Stealer

SmokeLoader

Detects executables packed with VMProtect.

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables Discord URL observed in first stage droppers

Detects Windows executables referencing non-Windows User-Agents

Detects executables containing artifacts associated with disabling Windows Defender

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects executables containing URLs to raw contents of a GitHub gist

UPX dump on OEP (original entry point)

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detect binaries embedding considerable number of MFA browser extension IDs.

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Creates new service(s)

Reads user/profile data of web browsers

UPX packed file

Deletes itself

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 05:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 05:29

Reported

2024-02-27 05:31

Platform

win7-20240221-en

Max time kernel

115s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Detect binaries embedding considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a GitHub gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\CFFE.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D665.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2844 set thread context of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240227053107.cab C:\Windows\system32\makecab.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\etgaufb N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\etgaufb N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6493.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6493.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6493.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\etgaufb N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe
PID 1192 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe
PID 1192 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe
PID 1192 wrote to memory of 2672 N/A N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe
PID 2672 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe C:\Windows\SysWOW64\WerFault.exe
PID 2672 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\BC1E.exe C:\Windows\SysWOW64\WerFault.exe
PID 1192 wrote to memory of 2400 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2400 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2400 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2400 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1192 wrote to memory of 2400 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2400 wrote to memory of 2416 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1192 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 1192 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 1192 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 1192 wrote to memory of 2844 N/A N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 2844 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\CFFE.exe C:\Users\Admin\AppData\Local\Temp\CFFE.exe
PID 1192 wrote to memory of 668 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1192 wrote to memory of 668 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1192 wrote to memory of 668 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 1192 wrote to memory of 668 N/A N/A C:\Users\Admin\AppData\Local\Temp\D665.exe
PID 640 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\etgaufb
PID 640 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\etgaufb
PID 640 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\etgaufb
PID 640 wrote to memory of 1228 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\etgaufb
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1192 wrote to memory of 1976 N/A N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 1976 wrote to memory of 332 N/A C:\Users\Admin\AppData\Local\Temp\FECD.exe C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
PID 332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 332 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 1192 wrote to memory of 1904 N/A N/A C:\Users\Admin\AppData\Local\Temp\4907.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe

"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"

C:\Users\Admin\AppData\Local\Temp\BC1E.exe

C:\Users\Admin\AppData\Local\Temp\BC1E.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C8FB.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C8FB.dll

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

C:\Users\Admin\AppData\Local\Temp\D665.exe

C:\Users\Admin\AppData\Local\Temp\D665.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {DE9C9D23-C790-46CA-B566-B32E86106C38} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\etgaufb

C:\Users\Admin\AppData\Roaming\etgaufb

C:\Users\Admin\AppData\Local\Temp\FECD.exe

C:\Users\Admin\AppData\Local\Temp\FECD.exe

C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp

"C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp" /SL5="$E015A,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FECD.exe"

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s

C:\Users\Admin\AppData\Local\Temp\4907.exe

C:\Users\Admin\AppData\Local\Temp\4907.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\6493.exe

C:\Users\Admin\AppData\Local\Temp\6493.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp

C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\9F24.exe

C:\Users\Admin\AppData\Local\Temp\9F24.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 124

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053107.log C:\Windows\Logs\CBS\CbsPersist_20240227053107.cab

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
SE 45.15.16.116:9001 tcp
SG 116.12.180.237:7443 tcp
FI 95.216.33.58:443 tcp
US 172.241.224.145:443 tcp
PL 95.214.53.96:8445 tcp
N/A 127.0.0.1:49348 tcp
US 172.241.224.145:443 tcp
PL 95.214.53.96:8445 tcp
N/A 127.0.0.1:52440 tcp
US 8.8.8.8:53 trmpc.com udp
MO 122.100.154.145:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
N/A 127.0.0.1:52440 tcp
N/A 127.0.0.1:52440 tcp
N/A 127.0.0.1:52440 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
N/A 127.0.0.1:52440 tcp
N/A 127.0.0.1:52440 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 kamsmad.com udp
KR 211.171.233.129:80 kamsmad.com tcp
KR 211.171.233.129:80 kamsmad.com tcp
KR 211.171.233.129:80 kamsmad.com tcp
N/A 127.0.0.1:52440 tcp
KR 211.171.233.129:80 kamsmad.com tcp
US 8.8.8.8:53 a04b6ba0-262d-4d7e-9033-470e9c0c10bb.uuid.statsexplorer.org udp

Files

memory/2276-1-0x0000000002480000-0x0000000002580000-memory.dmp

memory/2276-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2276-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1192-4-0x0000000002910000-0x0000000002926000-memory.dmp

memory/2276-5-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/2276-8-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BC1E.exe

MD5 5490d7eec052f9c9455cbe620e4727df
SHA1 675d36ba9e07af1d046751ca2fad2747a1ee5beb
SHA256 4e59303b109e7c5bd5bb68de70e40867a1db560cac19d5409d60b08cffcc7e38
SHA512 24268d2426f65074ec28d5069ca1ae3e8219fc744782d1dcf1fbce7bcc476d1a835a3685d115854861cb176e2c3b9d52484f9907096e871ca66cccedfd1627ea

C:\Users\Admin\AppData\Local\Temp\BC1E.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/2672-17-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2672-19-0x0000000000FB0000-0x000000000185F000-memory.dmp

memory/2672-20-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2672-22-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2672-24-0x0000000077130000-0x0000000077131000-memory.dmp

memory/2672-26-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/2672-23-0x0000000000FB0000-0x000000000185F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C8FB.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2416-33-0x0000000000170000-0x0000000000176000-memory.dmp

memory/2416-34-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2844-42-0x00000000035B0000-0x0000000003768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

C:\Users\Admin\AppData\Local\Temp\CFFE.exe

MD5 057d4899785c88a4b96a30efac0a7f10
SHA1 2304be75b31060360a246617e18a147febbcd080
SHA256 66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4
SHA512 240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574

memory/2844-43-0x00000000035B0000-0x0000000003768000-memory.dmp

memory/2844-44-0x0000000003770000-0x0000000003927000-memory.dmp

memory/2088-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2088-49-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2088-59-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2088-53-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2844-52-0x00000000035B0000-0x0000000003768000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D665.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/668-62-0x00000000031D0000-0x00000000032D0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 05:29

Reported

2024-02-27 05:32

Platform

win10v2004-20240226-en

Max time kernel

79s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Detects binaries embedding a considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\29DF.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\E07F.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\E419.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4416 set thread context of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3867.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3867.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\htuivrc N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\htuivrc N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3867.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\htuivrc N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3412 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\D38C.exe
PID 3412 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\D38C.exe
PID 3412 wrote to memory of 1372 N/A N/A C:\Users\Admin\AppData\Local\Temp\D38C.exe
PID 3412 wrote to memory of 5040 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3412 wrote to memory of 5040 N/A N/A C:\Windows\system32\regsvr32.exe
PID 5040 wrote to memory of 2600 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5040 wrote to memory of 2600 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5040 wrote to memory of 2600 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3412 wrote to memory of 4416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 3412 wrote to memory of 4416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 3412 wrote to memory of 4416 N/A N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 4416 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\E07F.exe C:\Users\Admin\AppData\Local\Temp\E07F.exe
PID 3412 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E419.exe
PID 3412 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E419.exe
PID 3412 wrote to memory of 3780 N/A N/A C:\Users\Admin\AppData\Local\Temp\E419.exe
PID 3412 wrote to memory of 3860 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe
PID 3412 wrote to memory of 3860 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe
PID 3412 wrote to memory of 3860 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe
PID 3860 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp
PID 3860 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp
PID 3860 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\EB5E.exe C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp
PID 4460 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4460 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4460 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4460 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4460 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4460 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 3412 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe
PID 3412 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe
PID 3412 wrote to memory of 3192 N/A N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe
PID 3412 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\3867.exe
PID 3412 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\3867.exe
PID 3412 wrote to memory of 224 N/A N/A C:\Users\Admin\AppData\Local\Temp\3867.exe
PID 3192 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3192 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3192 wrote to memory of 5052 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3192 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3192 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3192 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3192 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3192 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\29DF.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3968 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3968 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3968 wrote to memory of 3804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp
PID 3968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp
PID 3968 wrote to memory of 1928 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp
PID 3804 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3804 wrote to memory of 4708 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4708 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4708 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4708 wrote to memory of 688 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3412 wrote to memory of 1088 N/A N/A C:\Users\Admin\AppData\Local\Temp\547B.exe
PID 3412 wrote to memory of 1088 N/A N/A C:\Users\Admin\AppData\Local\Temp\547B.exe
PID 3412 wrote to memory of 1088 N/A N/A C:\Users\Admin\AppData\Local\Temp\547B.exe
PID 4708 wrote to memory of 3104 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe

"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"

C:\Users\Admin\AppData\Local\Temp\D38C.exe

C:\Users\Admin\AppData\Local\Temp\D38C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DA34.dll

C:\Users\Admin\AppData\Roaming\htuivrc

C:\Users\Admin\AppData\Roaming\htuivrc

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\DA34.dll

C:\Users\Admin\AppData\Local\Temp\E07F.exe

C:\Users\Admin\AppData\Local\Temp\E07F.exe

C:\Users\Admin\AppData\Local\Temp\E07F.exe

C:\Users\Admin\AppData\Local\Temp\E07F.exe

C:\Users\Admin\AppData\Local\Temp\E419.exe

C:\Users\Admin\AppData\Local\Temp\E419.exe

C:\Users\Admin\AppData\Local\Temp\EB5E.exe

C:\Users\Admin\AppData\Local\Temp\EB5E.exe

C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp

"C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp" /SL5="$F01FE,2349102,54272,C:\Users\Admin\AppData\Local\Temp\EB5E.exe"

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s

C:\Users\Admin\AppData\Local\Temp\29DF.exe

C:\Users\Admin\AppData\Local\Temp\29DF.exe

C:\Users\Admin\AppData\Local\Temp\3867.exe

C:\Users\Admin\AppData\Local\Temp\3867.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp

C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\547B.exe

C:\Users\Admin\AppData\Local\Temp\547B.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1928 -ip 1928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1972

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
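
The command lines above are the most useful part of this process list for a detection engineer: a scheduled task whose action lives under AppData\Local\Temp, a Defender exclusion for the whole user profile and ProgramData, a service deleted with sc, regsvr32 loading a DLL out of Temp, a batch file run from Roaming\Temp, and the removal of KB890830 (the Malicious Software Removal Tool). The script below is an added example and not part of the sandbox report or its tooling: it runs a handful of regex rules, written for this example, over (image, command line) pairs copied from this list and reports which rule fired on which line. The rule names and ATT&CK mappings are my own choice; the benign cddvdspeed.exe and chcp entries are kept as negative cases.

```python
import re

# Process records copied from the Processes list of this report: (image path, command line).
# The cddvdspeed.exe and chcp entries are kept as negative cases.
SAMPLE_PROCESSES = [
    (r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DA34.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r"/s C:\Users\Admin\AppData\Local\Temp\DA34.dll"),
    (r"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe",
     r'"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "'),
    (r"C:\Windows\SysWOW64\chcp.com", r"chcp 1251"),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F"""),
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe delete "UTIXDCVF"'),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
]

# Directories a standard user can write to; a persistence action or LOLBin argument pointing
# here is far more suspicious than one pointing into Program Files or System32.
USER_WRITABLE = r"(?:\\AppData\\|\\ProgramData\\|\\Users\\Public\\|\\Temp\\)"

# Hypothetical triage rules written for this example: (rule name, compiled regex, technique note).
RULES = [
    ("schtasks_user_path",
     re.compile(r"""schtasks(?:\.exe)?\s+/create\b.*?/tr\s+["']*[^"']*""" + USER_WRITABLE, re.I),
     "T1053.005 scheduled task whose action lives in a user-writable directory"),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Extension|Process)", re.I),
     "T1562.001 Defender exclusion added with Add-MpPreference"),
    ("msrt_removal",
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I),
     "T1562.001 uninstall of KB890830 (Malicious Software Removal Tool)"),
    ("service_delete",
     re.compile(r"\bsc(?:\.exe)?\s+delete\b", re.I),
     "service removed with sc delete"),
    ("regsvr32_user_dll",
     re.compile(r"\bregsvr32(?:\.exe)?\s+(?:/\w+\s+)*\S*" + USER_WRITABLE + r"\S*\.dll", re.I),
     "T1218.010 regsvr32 loading a DLL from a user-writable directory"),
    ("cmd_bat_user_path",
     re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"*[^"]*' + USER_WRITABLE + r"[^\"]*\.bat", re.I),
     "T1059.003 cmd /c running a batch file from a user-writable directory"),
]


def triage(processes):
    """Run every rule over 'image + command line' and return hits as (rule, technique, cmdline).

    The image path is prepended because the sandbox sometimes records only the arguments
    (see the second regsvr32 entry), and the rules key on the executable name."""
    hits = []
    for image, cmdline in processes:
        text = f"{image} {cmdline}"
        for name, pattern, technique in RULES:
            if pattern.search(text):
                hits.append((name, technique, cmdline))
    return hits


def hit_names(processes):
    """Sorted set of rule names that fired at least once."""
    return sorted({name for name, _, _ in triage(processes)})


if __name__ == "__main__":
    for name, technique, cmdline in triage(SAMPLE_PROCESSES):
        print(f"[{name}] {technique}\n    {cmdline}")
```

The patterns are deliberately loose on the executable (with or without .exe, any flags in between) and strict on the one thing that separates malware from administration: the path the action points at. Tightening USER_WRITABLE to your own environment's list of directories is the first tuning step.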

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 92.60.21.104.in-addr.arpa udp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
MX 187.211.34.223:80 trmpc.com tcp
US 8.8.8.8:53 223.34.211.187.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
NL 95.211.136.23:443 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 23.136.211.95.in-addr.arpa udp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
NL 185.244.24.44:8443 tcp
PL 95.214.53.96:8443 tcp
US 8.8.8.8:53 44.24.244.185.in-addr.arpa udp
US 8.8.8.8:53 96.53.214.95.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 104.21.60.92:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 associationokeo.shop tcp
PL 95.214.53.96:8443 tcp
NL 185.244.24.44:8443 tcp
N/A 127.0.0.1:59776 tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 gdb.sz udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 gdb.sz udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ftp.eujleek.cem udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 gdb.sz udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 bbbzgbres.ge.cr udp
US 8.8.8.8:53 ftp.eujleek.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 mail.eujleek.cem udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 ftp.cruzrejb.er.cr udp
US 8.8.8.8:53 bbbzgbres.ge.cr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 ssh.ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 ojp.ce.jh udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 ojp.ce.jh udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 mail.hejmbol.cem udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ssh.eujleek.cem udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 gdb.sz udp
US 8.8.8.8:53 bbbzgbres.ge.cr udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 ftp.eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 mail.eujleek.cem udp
US 8.8.8.8:53 ftp.cruzrejb.er.cr udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 ojp.ce.jh udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mail.cruzrejb.er.cr udp
US 8.8.8.8:53 cruzrejb.er.cr udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 ssh.ybhee.cem udp
US 8.8.8.8:53 mail.hejmbol.cem udp
US 8.8.8.8:53 bbbzgbres.ge.cr udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 gmobl.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ssh.hejmbol.cem udp
US 8.8.8.8:53 ozbps.zej udp
US 8.8.8.8:53 gmobl.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 ojp.ce.jh udp
US 8.8.8.8:53 sgs.cem udp
US 8.8.8.8:53 ftp.mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 gdb.sz udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 mail.hejmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 mwblomu.jsc.ge.ke udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 mail.eujleek.cem udp
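
Two things make this table awkward to turn into indicators by hand: rows for direct-IP connections have no Domain column, and the long run of DNS lookups at the end never shows a matching TCP row, so it is not obvious which names were actually contacted. The parser below is an added example, not part of the sandbox output or its tooling. It reads rows copied from this table, handles both the three- and four-column shape, drops the in-addr.arpa reverse lookups, and separates names that were connected to over TCP from names that were only queried. The row subset and the helper names are mine.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Rows copied from the Network table of this report (a subset; header included to show it is skipped).
SAMPLE_NETWORK_ROWS = """
Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 185.244.24.44:8443 tcp
PL 95.214.53.96:8443 tcp
N/A 127.0.0.1:59776 tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 trmpc.com udp
MX 187.211.34.223:80 trmpc.com tcp
"""


@dataclass(frozen=True)
class Flow:
    country: str
    dest_ip: str
    dest_port: int
    domain: Optional[str]   # None when the row has no Domain column (direct-IP connection)
    proto: str


def parse_network_table(text):
    """Parse 'Country Destination Domain Proto' rows; Domain is optional."""
    flows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        flows.append(Flow(country, ip, int(port), domain, proto))
    return flows


def dns_queries(flows):
    """Names looked up over DNS, excluding reverse (PTR) lookups, which carry no C2 name."""
    return {f.domain for f in flows
            if f.proto == "udp" and f.dest_port == 53 and f.domain
            and not f.domain.endswith(".in-addr.arpa")}


def tcp_contacts(flows):
    """Map each TCP endpoint (domain if the row has one, else the bare IP) to the ip:port pairs used."""
    out = defaultdict(set)
    for f in flows:
        if f.proto == "tcp":
            out[f.domain or f.dest_ip].add(f"{f.dest_ip}:{f.dest_port}")
    return dict(out)


def dns_only(flows):
    """Names that were queried but never appear on a TCP row: no resolution, or no connection followed."""
    return dns_queries(flows) - set(tcp_contacts(flows))


def by_port(flows):
    """Destination IPs grouped by port, loopback excluded; non-standard ports (8443 here) stand out."""
    out = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.dest_ip != "127.0.0.1":
            out[f.dest_port].add(f.dest_ip)
    return dict(out)


if __name__ == "__main__":
    flows = parse_network_table(SAMPLE_NETWORK_ROWS)
    print("contacted:", tcp_contacts(flows))
    print("DNS only:", sorted(dns_only(flows)))
    print("by port:", by_port(flows))
```

For blocking, tcp_contacts is the list that matters; dns_only is worth keeping separately, because a name the sample queries but never reaches still fingerprints it and can be fed to DNS monitoring without implying a live server.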

Files

memory/4248-1-0x0000000002630000-0x0000000002730000-memory.dmp

memory/4248-2-0x0000000003EE0000-0x0000000003EEB000-memory.dmp

memory/4248-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/3412-4-0x00000000010A0000-0x00000000010B6000-memory.dmp

memory/4248-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D38C.exe

MD5 017e91029e84529d2f62e55ecd6bf357
SHA1 3732255ecd4d107b48143980d4af83d489ee167a
SHA256 3ae0460b36c12c770de86700901dacc02b2b7854c9579bc590d82b0e72ff1888
SHA512 9c08e1cccdabcb92027d7215a6decae237757a97650ad5c797a85e176f98d08e6ea8d1a35c0d79090149595f4d566906de19fe4882af769ea7350f4e42fff632

C:\Users\Admin\AppData\Local\Temp\D38C.exe

MD5 f024b5c63f0be482106d561d9b0fcbf4
SHA1 0273c450a41bf8df49eaae756fefc23d86c73d6d
SHA256 e3345c4b6ffad6e8a7ad15b664d80bcda9c26cba46e1c30312eb6ee748464c8a
SHA512 4610e2a371cc39cf48835723a3320fe61bcc9ffa62973f3c22291cc9555cc531372a074c249b28ad933b60e8e638cdb19bf6ac44d8e578d9ee4f8e3400c680d0

memory/1372-16-0x0000000003310000-0x0000000003311000-memory.dmp

memory/1372-18-0x0000000000FF0000-0x000000000189F000-memory.dmp

memory/1372-17-0x0000000000FF0000-0x000000000189F000-memory.dmp

C:\Users\Admin\AppData\Roaming\htuivrc

MD5 a1329151a972d67a22194a25d25d1828
SHA1 1e40ce3146eef2fabe27e50cbc715cfef4a5e8dd
SHA256 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524
SHA512 277d7c55a412f9dc3c534d458b0c6fd3102e80bdc71700a78f9b9bd66b7455d8ab7580f6ec4b4ea39d6916a6f7ecf02ab3ff8a8ae17ae3cd64fc7f71c53f6a3a

C:\Users\Admin\AppData\Local\Temp\DA34.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/1372-24-0x0000000003420000-0x0000000003452000-memory.dmp

memory/1372-25-0x0000000003420000-0x0000000003452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DA34.dll

MD5 3f4c79cf877790e86749ac31e4382796
SHA1 ff4326819edca2eaf8431a28c6238f1f72b59a2f
SHA256 5d95ec0f6b0cbf2bc4e784c329b0b872cecbf9816c5d412225d443ff65a07564
SHA512 41b011b69717e9ac53582360261e290b85e7cd5343a614e638d3cb3eb81b00e16a27ecc3d3fcb41958f8f4a7d7a6842ab6806786359ce32ced1e146b5552b31c

memory/1372-27-0x0000000003420000-0x0000000003452000-memory.dmp

memory/1372-29-0x0000000003420000-0x0000000003452000-memory.dmp

memory/2600-28-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1372-31-0x0000000003420000-0x0000000003452000-memory.dmp

memory/1372-32-0x0000000003420000-0x0000000003452000-memory.dmp

memory/2600-33-0x00000000007E0000-0x00000000007E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E07F.exe

MD5 b73b13620f82e24559a5adc75072ccc5
SHA1 152a2acdc433928c05d891af5b624efb77b14d94
SHA256 492cdaf4386e89cf3d92561c95b68984a666a1ecbcaacdece69171ae41790a3f
SHA512 99f45a110a9b576e53cc220277fcedc02d2b9fec189e7a1f31bb018703936345c8050a561e0b8551922c97aa2a5ccee15827482fc81f845dc86ed1d62dc300ed

C:\Users\Admin\AppData\Local\Temp\E07F.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/4416-40-0x0000000003AD0000-0x0000000003C87000-memory.dmp

memory/4416-39-0x0000000003900000-0x0000000003AC5000-memory.dmp

memory/2556-41-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E07F.exe

MD5 aa4d2da41beb1cff9d5e8976a6614c9b
SHA1 55220085d0eadc5801f11d13a42407abb18164ec
SHA256 070358003d65fc59726a1c10c5f12ace47a20891037abc050e63a746b61a86f7
SHA512 28d1884ae99281e8dd87d19b3a321741a8473c069531a5afdce52dc0dbd010e0af8cdb1b29d8af601b2eabb00be7a622aa35a385d5d711951a3ed35dea4d445f

memory/2556-43-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1372-47-0x0000000000FF0000-0x000000000189F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E419.exe

MD5 355d7a6ebc834664c21dfa6a879f3793
SHA1 e0ef2e7bf9fc2596141b7062c8c2e0e0d6b1ac0f
SHA256 68f8fd043507c99c1675b9343d447df1aaf61aa3587cb4d95fb0ff5d08e89b57
SHA512 20f64d6e79a0c13cb36524e7a876029c1d1fa7711d7dc472403c954fc2904c8143934f1e08d0ab91ca61ab21415c082255e9ccda5264da2d9529d5a695ae3ab1

memory/2556-46-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3780-52-0x0000000004990000-0x00000000049FB000-memory.dmp

memory/3780-53-0x00000000030F0000-0x00000000031F0000-memory.dmp

memory/2556-54-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2556-51-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E419.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/2556-56-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DA34.dll

MD5 e3b8e383022b3af2c70c8568939d4251
SHA1 05927063ad0764604bceb6259c5de23979925aca
SHA256 2b372daeba40f531192eed4cda44fdab5e0bd67de2d8fdf372fa34cf33704ad8
SHA512 8bb1c9a78f4562f5d7b7db8977f7b8e9bcb6cd9465b379332cd74f2e9795d229c6313c5622ebc89e66b178acc476e6d2da0d92495041665d989b136de2e9ea02

memory/3780-60-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2556-62-0x0000000000E50000-0x0000000000E56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB5E.exe

MD5 9f75ab2ec51429dc80b24707ff673877
SHA1 bbd7c8b5c5bcdfc2c7d7bba9b367aeb75904ed04
SHA256 51ae0e6ea809f583d46f33fce430daa6914a12075f3a1a61d7a40d53854ce282
SHA512 3cac99c3f8e69c17886b5180a5c1ac950d7dc77858b50e3712baab9ca21568f60aea61628a16c88880d421ff162a14d53d0bc8ba4a21ed8dee24d06034935209

C:\Users\Admin\AppData\Local\Temp\EB5E.exe

MD5 62221e8bbec32f20548c2a6d3f7da37c
SHA1 6bf84ef5927a25a85370b5b13bfc60cc66c8c26c
SHA256 4c4df70a91f3174faec494566999e6d5ee46964ef9bc88c4f20ee486110f80a9
SHA512 2e5c05d72da91b32024fd2dcab4c7988a29e5082e50481e9708cc4de524f8b664dee69b16dfc42bcb6da204b60678121d6f59b4333b87a19f8968630f8fd6ba5

memory/3860-67-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp

MD5 14db4253fd181e84e26eebc8f4150402
SHA1 79e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA256 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA512 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e

memory/4460-78-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LEQQ7.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\is-LEQQ7.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 a72be66ee22f712f4a71f16b2fcae13f
SHA1 f961aff1411149f6f473c5212ab131d8dce1949b
SHA256 00321d6debad0135ba2e75b0757e9837a834c29b491f13dca709214029eb1fd1
SHA512 6f14af603819260756a330c646809504eb2d2bcd86ddd88f4a1457bcfca950658fc9b876f07e1f9d8ed2360b70e866cf00ae42fb6ebd308655b09dec83cb46cb

memory/4300-119-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4300-118-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 74d1ce4a30ef1b2e0cd37d5f2add79f5
SHA1 7369b7107a273ba2cd2bcf8a97c49fc0b32382af
SHA256 6c47809191303b3b234b99cafa641f1f21d2e211b93cf3ffc7b0ad837e1805d5
SHA512 f371619db2ad2a92737d04ac001784ffed44b3b6a4ae10d154834e05c0f0c682a690de6e50aaa321fa572e486ec135439098f0d052b97e201974b48894beb2ee

memory/4300-123-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 b6306f517955df9de322322be172e7fd
SHA1 df87dd32567bd41b6cda7b119999a77085f7e415
SHA256 56916b43c77700bcbe3170def2ed5fccb94d74088bae26d8521d53b8f28cdd9e
SHA512 3cf8d03ae85a8da2cf06a2da72145533e1d69d5ea653e2a25d19acbe2d11e424bb34bf5e5f39f45114ad805fcf3e9a16051836de7ad6fffc44f1da3078cb31d6

memory/5096-126-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/2600-127-0x00000000027F0000-0x0000000002919000-memory.dmp

memory/2600-128-0x0000000002920000-0x0000000002A2E000-memory.dmp

memory/2600-129-0x0000000002920000-0x0000000002A2E000-memory.dmp

memory/2600-131-0x0000000002920000-0x0000000002A2E000-memory.dmp

memory/2600-132-0x0000000002920000-0x0000000002A2E000-memory.dmp

memory/3780-135-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/3860-136-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4460-137-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/3780-138-0x0000000004990000-0x00000000049FB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\29DF.exe

MD5 5432ccce8ac6890762a57543fc7fc6fe
SHA1 2a0dd2d54d22635f370cafc0a228fc1fe36eccce
SHA256 ad38ac932048d0129f07dd0e2149605115949f7f22fb865b279a154b247363ab
SHA512 8e4448b923f0306acfa0c7b3e5113235c1fad45f49d9a0210cd50fac2e458c03a037892ae613ec8cfc53d1e003d8be72336a3b993dc74c7beeea29e292664a88

C:\Users\Admin\AppData\Local\Temp\29DF.exe

MD5 81a4b7e8eb05ba5252fcf6f06fa1d8ad
SHA1 36e9c9a943f841a8f4b48c2f8a22ca1c32861144
SHA256 fa6d0da78f7ce3c47e7840075dcd1c5f6d90f42c815f68ce69b1b093b661bde3
SHA512 0fd7bbc145abe87470b2f878b67db0e35358fcf06a8ce82b06364e0d6e8b1712e41e0be6010f53478676622237c7e13766f934d264a8a17cdb3f83ca341d0bb4

memory/2556-145-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2556-146-0x0000000002D50000-0x0000000002E79000-memory.dmp

memory/5096-147-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/3192-144-0x00000000000D0000-0x0000000000986000-memory.dmp

memory/3192-150-0x00000000728E0000-0x0000000073090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 aaf0bb37ae70edf36b650977fe25658f
SHA1 dec39feae72f0c5ae84775303e543ca353de6256
SHA256 bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06
SHA512 d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4

C:\Users\Admin\AppData\Local\Temp\3867.exe

MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

memory/3780-164-0x00000000030F0000-0x00000000031F0000-memory.dmp

memory/2556-165-0x0000000002E80000-0x0000000002F8E000-memory.dmp

memory/224-166-0x0000000001D90000-0x0000000001E90000-memory.dmp

memory/2556-170-0x0000000002E80000-0x0000000002F8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 33173a5f01c70ff647485f5427453242
SHA1 5a8b4455ed301b4c0d9870625d7b642ad843902e
SHA256 415ae01e28996f7ac8c5178d401e04aaf324527ebd8ac050a7c0ad4632df8b18
SHA512 0a236b0ec3162ab9fa51fda9672b69cc9d6762d06bd04d2fc6ab261b2341ed854c5896ae4bd2108ad019211330e5437c0a2afd6b10093346d667cef47932cafc

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 fd7431015eb5f5ebfe9e4a7397bb7b45
SHA1 fc0bbfb3c8d8c10fa1cb9e5024431d0dc0229914
SHA256 47ccc5eb2875be84fe389eedd4c9cccfe54ccd3acd4fc7ebfb5edd937b466a04
SHA512 dec0698ab0fe8beeee499af410255707239d19d7d1806b42f4124694ea0f38011e89c61d53e79f173418151ec8fc43322890e0aac84d1c5025aad60b678ff208

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 eab2fcd5ec933106a83b15fac38a8694
SHA1 13fa5c0464e1be041adb926aa61e90636463863d
SHA256 652e0d8953899a43735e3a819818674d9f4c1215b7c55d12424273102058698c
SHA512 e1e2cc108211d8efab0060aba41acc105b84f0ccf0fc88ae4214027e2b3d1e305d48371a352b3e168a1cc208ba5e31106cc7bdb6ed2c0d243ae093337d52e523

memory/224-169-0x0000000001B80000-0x0000000001B8B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 2070026b7db06b39dd6476c97afa194c
SHA1 a642b95f2c4ea50b3da347a008b3a06daf06a5ee
SHA256 c2a79a1de75bb7e6b9b67aed334a19914a99c235ac0ea8505825105f90d3e1a2
SHA512 bf5d149ae468bba39f44cf2269ff424e9afcdd7a2952a6cd59a6c6c7992c146ce23aea83c607e5059bb94f550512421dd7bdf741ac99b928fab32599dedfa8f6

memory/224-180-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 5ca7fc407124217ed4ac456d5369e951
SHA1 5defeaea509bafe38005a9232d94282b59525ef3
SHA256 dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120
SHA512 dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572

memory/2556-194-0x0000000002E80000-0x0000000002F8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 f26249769d27c4988588974f0afc5ad0
SHA1 e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 cba61c6f09b46910ba0aa6335b36cae8
SHA1 f8f5d22d61869a9980efc55ea67bcb87cc4a55f4
SHA256 af406d613938ae99168b34397442249f9fc38ca8088aa89304f7930abead16fe
SHA512 d3536c599323eec439806367ba6876c9e0cd62858a02f557d89ffd00f544c84fc774f4c1a6d1bfc88c0840f96e445672ef7c47088ad63171d4506d7bbcd9f96f

memory/3192-198-0x00000000728E0000-0x0000000073090000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsn3F76.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 a3eaab9f439c9bb52284dc546480592b
SHA1 7ae92507310476f8d1043657e65378a3d937371f
SHA256 61cbc7bb8342d192e3694c1906c7d0e7977d8556a34fb6bf4d9d742339641f07
SHA512 68399a821687c586b2a3547268e3f7d8d5860112da0a6fae2db3f820e6c01102723a4e9258efcaecbe43976c5a884884ec7abf7d5d31a7c15b3b7dbe2a5ebf27

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 10deabd095dc095e77c48555ab53d5c4
SHA1 5bf54ed2e67743c171de79913656ff48c9223969
SHA256 c2f300f07eeac472a94f5433292c5c299282bb6a783d47693a31d7b9d056bae7
SHA512 5fab9e2b333373f9e7b575b65ba2dfe4d232de8206f99eeb5479aeae78c84e353c2872a1ba8747ca5caf71aeed0a3f7d3e499c1f45d5d8a8082c6f4d4fb7e3d2

memory/3804-210-0x0000000000A60000-0x0000000000A61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp

MD5 c7f4dfe314dd61bc9ff56fdffe58bc58
SHA1 92149a4cc12b6e284f672897408ed7fe2c08cd39
SHA256 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA512 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44

memory/5096-223-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/1928-224-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

memory/1928-227-0x0000000001B90000-0x0000000001BB7000-memory.dmp

memory/4460-231-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 d3141c717de0c637ea40b23bcc2933e0
SHA1 cf62f4e89f430fd81523547c8cbe22f28d881126
SHA256 606646b56458a708975a6b6031ab86492af26d1ff59b010499c276dd8cd7b66d
SHA512 72f121ece2f3e9a231e3c81a9dff2eda4445cae444bceda399926b662ad8dc6ec34cf42f858dfa488bd2b213d81b6ec699e6ee0d0119b1197d2fa729d8cff329

memory/3412-235-0x0000000008A00000-0x0000000008A16000-memory.dmp

memory/1928-241-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/224-240-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/5052-243-0x0000000002850000-0x0000000002C56000-memory.dmp

memory/4300-244-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/5052-245-0x0000000002D60000-0x000000000364B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\547B.exe

MD5 582ac0392899d308c4113843b5f498a3
SHA1 ca11f73f565f1f9a2f988c8fda74db0d9edeac5e
SHA256 3b9269e0b3dd8d5ea2abd4aaca665e4cd9783d804039a19485f03c86e8598bad
SHA512 a3aee6d12ac0cbd2ed622e66d170b0a10f04df3fa6e772707a8cd66629e670143d2f32d2de4cdee18c5c23bfb76fb2fe08aec3fea5b952d77c94e2fd306bb0d0

memory/2556-251-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\547B.exe

MD5 4384ce54ebe3d2a2eb4639f545b459ed
SHA1 3a34d86eee0b1ed86ae1b74376788f137a8dff64
SHA256 8ff8a9147982b721c61637926fc8b8f2f32a47c8c5e39278a699185c595f6148
SHA512 75a916e42140ef1349ea2004f0110493e98560cdc048be8196641a4cc12dd116295853a5ead4eea7e189052f7930d051b63dcaad91b1023cf53d4e94ec315d31

memory/5052-258-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3804-259-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/5096-260-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/3116-261-0x0000000002680000-0x0000000002780000-memory.dmp

memory/3116-262-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/5052-263-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/5096-264-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/1088-267-0x0000000003440000-0x0000000003441000-memory.dmp

memory/1088-268-0x0000000003450000-0x0000000003451000-memory.dmp

memory/1088-270-0x0000000003480000-0x0000000003481000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 fd63e98b42a34b9f0c33656e1c5f38d0
SHA1 9ef02175178275b6d138ab6bec40ff5dccdc453e
SHA256 5a43db6f82114d9842b954bb2c749d14eb66e34158407ac0e082cce03c409369
SHA512 cd40a677d79477fef079ce1f50f6df46a04cfe27056f1d4ed4512bb785554059c62d2f163871f38d013a6bd3550522da5294cf399046b01b2ddd7d5288be184d

memory/1088-273-0x00000000034A0000-0x00000000034A1000-memory.dmp

memory/1928-275-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1088-272-0x0000000003490000-0x0000000003491000-memory.dmp

memory/1088-282-0x00000000034C0000-0x00000000034C1000-memory.dmp

memory/1088-271-0x0000000000990000-0x000000000143D000-memory.dmp

memory/1088-293-0x00000000034D0000-0x0000000003502000-memory.dmp

memory/1088-295-0x00000000034D0000-0x0000000003502000-memory.dmp

memory/1088-297-0x00000000034D0000-0x0000000003502000-memory.dmp

memory/1088-291-0x00000000034D0000-0x0000000003502000-memory.dmp

memory/1088-299-0x00000000034D0000-0x0000000003502000-memory.dmp

memory/1088-332-0x0000000000990000-0x000000000143D000-memory.dmp

C:\ProgramData\nss3.dll

MD5 4df2bf0ae4cdb77998d0c70281d3ca12
SHA1 935d164feabd42243aa34f96e8b6af39c93b6306
SHA256 e83d04c5b94f9228037452a4d98b9b495e9f0ccae61fd379bc6ca6819ce904d2
SHA512 bd8c22fbe054da820656e78eb1f00a2da810d99f31100efc47fc1182a24d014890a158fcd606a0beba011194620c4f9153f3be4b6acdd0c59858cd3d4a2c1138

C:\ProgramData\mozglue.dll

MD5 d56637ea2ca40bc8b22303c9f274cd91
SHA1 c729b37a70880edae19c9cbfc37d6abc54d8dae9
SHA256 0d3f8ec284e987e994a99f7929aa65842cf17d2f88deff7358fa5cd90ff51de1
SHA512 c6ce71956e40f75b70f2bd74a063d4ba3cb7384d50fc01d06c6a1e969d53b0044257262c683f931ee5e43e5f9062e9ffdd1aca46eb1f8be75cb2c39d843bcbe3

C:\ProgramData\mozglue.dll

MD5 a47c9a22d04f7a89ffb338ec0d9163f2
SHA1 c779b4e0bd380889d053a5a2e64fac7e5c9f0d85
SHA256 c67b8f01d1b007cf0abea4f89d1272a146116b398d97c0873889e4f3bc1aa2a5
SHA512 64ebbee2f2f0884096e5b0996b30adae289549ba24f19fb3858f638148f358cd9a6f2fb370c0b2a44e821cb00b5a49468f849c97e9aa8ee413bbae11b57d72f4

memory/3504-364-0x0000000004930000-0x0000000004966000-memory.dmp

memory/3504-371-0x0000000005140000-0x0000000005768000-memory.dmp

memory/3804-385-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/1928-386-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

memory/3504-387-0x0000000071A10000-0x00000000721C0000-memory.dmp

memory/3504-389-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/3504-390-0x0000000004B00000-0x0000000004B10000-memory.dmp

memory/3504-388-0x0000000004F50000-0x0000000004F72000-memory.dmp

memory/3504-391-0x0000000005870000-0x00000000058D6000-memory.dmp

memory/3504-392-0x00000000058E0000-0x0000000005946000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0g0ynqp2.eyj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3504-402-0x0000000005A50000-0x0000000005DA4000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8968359e460df9992c18c113c1c17674
SHA1 1370811cb82506f311c9ea7564df9a0029bd2265
SHA256 da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c
SHA512 cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3
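
Two patterns in this Files list are easy to miss when reading hash blocks by eye: the same path (D38C.exe, E07F.exe, 29DF.exe, InstallSetup4.exe and others) appears several times with different hashes, meaning the file was rewritten during the run, and C:\Users\Admin\AppData\Roaming\htuivrc has exactly the SHA256 of the original sample, so it is a byte-for-byte self-copy placed in Roaming under a random name. The parser below is an added example, not part of the sandbox report; it reads a subset of the blocks copied from this list (SHA512 lines omitted for brevity, though the parser accepts them), groups hashes per path, flags rewritten paths and self-copies, and sizes the memory dump regions. The function names and the sample constant are mine.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524"

# Blocks copied from the Files list of this report (subset; SHA512 lines left out for brevity).
SAMPLE_FILES_SECTION = r"""
memory/4248-3-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D38C.exe

MD5 017e91029e84529d2f62e55ecd6bf357
SHA1 3732255ecd4d107b48143980d4af83d489ee167a
SHA256 3ae0460b36c12c770de86700901dacc02b2b7854c9579bc590d82b0e72ff1888

C:\Users\Admin\AppData\Local\Temp\D38C.exe

MD5 f024b5c63f0be482106d561d9b0fcbf4
SHA1 0273c450a41bf8df49eaae756fefc23d86c73d6d
SHA256 e3345c4b6ffad6e8a7ad15b664d80bcda9c26cba46e1c30312eb6ee748464c8a

memory/1372-18-0x0000000000FF0000-0x000000000189F000-memory.dmp

C:\Users\Admin\AppData\Roaming\htuivrc

MD5 a1329151a972d67a22194a25d25d1828
SHA1 1e40ce3146eef2fabe27e50cbc715cfef4a5e8dd
SHA256 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files_section(text):
    """Return (dropped, dumps).

    dropped: list of {"path": ..., "MD5": ..., "SHA1": ..., ...} in the order written.
    dumps:   list of (pid, index, start, end) for memory/<pid>-<n>-0xSTART-0xEND-memory.dmp entries."""
    dropped, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash line without a preceding path: {line!r}")
            current[m.group(1)] = m.group(2).lower()
            continue
        # Any other non-empty line is a file path and opens a new record.
        current = {"path": line}
        dropped.append(current)
    return dropped, dumps


def hashes_by_path(dropped):
    """Distinct SHA256 values seen for each path, in write order."""
    out = defaultdict(list)
    for rec in dropped:
        h = rec.get("SHA256")
        if h and h not in out[rec["path"]]:
            out[rec["path"]].append(h)
    return dict(out)


def rewritten_paths(dropped):
    """Paths written more than once with different content (staged download or overwrite)."""
    return sorted(p for p, hs in hashes_by_path(dropped).items() if len(hs) > 1)


def self_copies(dropped, sample_sha256):
    """Dropped files that are byte-identical to the submitted sample."""
    return sorted({rec["path"] for rec in dropped if rec.get("SHA256") == sample_sha256.lower()})


def largest_dump(dumps):
    """(pid, size in bytes) of the biggest dumped region; an unpacked image is usually among the largest."""
    pid, _idx, start, end = max(dumps, key=lambda d: d[3] - d[2])
    return pid, end - start


if __name__ == "__main__":
    dropped, dumps = parse_files_section(SAMPLE_FILES_SECTION)
    print("rewritten:", rewritten_paths(dropped))
    print("self-copies:", self_copies(dropped, SAMPLE_SHA256))
    print("largest dump: pid %d, 0x%X bytes" % largest_dump(dumps))
```

When building a blocklist from a report like this, take every distinct hash per path rather than the last one: the intermediate contents of D38C.exe or E07F.exe are exactly what an endpoint sees mid-download, and the self-copy path is the one to look for on other hosts.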