Analysis Overview
SHA256
9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524
Threat Level: Known bad
The file 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
Glupteba
DcRat
Lumma Stealer
SmokeLoader
Detects executables packed with VMProtect.
Detects executables referencing many varying, potentially fake Windows User-Agents
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Detects executables Discord URL observed in first stage droppers
Detects Windows executables referencing non-Windows User-Agents
Detects executables containing artifacts associated with disabling Windows Defender
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables containing URLs to raw contents of a Github gist
UPX dump on OEP (original entry point)
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detect binaries embedding considerable number of MFA browser extension IDs.
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Creates new service(s)
Reads user/profile data of web browsers
UPX packed file
Deletes itself
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 05:29
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 05:29
Reported
2024-02-27 05:31
Platform
win7-20240221-en
Max time kernel
115s
Max time network
153s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
SmokeLoader
Detect binaries embedding considerable number of MFA browser extension IDs.
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Detects Windows executables referencing non-Windows User-Agents
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables Discord URL observed in first stage droppers
Detects executables containing URLs to raw contents of a Github gist
Detects executables containing artifacts associated with disabling Windows Defender
Detects executables packed with VMProtect.
Detects executables referencing many varying, potentially fake Windows User-Agents
UPX dump on OEP (original entry point)
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\CFFE.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\D665.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2844 set thread context of 2088 | N/A | C:\Users\Admin\AppData\Local\Temp\CFFE.exe | C:\Users\Admin\AppData\Local\Temp\CFFE.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240227053107.cab | C:\Windows\system32\makecab.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BC1E.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\9F24.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\etgaufb | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\etgaufb | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6493.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6493.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\6493.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\etgaufb | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\etgaufb | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6493.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp | N/A |
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe
"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"
C:\Users\Admin\AppData\Local\Temp\BC1E.exe
C:\Users\Admin\AppData\Local\Temp\BC1E.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2672 -s 124
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C8FB.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C8FB.dll
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
C:\Users\Admin\AppData\Local\Temp\D665.exe
C:\Users\Admin\AppData\Local\Temp\D665.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {DE9C9D23-C790-46CA-B566-B32E86106C38} S-1-5-21-1650401615-1019878084-3673944445-1000:UADPPTXT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\etgaufb
C:\Users\Admin\AppData\Roaming\etgaufb
C:\Users\Admin\AppData\Local\Temp\FECD.exe
C:\Users\Admin\AppData\Local\Temp\FECD.exe
C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
"C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp" /SL5="$E015A,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FECD.exe"
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
C:\Users\Admin\AppData\Local\Temp\4907.exe
C:\Users\Admin\AppData\Local\Temp\4907.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\6493.exe
C:\Users\Admin\AppData\Local\Temp\6493.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp
C:\Users\Admin\AppData\Local\Temp\nsz8191.tmp
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\9F24.exe
C:\Users\Admin\AppData\Local\Temp\9F24.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1240 -s 124
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053107.log C:\Windows\Logs\CBS\CbsPersist_20240227053107.cab
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Network
Files
memory/2276-1-0x0000000002480000-0x0000000002580000-memory.dmp
memory/2276-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2276-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1192-4-0x0000000002910000-0x0000000002926000-memory.dmp
memory/2276-5-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/2276-8-0x0000000000220000-0x000000000022B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BC1E.exe
| MD5 | 5490d7eec052f9c9455cbe620e4727df |
| SHA1 | 675d36ba9e07af1d046751ca2fad2747a1ee5beb |
| SHA256 | 4e59303b109e7c5bd5bb68de70e40867a1db560cac19d5409d60b08cffcc7e38 |
| SHA512 | 24268d2426f65074ec28d5069ca1ae3e8219fc744782d1dcf1fbce7bcc476d1a835a3685d115854861cb176e2c3b9d52484f9907096e871ca66cccedfd1627ea |
C:\Users\Admin\AppData\Local\Temp\BC1E.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/2672-17-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2672-19-0x0000000000FB0000-0x000000000185F000-memory.dmp
memory/2672-20-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2672-22-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2672-24-0x0000000077130000-0x0000000077131000-memory.dmp
memory/2672-26-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/2672-23-0x0000000000FB0000-0x000000000185F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C8FB.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2416-33-0x0000000000170000-0x0000000000176000-memory.dmp
memory/2416-34-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2844-42-0x00000000035B0000-0x0000000003768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
C:\Users\Admin\AppData\Local\Temp\CFFE.exe
| MD5 | 057d4899785c88a4b96a30efac0a7f10 |
| SHA1 | 2304be75b31060360a246617e18a147febbcd080 |
| SHA256 | 66e7dcd0c0e64d8f2e89f4e589a6928bd76342c9a7e5c2215bcba0d10c15fbd4 |
| SHA512 | 240b11dbadcc5d84c4b000c13d23507d7f4883a1ea12d5aba15b9252da91f3b755c7951ed4a1218fbcdf1e9e710d227d7ffd5e7fe7c09bceda7d3b05072a2574 |
memory/2844-43-0x00000000035B0000-0x0000000003768000-memory.dmp
memory/2844-44-0x0000000003770000-0x0000000003927000-memory.dmp
memory/2088-47-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2088-49-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2088-59-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2088-53-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2844-52-0x00000000035B0000-0x0000000003768000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D665.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/668-62-0x00000000031D0000-0x00000000032D0000-memory.dmp
memory/668-63-0x0000000002FF0000-0x000000000305B000-memory.dmp
memory/2088-65-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2088-66-0x0000000000400000-0x0000000000848000-memory.dmp
memory/668-64-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2672-67-0x0000000000FB0000-0x000000000185F000-memory.dmp
memory/2088-68-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2088-70-0x00000000001C0000-0x00000000001C6000-memory.dmp
\Users\Admin\AppData\Local\Temp\C8FB.dll
| MD5 | 6cbda329ef8abcbd3a3f89e2443ab193 |
| SHA1 | d33e9a03165a8e56af77c08b56f8a8deb39adb84 |
| SHA256 | d201e13530b3353924fa26d594fd5fce105f9ccc833c1ec7ca79258bf396b9eb |
| SHA512 | ed3465dc54b46e2fca0f3c78de9fe52809bf0ad99b20719d81064e5280ef26fc7ceb009d33482664cf5504d14f719f75be84adff6907614a1d600192c9bb50c4 |
C:\Users\Admin\AppData\Roaming\etgaufb
| MD5 | a1329151a972d67a22194a25d25d1828 |
| SHA1 | 1e40ce3146eef2fabe27e50cbc715cfef4a5e8dd |
| SHA256 | 9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524 |
| SHA512 | 277d7c55a412f9dc3c534d458b0c6fd3102e80bdc71700a78f9b9bd66b7455d8ab7580f6ec4b4ea39d6916a6f7ecf02ab3ff8a8ae17ae3cd64fc7f71c53f6a3a |
memory/2088-76-0x0000000002A50000-0x0000000002B79000-memory.dmp
memory/2416-75-0x00000000022E0000-0x0000000002409000-memory.dmp
memory/1976-81-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FECD.exe
| MD5 | 507c0587f547e4d752fef1eee444688c |
| SHA1 | dc40e87cb42dcd196ada46a6361c2abc27d575df |
| SHA256 | fb56ea35195cb286ca68ee0966cdbc0fe50a2ae2b408588add239099be52d584 |
| SHA512 | a55c5833543c6f4695ffe6435688fde5fca08086f2e75a266d6437ff15e697127bef33863de6d7367f17be60881a73402f5a39ae9566352ad433f16ebcdeabf4 |
memory/2416-82-0x0000000010000000-0x000000001020A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FECD.exe
| MD5 | 943c6189a9578da1aacaeb312b20aca1 |
| SHA1 | 9d83cadf8e2ead38da5084342f069e79167abc7e |
| SHA256 | f5a26cae0d7eb46d7f40ed57efe86daf2eb9723c2ae483bfb44bd99b78c52318 |
| SHA512 | c7d4ee04ec2e80b18ee39420bfd23bd24fd4ab99db8007c8c50ff4eab9984fb1f3a8ebfc2c42bf79a82732bdc834905cf5ba3aa0e12fc20d419da53e02a765e2 |
memory/2088-84-0x0000000002B80000-0x0000000002C8E000-memory.dmp
memory/2088-87-0x0000000002B80000-0x0000000002C8E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-C8GOI.tmp\FECD.tmp
| MD5 | 14db4253fd181e84e26eebc8f4150402 |
| SHA1 | 79e77f75b5b8b1386c1bb76324790caaa908ca8d |
| SHA256 | 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28 |
| SHA512 | 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e |
\Users\Admin\AppData\Local\Temp\is-KPQAT.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-KPQAT.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-KPQAT.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2088-110-0x0000000002B80000-0x0000000002C8E000-memory.dmp
memory/2088-92-0x0000000002B80000-0x0000000002C8E000-memory.dmp
memory/1976-146-0x0000000000400000-0x0000000000414000-memory.dmp
memory/332-147-0x0000000000240000-0x0000000000241000-memory.dmp
memory/668-90-0x0000000000400000-0x0000000002D8C000-memory.dmp
\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | 1de4ba8e9721174b4a990b9f797ace1d |
| SHA1 | 9b2de046627cd338813a0a17e4475b6756c21285 |
| SHA256 | f52daee054ca50edf1cfe6e97aef541f59119cbeab030539aaf7db5238da9583 |
| SHA512 | 31f302b73affd8c12a97055b18a0e4f8494fdf9633d312488433cc1f08cb233f02691cf4bfb597f0c17c5022e8cfc1e8e2c5a1c3c0105277443df143a3e8aad2 |
memory/332-149-0x0000000003140000-0x0000000003428000-memory.dmp
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | 0573eb0d993de0aed803e44bfe2aeb67 |
| SHA1 | 4d3ee601009b516c658225bab01ec08becf6ab51 |
| SHA256 | 386a4e27bfffda89d6a6b4444e103ddda6821c6c49be58b11f339c9b5144a7e0 |
| SHA512 | 3d52e97d807575e41b28a2befa8b844e7c67bc0410519d261e0747d157f65a2af790d960061a8fa2824786a136452c3e7e88feba05078e56f6b190a75511f9e9 |
memory/2416-151-0x0000000002410000-0x000000000251E000-memory.dmp
memory/1896-150-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/2416-153-0x0000000002410000-0x000000000251E000-memory.dmp
memory/2416-154-0x0000000002410000-0x000000000251E000-memory.dmp
memory/1228-156-0x00000000023A0000-0x00000000024A0000-memory.dmp
memory/1228-159-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 000c956a435d279a967527f027bab0c3 |
| SHA1 | a1f352562d1b76b9bbb070797207cf4285f70ec4 |
| SHA256 | dd56bc18e8fb3830924b45ee9a5570eff3be912cee3b14a69f798a4a48ce578f |
| SHA512 | 27d9e2be619c2730e374a706d17ca7675e9d9d60251ff8c4908f2445152f564dd243dfb0b2dfc706c09e4198781e9147d8d662612c2cd162a1cc0db5d1fa5acb |
memory/2088-160-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1896-167-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/1896-171-0x0000000000400000-0x00000000006E8000-memory.dmp
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | fc9adc3be6d2f7b25cca4796edd030b6 |
| SHA1 | f3fcf562fc81b282f9c57eba3d8a0bbb78eb4a42 |
| SHA256 | 880d80e81efe9cc4486e5ca44be1ffc1dfda08b15811700c482c47aa83e1887f |
| SHA512 | c20f4949b1a0227d694ed632fb7e339e407e1a2ccb78919c154d04ed35ea6630d897ec8966d5653f942612a452c87eb23eb15f23cac4b817b76b2a25e4ce71bd |
memory/1132-174-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/1192-176-0x0000000002CF0000-0x0000000002D06000-memory.dmp
memory/1228-177-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | d271f35709efd6cd1691086695ceb058 |
| SHA1 | 4a05c891ac1ad54dac24c292b2a4365e4a794f1a |
| SHA256 | 1dd3e2c4244232f726a2079e9e088ae42aeca16c1d86add8794ddc0ec9b45410 |
| SHA512 | dcc8020af77f66c2f81594baeae85e8f5e3ce584fcce6dc94603232b1610176f6a319f88b4332d9406d51d816be3ee18dd2d6016dd1eaa8f05c171dfb28b727a |
C:\Users\Admin\AppData\Local\Temp\4907.exe
| MD5 | ceae65ee17ff158877706edfe2171501 |
| SHA1 | b1f807080da9c25393c85f5d57105090f5629500 |
| SHA256 | 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49 |
| SHA512 | 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 05:29
Reported
2024-02-27 05:32
Platform
win10v2004-20240226-en
Max time kernel
79s
Max time network
156s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
Lumma Stealer
SmokeLoader
Detect binaries embedding considerable number of MFA browser extension IDs.
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Detects Windows executables referencing non-Windows User-Agents
Detects executables Discord URL observed in first stage droppers
Detects executables containing URLs to raw contents of a Github gist
Detects executables containing artifacts associated with disabling Windows Defender
Detects executables packed with VMProtect.
Detects executables referencing many varying, potentially fake Windows User-Agents
UPX dump on OEP (original entry point)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\29DF.exe | N/A |
Deletes itself
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E07F.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\E07F.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\E419.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4416 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\E07F.exe | C:\Users\Admin\AppData\Local\Temp\E07F.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3867.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3867.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\htuivrc | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\htuivrc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3867.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\htuivrc | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3867.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\htuivrc | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe
"C:\Users\Admin\AppData\Local\Temp\9c4b2a7f10af5e2cf97af9e132a2e98007a55d3bd64318772452d410e2a4f524.exe"
C:\Users\Admin\AppData\Local\Temp\D38C.exe
C:\Users\Admin\AppData\Local\Temp\D38C.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DA34.dll
C:\Users\Admin\AppData\Roaming\htuivrc
C:\Users\Admin\AppData\Roaming\htuivrc
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\DA34.dll
C:\Users\Admin\AppData\Local\Temp\E07F.exe
C:\Users\Admin\AppData\Local\Temp\E07F.exe
C:\Users\Admin\AppData\Local\Temp\E07F.exe
C:\Users\Admin\AppData\Local\Temp\E07F.exe
C:\Users\Admin\AppData\Local\Temp\E419.exe
C:\Users\Admin\AppData\Local\Temp\E419.exe
C:\Users\Admin\AppData\Local\Temp\EB5E.exe
C:\Users\Admin\AppData\Local\Temp\EB5E.exe
C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AT8NC.tmp\EB5E.tmp" /SL5="$F01FE,2349102,54272,C:\Users\Admin\AppData\Local\Temp\EB5E.exe"
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
C:\Users\Admin\AppData\Local\Temp\29DF.exe
C:\Users\Admin\AppData\Local\Temp\29DF.exe
C:\Users\Admin\AppData\Local\Temp\3867.exe
C:\Users\Admin\AppData\Local\Temp\3867.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp
C:\Users\Admin\AppData\Local\Temp\nsg46DA.tmp
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\547B.exe
C:\Users\Admin\AppData\Local\Temp\547B.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1928 -ip 1928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1972
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Network
Files