Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-f96enaaa6v
Target bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe
SHA256 bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11
Tags
glupteba smokeloader pub1 backdoor dropper evasion loader persistence trojan upx dcrat lumma bootkit discovery infostealer rat spyware stealer
score
10/10


Analysis Overview

score
10/10

SHA256

bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11

Threat Level: Known bad

The file bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe was found to be: Known bad.

Malicious Activity Summary

glupteba smokeloader pub1 backdoor dropper evasion loader persistence trojan upx dcrat lumma bootkit discovery infostealer rat spyware stealer

DcRat

SmokeLoader

Glupteba

Glupteba payload

Lumma Stealer

Detects binaries embedding a considerable number of MFA browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

UPX dump on OEP (original entry point)

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables packed with VMProtect.

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing URLs to raw contents of a Github gist

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables containing artifacts associated with disabling Windows Defender

Downloads MZ/PE file

Creates new service(s)

Modifies Windows Firewall

Stops running service(s)

Executes dropped EXE

Reads data files stored by FTP clients

Deletes itself

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Checks processor information in registry

Creates scheduled task(s)

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 05:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 05:35

Reported

2024-02-27 05:37

Platform

win7-20240221-en

Max time kernel

143s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Detects binaries embedding a considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2428 set thread context of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\ABBA.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1248 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe
PID 1248 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe
PID 1248 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe
PID 1248 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe
PID 2540 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2540 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2540 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe C:\Windows\SysWOW64\WerFault.exe
PID 2540 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\ABBA.exe C:\Windows\SysWOW64\WerFault.exe
PID 1248 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1248 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 1248 wrote to memory of 2428 N/A N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 2428 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\BBD2.exe C:\Users\Admin\AppData\Local\Temp\BBD2.exe
PID 1248 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\C93B.exe
PID 1248 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\C93B.exe
PID 1248 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\C93B.exe
PID 1248 wrote to memory of 1876 N/A N/A C:\Users\Admin\AppData\Local\Temp\C93B.exe

Processes

C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe

"C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe"

C:\Users\Admin\AppData\Local\Temp\ABBA.exe

C:\Users\Admin\AppData\Local\Temp\ABBA.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2540 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\B5B9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\B5B9.dll

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

C:\Users\Admin\AppData\Local\Temp\C93B.exe

C:\Users\Admin\AppData\Local\Temp\C93B.exe

C:\Users\Admin\AppData\Local\Temp\D5D9.exe

C:\Users\Admin\AppData\Local\Temp\D5D9.exe

C:\Users\Admin\AppData\Local\Temp\is-FTLPE.tmp\D5D9.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FTLPE.tmp\D5D9.tmp" /SL5="$201DC,2349102,54272,C:\Users\Admin\AppData\Local\Temp\D5D9.exe"

C:\Users\Admin\AppData\Local\Temp\1847.exe

C:\Users\Admin\AppData\Local\Temp\1847.exe

C:\Users\Admin\AppData\Local\Temp\2ACE.exe

C:\Users\Admin\AppData\Local\Temp\2ACE.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\480F.exe

C:\Users\Admin\AppData\Local\Temp\480F.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\nst6E8D.tmp

C:\Users\Admin\AppData\Local\Temp\nst6E8D.tmp

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053643.log C:\Windows\Logs\CBS\CbsPersist_20240227053643.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
SE 185.97.32.34:9001 tcp
DE 78.46.174.72:9001 tcp
GB 51.38.65.160:9001 tcp
US 8.8.8.8:53 trmpc.com udp
NL 91.92.243.234:443 tcp
NO 185.14.97.37:8443 tcp
KR 211.171.233.129:80 trmpc.com tcp
NO 185.14.97.37:8443 tcp
NL 91.92.243.234:443 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 prejezmbol.cem udp
US 8.8.8.8:53 ybhee.cem.ph udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 jlez.pl udp
US 8.8.8.8:53 prejezmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 prejezmbol.cem udp
US 8.8.8.8:53 ybhee.cem.ph udp
US 8.8.8.8:53 ybhee.cem.ph udp
US 8.8.8.8:53 jlez.pl udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 schelbr.mou.edu.my udp
US 8.8.8.8:53 gmbol.embo udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 schelbr.mou.edu.my udp
US 8.8.8.8:53 schelbr.mou.edu.my udp
US 8.8.8.8:53 schelbr.mou.edu.my udp
US 8.8.8.8:53 gmbol.embo udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 blphbscrobes.cem udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 blphbscrobes.cem udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 hejmbol.de udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 hejmbol.de udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 bzhbr.mee.edu.eg udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 gmbol.hu udp
US 8.8.8.8:53 ubm.edu.sz udp
US 8.8.8.8:53 bzhbr.mee.edu.eg udp
US 8.8.8.8:53 bzhbr.mee.edu.eg udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ubm.edu.sz udp
US 8.8.8.8:53 gmbol.hu udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 jesj.cem udp
US 8.8.8.8:53 jesj.cem udp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 45.79.222.138:80 ybhee.cem.ph tcp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 45.79.222.138:465 ybhee.cem.ph tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ubvpromejech.cem udp
US 8.8.8.8:53 exlservoce.cem udp
US 8.8.8.8:53 ftp.schelbr.mou.edu.my udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 fpj.cem.vz udp
US 8.8.8.8:53 vusrb.cem udp
US 8.8.8.8:53 ubvpromejech.cem udp
US 8.8.8.8:53 gosj.bc.kr udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 mail.jlez.pl udp
US 8.8.8.8:53 exlservoce.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 eujleek.es udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ftp.jlez.pl udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 fpj.cem.vz udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 zeemkj.cem.br udp
US 8.8.8.8:53 vusrb.cem udp
US 8.8.8.8:53 boedoeselje.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 gosj.bc.kr udp
US 8.8.8.8:53 gosj.bc.kr udp
US 8.8.8.8:53 eujleek.es udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 boedoeselje.cem udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp

Files

memory/1992-1-0x0000000000230000-0x0000000000330000-memory.dmp

memory/1992-2-0x00000000003A0000-0x00000000003AB000-memory.dmp

memory/1992-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1992-5-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1248-4-0x0000000002A20000-0x0000000002A36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ABBA.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/2540-16-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2540-18-0x00000000010E0000-0x000000000198F000-memory.dmp

memory/2540-19-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2540-21-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2540-22-0x0000000076FC0000-0x0000000076FC1000-memory.dmp

memory/2540-23-0x00000000010E0000-0x000000000198F000-memory.dmp

memory/2540-25-0x0000000000090000-0x0000000000091000-memory.dmp

\Users\Admin\AppData\Local\Temp\ABBA.exe

MD5 7349ae0f133292d5e0ef5675b5738ba6
SHA1 dea9b61698cd5775e0fbedab764e8d1b245602e4
SHA256 a09c3f6703053c7a31e3e88767dd5820cc5061f767a0693a042f68ba3fe2f58a
SHA512 0515c15bd6a58c1a6e5e9fb3b54b2a248d81f0cec57b390fcde8f34e14b9efc05614ef67a2558c6428473f0b80320486ced86d399234b9fe41bd7c213fb4d967

\Users\Admin\AppData\Local\Temp\ABBA.exe

MD5 33c2645d3688d445c1ca6425dc322a0a
SHA1 d43b1e42669c7f4f08344055cdd1fe2f79d09868
SHA256 afab69f56e70ea04762f62b9991454b2b33d4d7a2c5f789b413b21cb48fb15d2
SHA512 20897f3c945cd5551bb6af53f1b2f259f599178821e0a7d99712dba6562c5f4e732e769311126773c81918f0867e5e435318e1cc7ded9f21c8a8d18f4c374509

C:\Users\Admin\AppData\Local\Temp\B5B9.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2580-32-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2580-31-0x0000000000130000-0x0000000000136000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

MD5 9df04112ee272246e537077b87e3d35c
SHA1 cc3c7c8324d4e5f63b3ae96b9ed6028c0eb0a948
SHA256 cf88087be3560c201dd207a85ffbe860ad92b2ea8f0e56c725e3b1229a157635
SHA512 52bf711e82cfb1ffbe5cabef3fe060603d1b864e91495ee0fb521c02374cfba87e30205c397b82efbce7d7e9fd2b0290e120effde3a6a2f029591ddfbab80c22

memory/2428-40-0x00000000034C0000-0x0000000003678000-memory.dmp

memory/2428-41-0x00000000034C0000-0x0000000003678000-memory.dmp

memory/2428-42-0x00000000036C0000-0x0000000003877000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

MD5 6e92468a589a118a0e52a69838812d5a
SHA1 f7600765aaf24de6261aceabb2823992d5b7d11a
SHA256 89de3a6e7282355c370058f7b4fe364ec79205602c38013dc5f23196cf7a1f2a
SHA512 f212a536db73fb5a9798cbd472913ca8dfcad06c724b19930098ec3868ca41f2bb825d9824f6f0aaace763f57c589768206f6565461f79d97ae93591f96fd570

memory/2856-45-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\ABBA.exe

MD5 c5e7c791d25fe5795caf90493a00523e
SHA1 0547e7c55ddb9a0637c560dd345b8a370cfd434a
SHA256 f853a4fd24b2f8f36e789304a651e4cc8b50751db69043f758ba5cbc9d8b9910
SHA512 d3d5bdcadb7ebeba345f2d1337c7ba4831faa3c093f7869dac1aedf80b1c8d2f41d496b4874754acb6612aedd2d2961793e38070800bd28804f51e5f5217bbd0

memory/2856-48-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBD2.exe

MD5 b36162057140c2b4b0f863fc05179286
SHA1 a8391f0aa1c57af300bf6f7aab321587bb18bf09
SHA256 5193bc8abdf519b4a1a5d4e743d761388596a31382fa9918ca623d889b6232e9
SHA512 ea208f87a7b23f39ab9425840c9ac6def918cb5b13bf00218da43d69d2ec5a8053c80cb72b8c7a60ae2a0780fcb36eed3ce470f9443da03ff9ad0a63642dd955

memory/2856-51-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2856-52-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2856-53-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2856-54-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2856-55-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C93B.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/1876-66-0x0000000002F20000-0x0000000003020000-memory.dmp

memory/2856-67-0x0000000000270000-0x0000000000276000-memory.dmp

memory/1876-68-0x00000000002D0000-0x000000000033B000-memory.dmp

memory/1876-70-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1876-69-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D5D9.exe

MD5 e4a41feae8a0ea34b8318bf3ddafded3
SHA1 1234026e5d8872a8b7022850ea889f55370a3ff5
SHA256 be482bb853fccfef39948f3b2a01773cb2236dc512cf9cd61e7fdfe26687bcb6
SHA512 d825e42389ccfda3e11b30948f44d001710d2ea69b43402f1240f06671621f26499ca4ef1e69d25bea706e5baaf14a8ddfae145d409a9680c413b39f9586c903

memory/1948-76-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FTLPE.tmp\D5D9.tmp

MD5 14db4253fd181e84e26eebc8f4150402
SHA1 79e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA256 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA512 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e

memory/2540-87-0x00000000010E0000-0x000000000198F000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-98N7V.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-98N7V.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-98N7V.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1632-88-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/2856-107-0x0000000002A70000-0x0000000002B99000-memory.dmp

memory/2856-108-0x0000000002BA0000-0x0000000002CAE000-memory.dmp

memory/2856-109-0x0000000002BA0000-0x0000000002CAE000-memory.dmp

memory/2856-111-0x0000000002BA0000-0x0000000002CAE000-memory.dmp

memory/2580-112-0x0000000002130000-0x0000000002259000-memory.dmp

memory/2580-114-0x0000000002260000-0x000000000236E000-memory.dmp

memory/2856-116-0x0000000002BA0000-0x0000000002CAE000-memory.dmp

memory/2580-117-0x0000000002260000-0x000000000236E000-memory.dmp

memory/2580-124-0x0000000002260000-0x000000000236E000-memory.dmp

memory/2856-123-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2580-122-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1876-125-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1948-126-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2856-127-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1632-128-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1847.exe

MD5 4ea1424b76970488ba83aaa4e6e2579a
SHA1 e2935e0cfa8b02dd81234cb22300bfd2b9ebed3f
SHA256 b7f901a6728c08b91d7bd12fed399c33ec541d377f71339f66ef8cb95c1ea66d
SHA512 0eeb07bab5871075c40d0b95981429200824cd1d7735cce80deb0c1126e3dc692ffa40c3453d3ce8d7cf297d00d33b3782ab2d2105e15bd563add046bc01bbf4

C:\Users\Admin\AppData\Local\Temp\1847.exe

MD5 be9831d080769201174d8ec22cc24a54
SHA1 4e2d9c76414f145b2f95cd3fb55be2276a9af90e
SHA256 7ac394fc1cca4ae7212c41c08ee6ab250f42f22ab82209e10f5df8d16fef5439
SHA512 0c39c1fd44291a7cd2ed650344dcbd6910b87f1be224f0ec52f713371bb72e9ecc5fe4262d922f636bbbe285fee114ef408b5e4d97e3b43d9643bfb559b789f9

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 42ddaf0cf792fc16c908b10d80f341e3
SHA1 5102427b531ea258d7f2f9bd88e8533b2e185ad6
SHA256 cd662b461c3d25b4dc198e00f0b4d8bb2784a000bef7963f26263c74ce10e94c
SHA512 d5126c1e7667db3dd3cba49cd4f945cbaa5902352215cfa4005466c683a1292512cf0b5dc5a1bf51e9bd755cfe9c255ca990830aad9a99e84f7ee34ce6a18a85

memory/2800-143-0x0000000000030000-0x00000000008E6000-memory.dmp

memory/2800-148-0x0000000072C70000-0x000000007335E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2ACE.exe

MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

memory/2856-158-0x0000000000400000-0x0000000000848000-memory.dmp

memory/812-160-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/812-159-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/812-161-0x0000000000400000-0x0000000001A2A000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted 2024-02-27 05:35

Reported 2024-02-27 05:37

Platform win10v2004-20240226-en

Max time kernel 91s

Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EFB1.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Detect binaries embedding considerable number of MFA browser extension IDs.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables packed with VMProtect.

Detects executables referencing many varying, potentially fake Windows User-Agents

UPX dump on OEP (original entry point)

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3364.exe N/A

Deletes itself

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\EFB1.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\F2A0.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2660 set thread context of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3EB0.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3EB0.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3EB0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1971 = "Belarus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2371 = "Easter Island Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-931 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2871 = "Magallanes Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2372 = "Easter Island Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2141 = "Transbaikal Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3464 wrote to memory of 1116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E251.exe
PID 3464 wrote to memory of 1116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E251.exe
PID 3464 wrote to memory of 1116 N/A N/A C:\Users\Admin\AppData\Local\Temp\E251.exe
PID 3464 wrote to memory of 2960 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3464 wrote to memory of 2960 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2960 wrote to memory of 3116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2960 wrote to memory of 3116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2960 wrote to memory of 3116 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3464 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 3464 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 3464 wrote to memory of 2660 N/A N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 2660 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\EFB1.exe C:\Users\Admin\AppData\Local\Temp\EFB1.exe
PID 3464 wrote to memory of 3816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A0.exe
PID 3464 wrote to memory of 3816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A0.exe
PID 3464 wrote to memory of 3816 N/A N/A C:\Users\Admin\AppData\Local\Temp\F2A0.exe
PID 3464 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe
PID 3464 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe
PID 3464 wrote to memory of 2704 N/A N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe
PID 2704 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp
PID 2704 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp
PID 2704 wrote to memory of 616 N/A C:\Users\Admin\AppData\Local\Temp\FDCD.exe C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp
PID 616 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 616 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 616 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 616 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 616 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 616 wrote to memory of 3296 N/A C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 3464 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\Temp\3364.exe
PID 3464 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\Temp\3364.exe
PID 3464 wrote to memory of 3552 N/A N/A C:\Users\Admin\AppData\Local\Temp\3364.exe
PID 3464 wrote to memory of 3720 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EB0.exe
PID 3464 wrote to memory of 3720 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EB0.exe
PID 3464 wrote to memory of 3720 N/A N/A C:\Users\Admin\AppData\Local\Temp\3EB0.exe
PID 3552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3552 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3552 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3552 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3552 wrote to memory of 336 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3552 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3552 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\3364.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 336 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 336 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 336 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 336 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp
PID 336 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp
PID 336 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp
PID 1908 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4292 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4292 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4292 wrote to memory of 2496 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4292 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4292 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4292 wrote to memory of 4396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3464 wrote to memory of 3704 N/A N/A C:\Users\Admin\AppData\Local\Temp\6E4C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe

"C:\Users\Admin\AppData\Local\Temp\bb633d7fb28cf6aac4097726c639462bd7a4362d7752ba5c612ea6c0e18e8d11.exe"

C:\Users\Admin\AppData\Local\Temp\E251.exe

C:\Users\Admin\AppData\Local\Temp\E251.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E938.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E938.dll

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Users\Admin\AppData\Local\Temp\F2A0.exe

C:\Users\Admin\AppData\Local\Temp\F2A0.exe

C:\Users\Admin\AppData\Local\Temp\FDCD.exe

C:\Users\Admin\AppData\Local\Temp\FDCD.exe

C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp

"C:\Users\Admin\AppData\Local\Temp\is-S2LL4.tmp\FDCD.tmp" /SL5="$6011A,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FDCD.exe"

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s

C:\Users\Admin\AppData\Local\Temp\3364.exe

C:\Users\Admin\AppData\Local\Temp\3364.exe

C:\Users\Admin\AppData\Local\Temp\3EB0.exe

C:\Users\Admin\AppData\Local\Temp\3EB0.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp

C:\Users\Admin\AppData\Local\Temp\nsr54B5.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\6E4C.exe

C:\Users\Admin\AppData\Local\Temp\6E4C.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 2380

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 764 -ip 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network


Files


C:\ProgramData\mozglue.dll

MD5 fef383de063d9a06313fef7706559216
SHA1 ae4bc1e98fd31ef81be55445e68fadb1e12b9d2e
SHA256 a07223dcca324c67db2503a62e049839577f5bdacf3ded6bd2454aafbb7fe649
SHA512 f3c3816940245957764a17f708cef9822188669407dfee4faf967fa6831391d2c3a5041054b6238c986c802b391c45089502598d46d558988c16f4c0f271107f

memory/1216-337-0x0000000005520000-0x0000000005586000-memory.dmp

memory/1216-338-0x0000000005590000-0x00000000055F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hhmyrih.yzm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1216-348-0x00000000059A0000-0x0000000005CF4000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/1216-357-0x0000000005D70000-0x0000000005D8E000-memory.dmp

memory/1216-358-0x0000000005E40000-0x0000000005E8C000-memory.dmp

memory/1216-359-0x0000000006290000-0x00000000062D4000-memory.dmp

memory/1216-364-0x00000000048B0000-0x00000000048C0000-memory.dmp

memory/1216-365-0x0000000007050000-0x00000000070C6000-memory.dmp

memory/4232-366-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/1216-372-0x0000000007750000-0x0000000007DCA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 b0ca41b249e5621a4033dc3c024af9f0
SHA1 de5ffceae5a0aee20d080096792eac80d1866e1c
SHA256 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA512 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 f14064f9e30af9d49cdfba1004219432
SHA1 97a4b8e91e0b49d45dfa19031ef7fbd9ad0740b5
SHA256 117d1a10799ff42a8f0eea79a152aefc25abc7cf7c984cb30b88ff6e4bb51658
SHA512 21408bcadd833800a0217fa43d934b0d55081bfe43ce724f30b4785c679248fdd0ab423e87ec52f6a2586dac68f75d1090d5d328318dd4fdfa612881dd7ed3a7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2aba90aafc8306316c5452241bd134cc
SHA1 9c30cd879ed7de82e3206ead4f7e7672381459ac
SHA256 6db4173e3b5982adbd6be8ee021998a5d558c528fb1980d82287b4fc86b9ed08
SHA512 85d2879cce51d2b3bc28d4fb93b0a1d5c63e7102c804823ebdd0688a38fb0dd7094ba42ca23b3de8af0ab676fe1553abb976c1152228d57f41616d8d013150f1

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 34f76a841ed0bd82883761dd19d487b5
SHA1 de9e8b9965e1a9bdefc0f3ccc133277435465639
SHA256 f488dd2fb174cb09bd25dae779fd6c478fe738c5872edaeeab38578f58c8d710
SHA512 1e0d6d79ead7fe82291b20a4b8d5ed93131a53d74f742238f07b8609dc26a02651dea74193d0bb86d02964be48d91565cca82b292460b54d3e8c993a1c410970

C:\Windows\rss\csrss.exe

MD5 653b3840686c3a4ca9aabeaab7c7dab6
SHA1 374ccbaa38c9ff31928401f498fb00825882dedf
SHA256 7b7d9e629088c0e46cb6ada93287a9bb93ce1e2b8599c3e1839590e8a9bd481b
SHA512 dbf7e42777544a42a8160f0d9245220ecc151a4dfe0a341640ea6961f9d1f66861a004cd89980c0024b504de54e393337af50cde252e92702ddcd7c5bb0abe80

C:\Windows\rss\csrss.exe

MD5 b8bbbebf6a96db29f8a6c2c3e2726b72
SHA1 074958a02f3c65261dfe5d4c349b7af4849ee707
SHA256 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
SHA512 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 78d83f53eba30d5e038b012fff23ac61
SHA1 569e17ffafc8604e270bd863990ba046f117c010
SHA256 76b36391a414fb593af45bd305e99e91553d3bc3fce5454de11cd4950d921d0d
SHA512 187eeaac713448e904b836956b542d53d21b4909b15e411335bdb9273cfb6d765cc9dcba7711e2c351dfa17ea4fcfdfb13db97cd703cc4173c19bb77521ae0ae

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 3c7a3749a76fd55317e8e339e17130a1
SHA1 b7bb194de0ac132e056022efd4f784fef7c9b451
SHA256 3dcc6488922494427f05c0c26fccac3cba307c530b3b3369596ef9312d39f314
SHA512 2e83d22a7a61f7027c308fa2e5e2012b18ad60d81af383eae12190738504786e73c0cf617a608c554bb91a458fc79c5081283b21684a3b121ecd0cf3c6ee9838

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 47ed0dc8d2abb65c55ca4867d82159e9
SHA1 64fca409524b03cd3a0b1f24e984c4634ce95c2f
SHA256 433f4ad1c526c2bb1ba22d551ee27072385bc4ffef9df0feb2402fc13e5d26b5
SHA512 b1bc448df383785b1bf3171b5927216579b7fd00b6b8b6fb17d4afad8970afccaabb6e6f4891c8869239b3af473703051aece5d98e7e6adf1c3f3f8a9559e73c