Malware Analysis Report

2024-11-13 14:08

Sample ID 240227-ffzd9agf28
Target 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
SHA256 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
Tags
glupteba smokeloader pub1 backdoor bootkit dropper evasion loader persistence trojan upx dcrat lumma discovery infostealer rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c

Threat Level: Known bad

The file 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c was found to be: Known bad.

Malicious Activity Summary

glupteba smokeloader pub1 backdoor bootkit dropper evasion loader persistence trojan upx dcrat lumma discovery infostealer rat spyware stealer

Glupteba payload

DcRat

Pitou

Lumma Stealer

SmokeLoader

Glupteba

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

UPX packed file

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 04:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 04:49

Reported

2024-02-27 04:54

Platform

win7-20240221-en

Max time kernel

42s

Max time network

299s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Pitou

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\9022.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1892 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\7B09.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\crvafvr N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\crvafvr N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\crvafvr N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\crvafvr N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2536 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\crvafvr
PID 2536 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\crvafvr
PID 2536 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\crvafvr
PID 2536 wrote to memory of 2572 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Roaming\crvafvr
PID 1088 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1088 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1088 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 1088 wrote to memory of 2512 N/A N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe
PID 2512 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe C:\Windows\SysWOW64\WerFault.exe
PID 2512 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\7B09.exe C:\Windows\SysWOW64\WerFault.exe
PID 1088 wrote to memory of 2348 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1088 wrote to memory of 2348 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1088 wrote to memory of 2348 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1088 wrote to memory of 2348 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1088 wrote to memory of 2348 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2348 wrote to memory of 2580 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1088 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1088 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1088 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1088 wrote to memory of 1892 N/A N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1892 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\8A28.exe C:\Users\Admin\AppData\Local\Temp\8A28.exe
PID 1088 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\9022.exe
PID 1088 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\9022.exe
PID 1088 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\9022.exe
PID 1088 wrote to memory of 1520 N/A N/A C:\Users\Admin\AppData\Local\Temp\9022.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1088 wrote to memory of 1576 N/A N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1576 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\A01A.exe C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp
PID 1088 wrote to memory of 2960 N/A N/A C:\Windows\system32\wusa.exe
PID 1088 wrote to memory of 2960 N/A N/A C:\Windows\system32\wusa.exe
PID 1088 wrote to memory of 2960 N/A N/A C:\Windows\system32\wusa.exe
PID 1088 wrote to memory of 2960 N/A N/A C:\Windows\system32\wusa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe

"C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {CE7A2586-72ED-4F55-B8B9-6DC682F480F4} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\crvafvr

C:\Users\Admin\AppData\Roaming\crvafvr

C:\Users\Admin\AppData\Local\Temp\7B09.exe

C:\Users\Admin\AppData\Local\Temp\7B09.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8306.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8306.dll

C:\Users\Admin\AppData\Local\Temp\8A28.exe

C:\Users\Admin\AppData\Local\Temp\8A28.exe

C:\Users\Admin\AppData\Local\Temp\8A28.exe

C:\Users\Admin\AppData\Local\Temp\8A28.exe

C:\Users\Admin\AppData\Local\Temp\9022.exe

C:\Users\Admin\AppData\Local\Temp\9022.exe

C:\Users\Admin\AppData\Local\Temp\A01A.exe

C:\Users\Admin\AppData\Local\Temp\A01A.exe

C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GRCMT.tmp\A01A.tmp" /SL5="$4016E,2349102,54272,C:\Users\Admin\AppData\Local\Temp\A01A.exe"

C:\Users\Admin\AppData\Local\Temp\BAAD.exe

C:\Users\Admin\AppData\Local\Temp\BAAD.exe

C:\Users\Admin\AppData\Local\Temp\D427.exe

C:\Users\Admin\AppData\Local\Temp\D427.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\37.exe

C:\Users\Admin\AppData\Local\Temp\37.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsy3390.tmp

C:\Users\Admin\AppData\Local\Temp\nsy3390.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227045247.log C:\Windows\Logs\CBS\CbsPersist_20240227045247.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 172.67.171.112:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
ET 196.188.169.138:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
FR 51.210.150.92:14433 xmr-eu2.nanopool.org tcp
LU 107.189.31.181:9001 tcp
MD 178.17.170.13:9001 tcp
UA 134.249.185.176:9001 tcp
GB 82.145.59.127:9001 tcp
US 204.13.164.118:443 tcp
DE 144.76.86.5:8080 tcp
US 23.82.136.14:443 tcp
DE 144.76.86.5:8080 tcp
US 23.82.136.14:443 tcp
US 8.8.8.8:53 cerevorjublmbll.cem udp
US 8.8.8.8:53 hejmbol.ce.uk udp
DE 192.108.48.150:443 tcp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybzdex.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 cerevorjublmbll.cem udp
US 8.8.8.8:53 hejmbol.ce.uk udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 prejegomusprejecjoez.cem udp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybzdex.cem udp
US 8.8.8.8:53 mail.ce.uk udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 yepmbol.cem udp
US 8.8.8.8:53 prejegomusprejecjoez.cem udp
US 8.8.8.8:53 hejmbol.ce.jh udp
US 8.8.8.8:53 yepmbol.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.ce.jh udp
US 8.8.8.8:53 hejmbol.ce.jh udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 bujegrbf.pl udp
US 8.8.8.8:53 smz.cem.pk udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 smz.cem.pk udp
US 8.8.8.8:53 dbze.gev.ce udp
US 8.8.8.8:53 bujegrbf.pl udp
US 8.8.8.8:53 dbze.gev.ce udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 updf.ge.ug udp
US 8.8.8.8:53 smz.cem.pk udp
US 8.8.8.8:53 bujegrbf.pl udp
US 8.8.8.8:53 ybzdex.cem udp
US 8.8.8.8:53 updf.ge.ug udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 educbcoez.edu.de udp
US 8.8.8.8:53 ybzdex.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mail.cerevorjublmbll.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 updf.ge.ug udp
GB 35.176.106.252:995 mail.ce.uk tcp
US 8.8.8.8:53 ybhee.cem.br udp
GB 35.176.106.252:80 mail.ce.uk tcp
US 8.8.8.8:53 ybhee.de udp
US 8.8.8.8:53 ybhee.cem.br udp
GB 35.176.106.252:80 mail.ce.uk tcp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 educbcoez.edu.de udp
US 8.8.8.8:53 gmbo.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ced.ucb.mb udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ezej.pl udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 prejezmbol.cem udp
US 8.8.8.8:53 gmbol.cemcem udp
US 8.8.8.8:53 crebjovesbsk.cb udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 gmbo.cem udp
US 8.8.8.8:53 ced.ucb.mb udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.jr udp
US 8.8.8.8:53 bsors.erg udp
US 8.8.8.8:53 ezej.pl udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.jz udp
US 8.8.8.8:53 prejezmbol.cem udp
US 8.8.8.8:53 love.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ce.uk udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 gmbol.cemcem udp
US 8.8.8.8:53 hejmbol.cem.jr udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 crebjovesbsk.cb udp
US 8.8.8.8:53 bsors.erg udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
GB 35.176.106.252:80 ce.uk tcp
GB 35.176.106.252:443 ce.uk tcp
GB 35.176.106.252:443 ce.uk tcp
US 8.8.8.8:53 dbombru.ozfe udp
GB 35.176.106.252:80 ce.uk tcp
US 8.8.8.8:53 eujleek.cem udp
GB 35.176.106.252:443 ce.uk tcp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mail.prejegomusprejecjoez.cem udp
US 8.8.8.8:53 dbombru.ozfe udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 ftp.ybhee.cem.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ftp.cerevorjublmbll.cem udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 dbombru.ozfe udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ftp.prejegomusprejecjoez.cem udp
GB 35.176.106.252:80 ce.uk tcp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ftp.yepmbol.cem udp
US 8.8.8.8:53 hyperlofe.cem.cy udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 mail.ybzdex.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ftp.ybhee.cem.br udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 ftp.ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mail.ybhee.cem.jw udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 pop.cerevorjublmbll.cem udp
US 8.8.8.8:53 uejjbwb.cb udp
US 8.8.8.8:53 hyperlofe.cem.cy udp
US 8.8.8.8:53 hyperlofe.cem.cy udp
US 8.8.8.8:53 ftp.smz.cem.pk udp
US 8.8.8.8:53 ftp.dbze.gev.ce udp
GB 35.176.106.252:80 ce.uk tcp
GB 35.176.106.252:443 ce.uk tcp
GB 35.176.106.252:80 ce.uk tcp
US 8.8.8.8:53 ftp.eujleek.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 uejjbwb.cb udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ftp.ybzdex.cem udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ssh.cerevorjublmbll.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 hejmbol.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ftp.hejmbol.ce.jh udp
US 8.8.8.8:53 dovoze-loghj.ru udp
US 8.8.8.8:53 hejmbol.cem.br udp

Files

memory/2992-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2992-2-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/2992-3-0x00000000001C0000-0x00000000001CB000-memory.dmp

memory/1088-4-0x0000000002490000-0x00000000024A6000-memory.dmp

memory/2992-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\crvafvr

MD5 c7e909d16fbebfbaf79cfb035ca2a39e
SHA1 2a532e5373cf513995ca3062b6ce110be8785f64
SHA256 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
SHA512 db5c922281a8827438fa05606dc1944e03638656fc7fff2ffdbbf7642acc0fe2387df7488c1be739aacd58096b7a0f22cefa894b28d5a7eb885772d8edcd5f35

C:\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 7f7d42c7648264515e5f367f89b610b3
SHA1 695b578ab84a55d7fc0a1b6081feb427fd94589d
SHA256 27d5bc54e0c3607b7eee147bf65dd28430aa244375f29e517b51bea5f5d32656
SHA512 9a77d9f0afbce3ee04c86afef726dbbf4b462ec833e9630b7103cbd275385846e4e678096248d0e642a93f16ef37b94c7ccffa3c6f9ac9dd97b73510adee1ac4

C:\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 1c6593911d43343e6fe80509de398157
SHA1 a87e0f159cf98b102ed6c9e81753205436cd9fab
SHA256 828e01ed47ba6870c1c1f47b37d3d8eb13b745a4cac49910d51d9a7133751f4d
SHA512 4a80a5927cf280d4d0a0599e3648e1fde4a37ae20a6948345b9b908263c50b398257f2cf10a837de4b5626d633c0e54f0a7825e74e94003b3fc10dda678debdd

memory/2512-18-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2512-20-0x00000000003C0000-0x0000000000C6F000-memory.dmp

memory/2512-21-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2512-23-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2512-24-0x00000000003C0000-0x0000000000C6F000-memory.dmp

memory/2512-26-0x0000000077AD0000-0x0000000077AD1000-memory.dmp

memory/2512-27-0x0000000000100000-0x0000000000101000-memory.dmp

\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 21dc04327028ad817fb935d739393097
SHA1 b6af956b258c11a52c541d8e283240b9022bfb54
SHA256 ee5a9d1426188b18b3ecd96288caf5812300559a17c59586f6b9f48fccb73296
SHA512 35373cbd3c21cbdf5a3b586c4e84ec3f35fc9e6dd3478e4c91d2c2169b7e6b73d554b2341b1ce8d1349d0fa98fb71a636fbb24fd7a33ce749da62ae413e7dcbe

\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 fbeb0cfd3ccf5c8f3214358b776e9ea6
SHA1 8e5799711383effee96b6a109b213614251a2388
SHA256 cc27fa061d24f288e595942e1e2a67e6a7560c6de50bbd096bf15b568a34bb6e
SHA512 7de06fcfc4360e3f9dcb2ca291eab04155fdea931e57ea6b599142e58911e07c575965927b2de2467c842a565b0a8fee0027e06fce3240f4ca664651f4df61be

\Users\Admin\AppData\Local\Temp\7B09.exe

MD5 ef7aece0eb632d723a2ceaace5e71e63
SHA1 12b4331963d2636aee54821258a3b01edafe7c72
SHA256 8531b4e224049cfbd94d338053e380efdb5a7bc832e9e420bd8763a227c051f6
SHA512 4b51ee5b26c113a0539e096e0461ba9d33e5fb23c835045a32e72dbcd5d13e9f0344ed6ad3ecc4356554d1c922729a6192ba89262f9368547dde598ac1330d49

memory/2572-32-0x0000000002490000-0x0000000002590000-memory.dmp

memory/2572-33-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8306.dll

MD5 6db93d04088ee9829170f298903be33f
SHA1 2d1e2d96e2ceac25476035b63f292c050760705e
SHA256 91621349ea97cdfc91a5e9500e259a5a9e50888ca00969621074df57cbfdc6f5
SHA512 c172d1373acc2bb6229eb0568599c6fd3a9bf8e814d7cf215ccfbb8174398437cfb4daa54941b0f55f0ea8000963c9dbfe1bce57b6df6eede1abaed01eebbfec

\Users\Admin\AppData\Local\Temp\8306.dll

MD5 f9f5a31e38f345a84baacc5334946ad2
SHA1 28ede3f046a88ab4cc1145a74b698d22d4fdf53a
SHA256 16221ee100bab1077832284cb263fd34e4f30dd307210155f6cec5d58db66553
SHA512 3e1ea484b1c493e398059341e28d84b37ca570719c50421275eb254f2ac61469378643223eb4b6ba2d04d73519380c68e909c0c782b17fef4cd35dfb23740d17

memory/2580-37-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2580-39-0x00000000001B0000-0x00000000001B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8A28.exe

MD5 06620e1e8b5b6665eb3c9d987bf9cba8
SHA1 cd82c8a12e801e1b34a1f453184b4c504e4a4712
SHA256 1abdbd2b97ea85dadd5f5f7b22b607f0edf5367d89cee2bf241fed13c90392f0
SHA512 0a4186b306d067307de18d97837a4dd6a90a26b3a9f555eb4b9aedd759cc7bf4bad067e2efa341d7e2fc0946699965fa7ded8cb62874fe6d834f88b25d3cfbc5

memory/1892-46-0x0000000003680000-0x0000000003838000-memory.dmp

memory/1892-55-0x0000000003840000-0x00000000039F7000-memory.dmp

memory/2632-57-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2632-58-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1892-54-0x0000000003680000-0x0000000003838000-memory.dmp

memory/2632-59-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2632-53-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8A28.exe

MD5 c8b8659000d725bd2997323bc697fdce
SHA1 ce51a8dca1adf94b4f3052148797ad2af11befa0
SHA256 a9a9ff3d8ede62171ccb327c3302d346be9169ba6ef04020da19a9b7fca5b3dd
SHA512 a2bbee32f225205165ee26b95be5e2dbcaa037391ece48aa899050595102c687ece466b4ff45d7dd04629093048b03e6a75277dc8ba53226e951c34357e9c793

memory/2632-51-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2632-60-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2632-63-0x00000000001C0000-0x00000000001C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\8306.dll

MD5 0cb81e1b36ad20e76e59367bb3065595
SHA1 68351e743f188888aae7975f7821a63212101f5c
SHA256 b549434a26e5be8017539a58afc260e2b3e9ecb936b73280480bd0f0d5cf3ccd
SHA512 7928de3ba79e595526f52cda95b4d670d38a3dca47651169da80486c28b233ab9a8fb0b6974db174deca5efc9fa00061854088860a9260c1709285c3dcd56416

memory/2632-49-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8A28.exe

MD5 11d6e54a4a624c43b0ec26a3184b9f7b
SHA1 56757e86d2643284e63cdaaa260c273ef52c67da
SHA256 2fa5600d1bb520c190d2e5e3a738675b420f239682364a099f97ffd05d6c8b98
SHA512 c961d30ec174b57c8ec1c66432c5d0accc3f3f77efc67999e4ffbca1a314504cc5528d25fc302670175f0c7b87a7fba74fa15ef7834589ff664a60457440b24f

\Users\Admin\AppData\Local\Temp\8A28.exe

MD5 f34d57e839f954a6062fa465f48c8b53
SHA1 16d12f864749aff5c406e94e537039f3e50a3d88
SHA256 503121be42e600ec0c2b4c5a2d89d458dc952d08155591e28517d4816353b0fb
SHA512 486f9a109962b918e8d359f22608eed147a72b3e4918303ff849331915a02a1df7faedd7f4f31520123ae0c0b9b6adcee0b54cb7d412a0556935833bfcdd0bfc

C:\Users\Admin\AppData\Local\Temp\8A28.exe

MD5 e45588bd1b23ca835a43804eed6e30e5
SHA1 7b648cf10e3ee373fb7876093c681a64aff085a8
SHA256 4c8c4b981ef762fc5efd7695532af3d8c6b179a9d2b1e1193a03268c2968b282
SHA512 449e471686898b3add78a7b3d68af564b243e67d067bff7f6ad4293d81280a1aafa2aa846008ed8240c610f470f40c32631ffb7d6c761f8a19343caa35b2fb2c

C:\Users\Admin\AppData\Local\Temp\9022.exe

MD5 33869f9732902b05af08bb0b946fd412
SHA1 63d704e712cb52c25c75f2ddc373803bd12a9958
SHA256 d83dc045526027eb15ffe9b6db6dbb8abff0fff50b7a17201711c43370547a74

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 04:49

Reported

2024-02-27 04:54

Platform

win10-20240221-en

Max time kernel

98s

Max time network

164s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

Pitou

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Deletes itself

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\EB7C.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4556 set thread context of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aedraaa N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aedraaa N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\aedraaa N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6255.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6255.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\6255.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3128 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\D830.exe
PID 3128 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\D830.exe
PID 3128 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\D830.exe
PID 3128 wrote to memory of 4692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3128 wrote to memory of 4692 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4692 wrote to memory of 3192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4692 wrote to memory of 3192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4692 wrote to memory of 3192 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3128 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 3128 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 3128 wrote to memory of 4556 N/A N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 4556 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\E6F7.exe C:\Users\Admin\AppData\Local\Temp\E6F7.exe
PID 3128 wrote to memory of 3636 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB7C.exe
PID 3128 wrote to memory of 3636 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB7C.exe
PID 3128 wrote to memory of 3636 N/A N/A C:\Users\Admin\AppData\Local\Temp\EB7C.exe
PID 3128 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F447.exe
PID 3128 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F447.exe
PID 3128 wrote to memory of 1348 N/A N/A C:\Users\Admin\AppData\Local\Temp\F447.exe
PID 1348 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\F447.exe C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp
PID 1348 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\F447.exe C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp
PID 1348 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\F447.exe C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp
PID 3128 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe
PID 3128 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe
PID 3128 wrote to memory of 584 N/A N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe
PID 584 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 584 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 584 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 584 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 584 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 584 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 584 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 584 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\2F0F.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4672 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4672 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4672 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4956 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp
PID 4672 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp
PID 4672 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp
PID 820 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 820 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 820 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3128 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\6255.exe
PID 3128 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\6255.exe
PID 3128 wrote to memory of 5000 N/A N/A C:\Users\Admin\AppData\Local\Temp\6255.exe
PID 820 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 820 wrote to memory of 4232 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3128 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\9741.exe
PID 3128 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\9741.exe
PID 3128 wrote to memory of 1644 N/A N/A C:\Users\Admin\AppData\Local\Temp\9741.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe

"C:\Users\Admin\AppData\Local\Temp\8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c.exe"

C:\Users\Admin\AppData\Roaming\aedraaa

C:\Users\Admin\AppData\Roaming\aedraaa

C:\Users\Admin\AppData\Local\Temp\D830.exe

C:\Users\Admin\AppData\Local\Temp\D830.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DF84.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\DF84.dll

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

C:\Users\Admin\AppData\Local\Temp\EB7C.exe

C:\Users\Admin\AppData\Local\Temp\EB7C.exe

C:\Users\Admin\AppData\Local\Temp\F447.exe

C:\Users\Admin\AppData\Local\Temp\F447.exe

C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp" /SL5="$601FA,2349102,54272,C:\Users\Admin\AppData\Local\Temp\F447.exe"

C:\Users\Admin\AppData\Local\Temp\2F0F.exe

C:\Users\Admin\AppData\Local\Temp\2F0F.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp

C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\6255.exe

C:\Users\Admin\AppData\Local\Temp\6255.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\9741.exe

C:\Users\Admin\AppData\Local\Temp\9741.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
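
The command lines above form the sample's persistence and defense-evasion chain: a Defender exclusion for the whole user profile and ProgramData via Add-MpPreference, a service named UTIXDCVF whose binary lives under ProgramData, wusa removing KB890830 (the Windows Malicious Software Removal Tool), sc stopping the Windows Event Log service, a scheduled task that reruns every 30 minutes, and regsvr32 silently loading a DLL from Temp. The detection logic below is an added example written for this report, not sandbox output: it runs a few regex rules over those command lines (copied here as constructed sample input, with the sc delete, sc start and bare powershell lines kept as controls that should not fire) and tags each hit with an ATT&CK technique. The rule names and the technique mapping are assumptions made for this example.

```python
import re

# Command lines copied from the Processes list of this report, used here as
# constructed sample input. The sc delete / sc start lines and the bare
# powershell invocation are controls that no rule should match.
OBSERVED_COMMAND_LINES = [
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\DF84.dll",
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r"""C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force""",
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"powershell -nologo -noprofile",
]

# (rule name, ATT&CK technique, pattern). Names and technique choices are
# assumptions for this example, not taken from the report.
RULES = [
    ("defender_exclusion_added", "T1562.001",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I)),
    ("event_log_service_stopped", "T1562.002",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt_uninstalled", "T1562.001",          # KB890830 is the Malicious Software Removal Tool
     re.compile(r"\bwusa(\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("service_from_programdata", "T1543.003",
     re.compile(r"\bsc(\.exe)?\s+create\s+.*binpath=\s*\"?[A-Z]:\\ProgramData\\", re.I)),
    ("minute_interval_scheduled_task", "T1053.005",
     re.compile(r"\bschtasks(\.exe)?\s+/create\s+.*\s/sc\s+minute\b", re.I)),
    ("regsvr32_dll_from_temp", "T1218.010",
     re.compile(r"\bregsvr32(\.exe)?\s+/s\s+.*\\Temp\\\S+\.dll\b", re.I)),
]


def scan(command_lines):
    """Run every rule over every command line; return (rule, technique, line) hits."""
    hits = []
    for line in command_lines:
        for name, technique, pattern in RULES:
            if pattern.search(line):
                hits.append((name, technique, line))
    return hits


def technique_counts(hits):
    """Collapse hits into {ATT&CK technique: number of matching command lines}."""
    counts = {}
    for _, technique, _ in hits:
        counts[technique] = counts.get(technique, 0) + 1
    return counts


if __name__ == "__main__":
    for name, technique, line in scan(OBSERVED_COMMAND_LINES):
        print(f"{technique:10} {name:32} {line}")
    print(technique_counts(scan(OBSERVED_COMMAND_LINES)))
```

Run as a script to list the hits. The sc delete and sc start lines deliberately produce nothing: deleting or starting a service is too common to alert on by itself, whereas stop eventlog, a binpath= under ProgramData, an MSRT uninstall and a profile-wide Defender exclusion are each specific enough to page on.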

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 191.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 joly.bestsup.su udp
US 172.67.171.112:80 joly.bestsup.su tcp
US 8.8.8.8:53 112.171.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
ET 196.188.169.138:80 trmpc.com tcp
US 8.8.8.8:53 138.169.188.196.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 172.67.202.191:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 associationokeo.shop tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 198.98.51.189:9001 tcp
US 8.8.8.8:53 189.51.98.198.in-addr.arpa udp
NL 103.214.5.96:9001 tcp
FR 178.32.139.118:9001 tcp
US 8.8.8.8:53 96.5.214.103.in-addr.arpa udp
US 8.8.8.8:53 118.139.32.178.in-addr.arpa udp
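
The table mixes three kinds of rows: DNS lookups to 8.8.8.8 (including the reverse in-addr.arpa queries made for each contacted IP), TCP connections to a hostname, and TCP connections to a bare IP, where the Domain column either repeats the IP or is empty. Several hostnames are looked up but never connected to, and the same names are queried again further down the table. Three connections go to port 9001 with no hostname; 9001 is the default Tor relay ORPort, and the Files list below contains cached-microdesc-consensus.tmp and cached-microdescs.new, the directory-cache files a Tor client writes. The parser below is an added example, not part of the report: it takes a representative subset of the rows above as constructed input, separates queried-only domains from connected ones, and lists the port-9001 peers. Treating port 9001 as Tor is a heuristic assumed for the example, not a verified attribution.

```python
# A representative subset of the Network rows above, embedded as constructed input.
NETWORK_ROWS = """\
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
DE 185.172.128.19:80 185.172.128.19 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 198.98.51.189:9001 tcp
NL 103.214.5.96:9001 tcp
US 8.8.8.8:53 189.51.98.198.in-addr.arpa udp
""".splitlines()

TOR_ORPORT = 9001  # default Tor relay port; a heuristic assumed here, not proof of Tor


def parse_row(row):
    """Split one 'Country Destination Domain Proto' row; the Domain column may be absent."""
    fields = row.split()
    if len(fields) == 4:
        country, dest, domain, proto = fields
    elif len(fields) == 3:
        country, dest, proto = fields
        domain = ""
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, _, port = dest.rpartition(":")
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def extract_iocs(rows):
    """Group the rows into DNS-only names, connected names, bare-IP peers and ORPort peers."""
    queried, connected, direct_ip, tor_peers = set(), set(), set(), set()
    for rec in (parse_row(r) for r in rows):
        d = rec["domain"]
        if rec["proto"] == "udp" and rec["port"] == 53:
            # A forward lookup; reverse (in-addr.arpa) lookups carry no new indicator.
            if d and not d.endswith(".in-addr.arpa"):
                queried.add(d)
            continue
        if rec["proto"] != "tcp":
            continue
        if d and d != rec["ip"]:
            connected.add(d)
        else:
            # No hostname: the Domain column is empty or just repeats the IP.
            peer = f'{rec["ip"]}:{rec["port"]}'
            direct_ip.add(peer)
            if not d and rec["port"] == TOR_ORPORT:
                tor_peers.add(peer)
    return {
        "domains_queried": sorted(queried),
        "domains_connected": sorted(connected),
        "domains_queried_only": sorted(queried - connected),
        "direct_ip_connections": sorted(direct_ip),
        "tor_orport_candidates": sorted(tor_peers),
    }


if __name__ == "__main__":
    for key, values in extract_iocs(NETWORK_ROWS).items():
        print(key, values)
```

Queried-only names are still worth keeping as indicators even though no connection followed: a DNS query for them on a host is evidence of the same sample even when the name no longer resolves. The bare-IP peers on port 80 (185.172.128.x and 5.42.64.33 in the full table) have no hostname to block, so the IP:port pair is the only network indicator the table gives for them.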

Files

memory/212-1-0x0000000002370000-0x0000000002470000-memory.dmp

memory/212-2-0x00000000001E0000-0x00000000001EB000-memory.dmp

memory/212-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/3128-4-0x00000000011D0000-0x00000000011E6000-memory.dmp

memory/212-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\aedraaa

MD5 c7e909d16fbebfbaf79cfb035ca2a39e
SHA1 2a532e5373cf513995ca3062b6ce110be8785f64
SHA256 8b8e12ac5250ba8223fe60dfc7ebee3d22d024c3559668b86ed003335b196c1c
SHA512 db5c922281a8827438fa05606dc1944e03638656fc7fff2ffdbbf7642acc0fe2387df7488c1be739aacd58096b7a0f22cefa894b28d5a7eb885772d8edcd5f35

memory/4948-14-0x0000000002460000-0x0000000002560000-memory.dmp

memory/4948-15-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D830.exe

MD5 a4f5f9847a2832716cd5d277e0e5a7c6
SHA1 4eb056c5d2f7c5d5446aabf3923d851e6e79bbb7
SHA256 a27ca48051ef259e682baf3e819b82b40caaa19f1d749469335000155dfde548
SHA512 13945c10c1b1d43fa276cb5f38607b160787f7a2f834f055250c2cb81b194e7ddc935affb8981ea1e6792aea92c9c349a6642c8e5b28e59a3c4a01d731f499d3

C:\Users\Admin\AppData\Local\Temp\D830.exe

MD5 9ed08c5738d2181288a020b8cc63e452
SHA1 059faa5b9f454d481cc59c51c39cfd2711eb2cde
SHA256 b6d6a0971e9da925f7be123080c2396cae83f2dd195f6324a6c76fb99eb13620
SHA512 f213e46e04f2a4b080ddf71fe394a06fcc9f1a42ec81b4abaf470d15755fc230095c20d12d15d1147f33632ca7efed56b3630b823e950ddcfccab4b8a229ff7e

memory/2912-20-0x00000000011D0000-0x00000000011D1000-memory.dmp

memory/2912-22-0x00000000003E0000-0x0000000000C8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DF84.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

\Users\Admin\AppData\Local\Temp\DF84.dll

MD5 e365002c794423e4072d83b42330a97b
SHA1 7213e658f511e9ba1951dcbda807bf0272a21663
SHA256 77c709fa16ffc095898d3f7a7c0d2fb1232f7d3e487b69a5f654321224a0fcdd
SHA512 3e94791eff16f4ec2c618b24020f8f8843a2805ea762d801d7f2d4116a8bcb8b3ed508c7d2634fe578ca092eaa847073d12faf4aae68a9541e34888514fec8ec

memory/3192-27-0x0000000002CC0000-0x0000000002CC6000-memory.dmp

memory/3192-28-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2912-30-0x00000000003E0000-0x0000000000C8F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

MD5 4edeff5dde798f98e3350ee909a34c2e
SHA1 8a5bed7a25016e6241399dc39b6247a42f483439
SHA256 6e1c29596ca0552e3610c1db4ed31aaa9b293762661a855a201da588341f3b7e
SHA512 ba0829b325a37119915649cf78e1fd7d44cd9331f2119ffaed9abfabc23b4665e78ea5d0f24445ba97bbd3c554e75e2eda8174395af11fc0c6bf6de148940ee3

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

MD5 ae2581d517391e8b5e0efc9f5f6ec926
SHA1 7a111027e39d14e8ca1389550e1c557df6b833fb
SHA256 f211956e306c81c84fba75d3e82adcd854a19303258906aeb320e047b86f8ebf
SHA512 dca94b622c86f6c6d62978f809aa0991f0f8a7ab0f84cd945633c828d1d05408bead142ecddde7b92ce91391864b6bcefe2cd1e46ad85c942784b58ec348efc1

memory/4556-36-0x0000000003880000-0x0000000003A43000-memory.dmp

memory/4556-37-0x0000000003A50000-0x0000000003C07000-memory.dmp

memory/64-38-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E6F7.exe

MD5 b24cf0af7c58489dfed22d6cd814effe
SHA1 ebbb344fa52d05e4104eb9389f80860a0d4ff039
SHA256 391b77cd29d1b20f3bd7a8a08f5ce0027146ee909f061914209d23875684ebf6
SHA512 219695f483adf09b38212e51f4f7b75250b2d07bf714e1d753fedf7e840832607a39fc32d992843c0480b0ec6fcbfe675c1fa5b28bbc2d30bde68758bd65bfe2

memory/64-40-0x0000000000400000-0x0000000000848000-memory.dmp

memory/64-41-0x0000000000400000-0x0000000000848000-memory.dmp

memory/64-42-0x0000000000400000-0x0000000000848000-memory.dmp

memory/64-43-0x0000000000400000-0x0000000000848000-memory.dmp

memory/64-44-0x0000000000400000-0x0000000000848000-memory.dmp

\Users\Admin\AppData\Local\Temp\DF84.dll

MD5 3214eb9a7085b54ed45ef107f5d23af3
SHA1 cbeaf79f126fc8ce0f0d4e6625638cfe3013c357
SHA256 142b169237563aa871dd5078ac3bc6ebe583c57c89a898f8e422eeda8c8211fb
SHA512 bef57689faed8e3a2a8b5a1aef0aef682ff4280ab9dea9db0f66790da01492151e3f95d516afac3a01c7bc70fe66bd0844259fe16c6e377180e8ecacb3ae0d8c

memory/64-48-0x0000000000B00000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EB7C.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/4948-54-0x0000000002460000-0x0000000002560000-memory.dmp

memory/3636-57-0x00000000049A0000-0x0000000004A0B000-memory.dmp

memory/3636-55-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

memory/3636-56-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/3192-59-0x0000000004840000-0x0000000004969000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F447.exe

MD5 27b1a15e825dd98b117614fa3aafc2e3
SHA1 4b8d5230ba222426bdf4c1920c6847ce1f0266bc
SHA256 bea4d7f93ca1d9716e4f3d7ef99e583a197d3f8d9b8f358b048bbcee50d4927b
SHA512 3ed2c6213ef2380c3d6db6241c4fb0ed786327c4bca9a2e5078f54c072788564f2778166b32206b830375ea21fdb8f285be313020807d14e65ec3611eb64f1a8

memory/1348-63-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F447.exe

MD5 3418def18982652c437fb29bc9dd371c
SHA1 70f81689cda69c536e08a891ecd41eb246a0ec3c
SHA256 2f12308d4525544d5c18e8d836d12ff38e6899409e0efad9c332b082cd2c03a1
SHA512 9feb4bab4148e59bd87a99d1f9d99ede760f4746a7de639d8653010ddee855239f4d6360b2c80507187c15334b3a75bbfb9a432e923c287f68ade4b51bdfb508

memory/1348-67-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp

MD5 3340d143662cfbfb99273ce0ac9e1a34
SHA1 11ae91048f408c11e93b0e7cb439e416ba57b1ce
SHA256 941c79b5170d94a5d91a3c5a5326002c9dd770e343559bd6e055260ab23a1381
SHA512 4683b85b4a097052f48167e415978dfcd63ddec366b53a12013863fe29b7384d3a94aea25411aa7769d9dbbca5514b232b96cb9723ca48fca41831b5272d29ac

C:\Users\Admin\AppData\Local\Temp\is-D8OM8.tmp\F447.tmp

MD5 58deb1f2f6abb82f16cc4d089e4309ce
SHA1 4951d4cf23936670af1faea7e9aff3bf4a976f70
SHA256 95e67eb0fce00ca4cd021ce8dedb61326881f30b908f36adae7ded7ea9d4f7ce
SHA512 01c9e1e6a4d2b3812db75c962a883f366ba7e42c28a37f8dd67d824d71aeed87ea8873bc1d1e4e4b9149326256778b761f299f360d07ec61ba145eb25a8cc682

\Users\Admin\AppData\Local\Temp\is-JDDNS.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-JDDNS.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/5016-86-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/3192-95-0x0000000004970000-0x0000000004A7E000-memory.dmp

memory/3192-96-0x0000000004970000-0x0000000004A7E000-memory.dmp

memory/3192-98-0x0000000004970000-0x0000000004A7E000-memory.dmp

memory/3128-99-0x0000000002B00000-0x0000000002B16000-memory.dmp

memory/64-100-0x0000000002CD0000-0x0000000002DF9000-memory.dmp

memory/64-102-0x0000000002E00000-0x0000000002F0E000-memory.dmp

memory/64-104-0x0000000002E00000-0x0000000002F0E000-memory.dmp

memory/4948-107-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/3192-108-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1348-113-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3636-112-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/5016-114-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2F0F.exe

MD5 aeaefbc7191137e1e86080b4bb17345b
SHA1 64076073e426b71f9ff087708dab60a5daa9ef27
SHA256 dc1be7461d1d69d41070ee4dc78aa0cc93518c408ca78f2c57eff05d45d9032c
SHA512 f7bfa845d5730993bad78699c8d348621c785c4a9a8d58bbf9be58c1562cf7ff75fc42e42dcc512a1f312e9d34081e41218f0555b1817948b865faf442e0315e

C:\Users\Admin\AppData\Local\Temp\2F0F.exe

MD5 09daace6074ca06ea3737d622083d5dd
SHA1 eb5e13591e3e86cfd51c0f284ca323aace0d1501
SHA256 bb7d28c3a4d3efc1b473a7b07c4d4af8ce775d1461eae61f6913c81b745997b2
SHA512 b5eff759b219614869d18b50fe80490a75a76db474f5f55d783b991f7fb5ecbc7b904a956a42badb6e6b9b08921b9dc00e567ff786b7ea315a9222c6944cc541

memory/584-120-0x0000000000B80000-0x0000000001436000-memory.dmp

memory/584-121-0x0000000072E50000-0x000000007353E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8c9607a8c8359d15ec05a327be0b80a8
SHA1 645ef703da82d57f169789d42c5c88625548bcc1
SHA256 924f06d5c5dfa4ac57ea02f3899d9e083a61844d3e86372fc5d71e0e184df233
SHA512 60880b8445341e3ad208977d2d328e497243dc6d5d51dc6a35923752f83cc8e621d6ca377d8638ef4415689f6e74e230bfa8a29953d639a5757bdf94a8d5dda1

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 f30b31cd985bb3b4c2dced17df5ed9fb
SHA1 94a2218267ddd03b538636ace0593e38f52c9b5a
SHA256 b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645
SHA512 648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 c0a62641779a00a6ee4c01686de53107
SHA1 1cb45213ea856f778f2dd76983420139e64d17ab
SHA256 2312e31bb06e52e177d4a7ff2bc2d508c44ee1959dfc85ba99c0c5b5f80b7fdb
SHA512 7a1cdf556bce31591885812c48f013f3d5250ed4f0e2eacd239bc9366b42a48508cc92434138cc31703a28add32a9ce3efc11a289db1b5848a75ac5c33c39303

\Users\Admin\AppData\Local\Temp\nsg3A27.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 95bf71504e0b7d40a0b230128eda2910
SHA1 d544e844f5bdbe1ddc3df0bdc5dd47fbc89c0aca
SHA256 f5bc93a03932e8dae0bf721685ac6bcc7052662ed709013617806cb6294fc373
SHA512 c008a5ef865a50dfe40e8a8c7c64200265a8ed41987651b0e0915294f4d43019ad8aaf53c49881596dc0088a589f45e223ced97c12de6dab36b7284620f3babd

memory/584-145-0x0000000072E50000-0x000000007353E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 62fb6e9c5d9d7542af9c141a0f860992
SHA1 ee0836d9c9c259d1e75cc8a9a8ebdd88ea1b01db
SHA256 69a2e13a0b31019893de9fee03eefd52ae3aef1a37c9ab4f21f9dc0155f16ef5
SHA512 e3c9e2dd1da1a19ffd1cf5edfec1dcf7d287505fc2951264e6ddb27c96f4857ebed60640ece133120091806523af06004a5fb0f0ce7a68e98027298eb304707a

memory/4956-151-0x0000000002420000-0x0000000002421000-memory.dmp

memory/4964-160-0x00000000028E0000-0x0000000002CDC000-memory.dmp

memory/4964-161-0x0000000002DE0000-0x00000000036CB000-memory.dmp

memory/4964-162-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp44A7.tmp

MD5 9089c5ddf54262d275ab0ea6ceaebcba
SHA1 4796313ad8d780936e549ea509c1932deb41e02a
SHA256 96766ea71dc59a5b1734aba76c1ab1cbc8459a9ee023e9875359667dbf51ea4a
SHA512 ec71801feccd0c900132425d6bc601bcae6e78702b708df80783a752d08c8bdc49f0b0c8e7c37b15a02b381369b8a3c1114d7385796316b834738045f7dc053c

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\6255.exe

MD5 0ca68f13f3db569984dbcc9c0be6144a
SHA1 8c53b9026e3c34bcf20f35af15fc6545cb337936
SHA256 9cd86fa59ea2d10f9b9f3293c132f158fcb7dd993fdb706944f9fe9fa409504a
SHA512 4c3a3be5fda0f9060a08b95383b5260e4079dbcff73849d2fac88520ae625c33a73c5858b25b717fcccebf03c3ad9b19807de8bcfa7ea22be6648cc965072b7d

memory/4956-180-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4964-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4380-182-0x0000000002510000-0x0000000002610000-memory.dmp

memory/4380-183-0x0000000002340000-0x0000000002367000-memory.dmp

memory/4380-184-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/4380-186-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/5000-213-0x0000000002590000-0x0000000002690000-memory.dmp

memory/5000-214-0x0000000002520000-0x000000000252B000-memory.dmp

memory/5000-225-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9741.exe

MD5 abdb0fc1589c9e4b85abd90c4aeaadd8
SHA1 c34042fc0a4ca9a0c85c2d97b3b38adcf3dcb1fb
SHA256 6354a8d08b1cfd002a89ee919f9561adae52d886aeb506d6ade6600b492b01d4
SHA512 3d8351d6ba9945301c189dab8bda2218fd60db25a28a5bdf6e519b28b64d51bd9fbc83504e9da5d59b26deb34ea7c91b88a23e5fe93f8a8e076ed17b240162c8

C:\Users\Admin\AppData\Local\Temp\9741.exe

MD5 56fddd1d25dfd8671136909069c15266
SHA1 479e9718829a0bfaf79899b025149a8cda8b0495
SHA256 c2a643e819ffd588bfe282efe5a24727bdd0af0558bdef6a57575cfb5cfaa70f
SHA512 fa7a8b747ad3e53097e8df901df283408621ca491a1c06c62a721a72794e6ce11e185829bf11cd6314717f50ff0dd31d5cb7b693bcb7eac6c4b755685351ff10

memory/5000-246-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1644-272-0x0000000000E30000-0x00000000018DD000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\ProgramData\nss3.dll

MD5 c8fd377288d30e53e199d46090b8f1f4
SHA1 d7cccc2ccdcbbbd031677e8cd7545e6e96c3fd56
SHA256 dce78b0f4368655b8ad514467967c543035e6dee01c57177e94d063a2ae85233
SHA512 2977586f207fc663ef1d885cf57e3ed478311680cf80e2e1de521d13c073c840283426c57037ed00af02a8efa4ac8602c36c5964b4ec8888fb5a44fbb9ae641f

memory/3636-274-0x0000000002EC0000-0x0000000002FC0000-memory.dmp

memory/1644-277-0x0000000003660000-0x0000000003661000-memory.dmp

memory/1644-278-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-280-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-279-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-285-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-281-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-286-0x0000000003670000-0x00000000036B0000-memory.dmp

memory/1644-298-0x0000000000E30000-0x00000000018DD000-memory.dmp

memory/3860-300-0x000001A9C3510000-0x000001A9C3520000-memory.dmp

memory/3860-299-0x00007FF8BAB70000-0x00007FF8BB55C000-memory.dmp

memory/3860-301-0x000001A9C3510000-0x000001A9C3520000-memory.dmp

memory/3860-302-0x000001A9C3520000-0x000001A9C3542000-memory.dmp

memory/3860-313-0x000001A9C36D0000-0x000001A9C3746000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdnkoref.ees.ps1

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3860-342-0x000001A9C3510000-0x000001A9C3520000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4380-365-0x0000000000400000-0x00000000022D9000-memory.dmp

memory/4964-370-0x00000000028E0000-0x0000000002CDC000-memory.dmp

memory/4964-371-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3860-372-0x000001A9C3510000-0x000001A9C3520000-memory.dmp

memory/1900-380-0x0000000006710000-0x0000000006746000-memory.dmp

memory/1900-381-0x0000000006E70000-0x0000000007498000-memory.dmp

memory/1900-384-0x0000000072870000-0x0000000072F5E000-memory.dmp

memory/1900-386-0x0000000006830000-0x0000000006840000-memory.dmp

memory/1900-385-0x0000000006830000-0x0000000006840000-memory.dmp

memory/1900-387-0x0000000006E40000-0x0000000006E62000-memory.dmp

memory/1900-388-0x0000000007770000-0x00000000077D6000-memory.dmp

memory/1900-389-0x0000000007690000-0x00000000076F6000-memory.dmp

memory/1900-390-0x00000000077E0000-0x0000000007B30000-memory.dmp

memory/1900-391-0x0000000007BF0000-0x0000000007C0C000-memory.dmp

memory/1900-392-0x0000000007C10000-0x0000000007C5B000-memory.dmp

memory/1900-411-0x0000000008C10000-0x0000000008C4C000-memory.dmp

memory/1900-444-0x0000000008D50000-0x0000000008DC6000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 deeef20437d3b23eed705a961dcce21d
SHA1 075ee46aba44d13b4d5fa3ff12e1705af364614d
SHA256 62215ffb49f0951a20df86cd9a097626c0aaa8e75510cd3975d6081ec915eb32
SHA512 aed654d16310ec353a99f1264b3fdf91ea738bf2954599d9133971f4e24511d73ddb01e6d0c723b6ee6590f31fcb0ac68256cb61b6cc000fed1948c0320ece5a

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 be4e08adb67b58113b8ffe1893c6f321
SHA1 fd32e0a3ccf052472630ce59ea134b03aecb0f58
SHA256 dfade7a38e519c11f4b001bfab3f4c9eeb6f7f077a0533c35a2c2f6820695421
SHA512 8bce21d8995e6f8d7a3e0632bfd891206c91be1d77c3db0eff61a15b07f7a58ebfb997b9a6bd9306b5722922136175e7b38d8382766ecc56fc77444c443d393b

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 5a127694986cf7ccd6fcc0a7478b68d9
SHA1 1a7d70af0600f30e9c735a8cac63bbd3273d048b
SHA256 bc4af5a1e8110a25cac8490e8c67b86cd40f5a48801ce282e8a0918490245888
SHA512 395aeb4ed64aad79a4aac5c4cc92a221902e91f5ee98b3132082992c23e544ea7f3757032ea85672f4e159356c753179f25fa73034334bd47ac71544b35cae66