Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-gbmqbsaa9x
Target c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
SHA256 c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
Tags
dcrat glupteba smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx lumma
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd

Threat Level: Known bad

The file c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe was found to be: Known bad.

Malicious Activity Summary


Lumma Stealer

Glupteba

DcRat

Glupteba payload

Windows security bypass

SmokeLoader

Detects executables containing URLs to raw contents of a Github gist

Modifies boot configuration data using bcdedit

Detects Windows executables referencing non-Windows User-Agents

Detects executables packed with VMProtect.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables containing artifacts associated with disabling Windows Defender

UPX dump on OEP (original entry point)

Detects executables containing a Discord URL observed in first stage droppers

Stops running service(s)

Drops file in Drivers directory

Modifies Windows Firewall

Creates new service(s)

Downloads MZ/PE file

Possible attempt to disable PatchGuard

Windows security modification

Checks computer location settings

Loads dropped DLL

Deletes itself

UPX packed file

Reads data files stored by FTP clients

Executes dropped EXE

Reads user/profile data of web browsers

Writes to the Master Boot Record (MBR)

Manipulates WinMon driver.

Manipulates WinMonFS driver.

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Modifies data under HKEY_USERS

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of SendNotifyMessage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 05:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 05:37

Reported

2024-02-27 05:40

Platform

win7-20240221-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C8CD.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first stage droppers

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\Winmon.sys C:\Windows\rss\csrss.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\C8CD.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMon driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMon C:\Windows\rss\csrss.exe N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D607.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2912 set thread context of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 616 set thread context of 856 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe
PID 616 set thread context of 1560 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\wusa.lock C:\Windows\system32\wusa.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C6C.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hwgsarg N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hwgsarg N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C6C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1C6C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\hwgsarg N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 409c415d3f69da01 C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a42000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = [blob data elided] C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
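
The key name under SystemCertificates\ROOT\Certificates is the certificate's SHA-1 thumbprint, and the Blob value is CryptoAPI's serialized-certificate property list: property 3 carries that hash, property 0x20 carries the DER certificate. The Blob recorded above starts exactly that way (hash DF3C24F9..., then a 0x392-byte DER), and the DER's subject is readable in the hex as "DigiCert Global Root G2", a public root. Windows can write a Blob of this shape itself when chain building pulls a root in through automatic root update, so a "Modifies system certificate store" hit is a reason to decode the entry and compare the thumbprint against known roots, not by itself proof that a rogue CA was installed. The parser below is an added example for this report, not sandbox code: it walks the property list, reports a truncated final record, and checks that key name, stored hash and sha1(DER) agree. REPORT_BLOB_PREFIX is the first 48 bytes of the Blob above; FAKE_DER is a constructed 4-byte placeholder, not a certificate.

```python
"""Decode a SystemCertificates 'Blob' registry value and check that the
registry key name is the SHA-1 thumbprint of the embedded certificate.
Added example for this report, not sandbox code.  The Blob is CryptoAPI's
serialized certificate: a run of records (uint32 property id, uint32
reserved = 1, uint32 length, data); property 3 is the SHA-1 hash and
property 0x20 is the DER certificate."""
import hashlib
import struct

PROP_SHA1_HASH = 0x03   # CERT_SHA1_HASH_PROP_ID
PROP_CERT = 0x20        # CERT_CERT_PROP_ID: the raw DER certificate

# Start of the Blob written to ROOT\Certificates\DF3C24F9... above: the
# 20-byte SHA-1 property, then the header of property 0x20 announcing a
# 0x392-byte DER certificate.  The DER body is not reproduced here.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a4"
    "2000000001000000920300003082038e"
)

def parse_blob(blob):
    """Return {property id: data}.  A final record whose declared length
    runs past the end of the buffer (truncated dump) is stored under
    ('truncated', id) as (declared length, bytes actually present)."""
    props, off = {}, 0
    while off + 12 <= len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} at offset {off + 4}")
        off += 12
        data = blob[off:off + length]
        if len(data) < length:
            props[("truncated", prop_id)] = (length, data)
            break
        props[prop_id] = data
        off += length
    return props

def expected_key(der):
    """Key name CryptoAPI would use for this certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def thumbprint_matches(key_name, blob):
    """True only if key name, stored SHA-1 property and sha1(DER) all agree."""
    props = parse_blob(blob)
    der, stored = props.get(PROP_CERT), props.get(PROP_SHA1_HASH)
    if der is None or stored is None:
        return False
    key = key_name.upper()
    return expected_key(der) == key and stored.hex().upper() == key

def build_blob(der):
    """Serialize a minimal Blob (hash property + certificate property)."""
    out = b""
    for prop_id, data in ((PROP_SHA1_HASH, hashlib.sha1(der).digest()), (PROP_CERT, der)):
        out += struct.pack("<III", prop_id, 1, len(data)) + data
    return out

# Constructed stand-in for a certificate (a 4-byte DER SEQUENCE holding a
# NULL), used only so the round trip can be checked offline.
FAKE_DER = bytes.fromhex("30020500")

if __name__ == "__main__":
    for prop, data in parse_blob(REPORT_BLOB_PREFIX).items():
        print(prop, data.hex() if isinstance(data, bytes) else data)
    print(thumbprint_matches(expected_key(FAKE_DER), build_blob(FAKE_DER)))
```

To check the real entry, pass the complete hex Blob value to parse_blob and hand property 0x20 to any X.509 decoder; a key name that does not equal sha1(DER) means the entry was not written through CryptoAPI and deserves its own investigation.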

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
(62 further events with no description, indicator, process or target attributed)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 2132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\B396.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\B396.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\B396.exe C:\Windows\SysWOW64\WerFault.exe
PID 2132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\B396.exe C:\Windows\SysWOW64\WerFault.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 1288 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 1288 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 1288 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 1288 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D607.exe
PID 1288 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D607.exe
PID 1288 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D607.exe
PID 1288 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D607.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1288 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe
PID 1288 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe
PID 1288 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe
PID 1288 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe
PID 1288 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6C.exe
PID 1288 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6C.exe
PID 1288 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6C.exe
PID 1288 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6C.exe
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2260 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
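
The rows above are one event per WriteProcessMemory call, so each parent/child pair repeats, and the Process column is N/A for PID 1288, which writes into every first-stage dropper but is never itself a target, so its image never appears in this table. The following is an added example for this report, not sandbox code: it folds the rows into a parent/child tree with call counts and marks roots (PIDs that write to others but are never written to), whose image has to be recovered from the Processes list instead. The rows it parses are a constructed subset of the table: each pair once, except 1288 -> 2132, which keeps its four rows so the counter has something to count.

```python
"""Rebuild the parent/child chain from the 'Suspicious use of
WriteProcessMemory' table above.  Added example for this report, not
sandbox code.  The rows are a constructed subset of that table: each
parent/child pair once, except 1288 -> 2132, which keeps its four rows."""
from collections import Counter

SAMPLE_ROWS = r"""
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 1288 wrote to memory of 2132 N/A N/A C:\Users\Admin\AppData\Local\Temp\B396.exe
PID 2132 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\B396.exe C:\Windows\SysWOW64\WerFault.exe
PID 1288 wrote to memory of 2440 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2440 wrote to memory of 2496 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1288 wrote to memory of 2912 N/A N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 2912 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\C8CD.exe C:\Users\Admin\AppData\Local\Temp\C8CD.exe
PID 1288 wrote to memory of 2460 N/A N/A C:\Users\Admin\AppData\Local\Temp\D607.exe
PID 1288 wrote to memory of 1636 N/A N/A C:\Users\Admin\AppData\Local\Temp\E564.exe
PID 1636 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\E564.exe C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
PID 1288 wrote to memory of 2260 N/A N/A C:\Users\Admin\AppData\Local\Temp\43A.exe
PID 1288 wrote to memory of 2780 N/A N/A C:\Users\Admin\AppData\Local\Temp\1C6C.exe
PID 2260 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2260 wrote to memory of 1376 N/A C:\Users\Admin\AppData\Local\Temp\43A.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"""

def parse_rows(text):
    """Return (images, writes, order): image path per PID where the table
    gives one, WriteProcessMemory calls per (parent, child), and the
    parent/child pairs in first-seen order."""
    images, writes, order = {}, Counter(), []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 10 or tok[0] != "PID":
            continue
        # Columns: Description (7 tokens), Indicator, Process, Target
        parent, child, proc, target = int(tok[1]), int(tok[6]), tok[8], tok[9]
        if proc != "N/A":
            images[parent] = proc
        images.setdefault(child, target)
        if (parent, child) not in writes:
            order.append((parent, child))
        writes[(parent, child)] += 1
    return images, writes, order

def build_tree(text):
    images, writes, order = parse_rows(text)
    children = {}
    for parent, child in order:
        children.setdefault(parent, []).append(child)
    targets = {child for _, child in order}
    # A PID that writes into others but is never written to is a root of
    # the chain.  Its image is not in this table; look it up in the
    # Processes list (heuristic: often the process a loader injected into).
    roots = [p for p in children if p not in targets]
    return {"images": images, "writes": writes, "children": children, "roots": roots}

def render(tree):
    """Indented text tree, one line per PID, with the call count per edge."""
    lines = []
    def walk(pid, depth, n_writes=None):
        image = tree["images"].get(pid, "<image not in this table>")
        note = f"[{n_writes} write(s)]" if n_writes is not None else "[root]"
        lines.append("  " * depth + f"{pid} {image} {note}")
        for child in tree["children"].get(pid, []):
            walk(child, depth + 1, tree["writes"][(pid, child)])
    for root in tree["roots"]:
        walk(root, 0)
    return lines

if __name__ == "__main__":
    print("\n".join(render(build_tree(SAMPLE_ROWS))))
```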

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe

"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"

C:\Users\Admin\AppData\Local\Temp\B396.exe

C:\Users\Admin\AppData\Local\Temp\B396.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 124

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C063.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C063.dll

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

C:\Users\Admin\AppData\Local\Temp\D607.exe

C:\Users\Admin\AppData\Local\Temp\D607.exe

C:\Users\Admin\AppData\Local\Temp\E564.exe

C:\Users\Admin\AppData\Local\Temp\E564.exe

C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp" /SL5="$201E0,2349102,54272,C:\Users\Admin\AppData\Local\Temp\E564.exe"

C:\Users\Admin\AppData\Local\Temp\43A.exe

C:\Users\Admin\AppData\Local\Temp\43A.exe

C:\Users\Admin\AppData\Local\Temp\1C6C.exe

C:\Users\Admin\AppData\Local\Temp\1C6C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\4580.exe

C:\Users\Admin\AppData\Local\Temp\4580.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 124

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053914.log C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp

C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {621DC570-99A2-4D0A-8EFA-FC0F51821EDB} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\hwgsarg

C:\Users\Admin\AppData\Roaming\hwgsarg

C:\Users\Admin\AppData\Roaming\rdgsarg

C:\Users\Admin\AppData\Roaming\rdgsarg

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe
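
Several command lines above disable or lock down defences rather than just run payloads: the bcdedit sequence creates a second boot entry ("Windows Fast Mode") that points at \Windows\system32\osloader.exe and kernel ntkrnlmp.exe with nointegritychecks 1 (driver signature checks off for that entry; Secure Boot rejects this setting, so whether it takes effect depends on the target's firmware), sc sdset WinDefender installs a deny ACE (D;;WPDT;;;BA), Add-MpPreference excludes the whole user profile and ProgramData plus every .exe from Defender, netsh opens the firewall for C:\Windows\rss\csrss.exe, a logon task runs csrss.exe at the highest run level, sc stop eventlog halts logging, and wusa removes KB890830, the Malicious Software Removal Tool. The following is an added example for this report, not sandbox code: rules that pick these lines out of a process list, an SDDL decoder that expands the sc sdset string into named service rights, and a fold of the bcdedit lines into one boot-entry record. Rule names are this example's own labels; the command lines are copied from the Processes table, with the bcdedit lines reduced to the ones that matter.

```python
"""Detection rules over the Processes table of this report, with decoders
for the two commands whose effect is not obvious from the text alone:
the 'sc sdset' SDDL and the bcdedit sequence that builds a boot entry.
Added example for this report, not sandbox code; rule names are this
example's own labels."""
import re

# Service-specific access rights as they appear in SDDL rights strings.
SERVICE_RIGHTS = {
    "CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
    "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP",
    "DT": "PAUSE_CONTINUE", "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

def dacl_aces(sddl):
    """Yield (ace type, [right names], trustee) for every ACE in the DACL."""
    if "D:" not in sddl:
        return
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        f = ace.split(";")          # type;flags;rights;object;inherit;sid
        rights = [SERVICE_RIGHTS.get(f[2][i:i + 2], f[2][i:i + 2]) for i in range(0, len(f[2]), 2)]
        yield f[0], rights, f[5]

def denied_to_admins(sddl):
    """Rights explicitly denied to BUILTIN\\Administrators (alias BA)."""
    return [r for t, rights, who in dacl_aces(sddl) if t == "D" and who == "BA" for r in rights]

def boot_entries(cmdlines):
    """Fold 'bcdedit -create/-set {guid} ...' lines into {guid: {option: value}}."""
    entries = {}
    for c in cmdlines:
        m = re.search(r"bcdedit(?:\.exe)?\s+[-/](create|set)\s+(\{[0-9A-Fa-f-]+\})\s+(.*)", c, re.I)
        if not m:
            continue
        verb, guid, rest = m.group(1).lower(), m.group(2).upper(), m.group(3)
        opts = entries.setdefault(guid, {})
        if verb == "create":
            d = re.search(r'-d\s+"([^"]*)"', rest)
            opts["description"] = d.group(1) if d else ""
        else:
            key, _, value = rest.partition(" ")
            opts[key.lower()] = value.strip()
    return entries

def boot_entry_findings(opts):
    """Reasons a reconstructed boot entry deserves a look."""
    why = []
    if opts.get("nointegritychecks") == "1":
        why.append("kernel code-integrity checks disabled")
    if opts.get("testsigning", "").lower() in ("1", "on", "yes"):
        why.append("test signing enabled")
    if opts.get("path", "").lower() not in (r"\windows\system32\winload.exe", r"\windows\system32\winload.efi"):
        why.append("non-standard OS loader: " + opts.get("path", "<unset>"))
    if "kernel" in opts:
        why.append("kernel image overridden: " + opts["kernel"])
    return why

RULES = [
    ("defender-exclusion", re.compile(r"Add-MpPreference.*-Exclusion(Path|Extension|Process)", re.I)),
    ("firewall-allow-rule", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I)),
    ("logon-task-highest", re.compile(r"schtasks.*/create.*/sc\s+onlogon.*/rl\s+highest", re.I)),
    ("eventlog-stopped", re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt-removed", re.compile(r"wusa\s+/uninstall\s+/kb:890830", re.I)),
    ("service-from-programdata", re.compile(r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?C:\\ProgramData', re.I)),
    ("boot-entry-dse-off", re.compile(r"bcdedit.*\bnointegritychecks\s+1\b", re.I)),
]

def classify(cmdline):
    """Rule labels for one command line (empty when nothing matched)."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    m = re.search(r"\bsc(?:\.exe)?\s+sdset\s+\S+\s+(D:\S+)", cmdline, re.I)
    if m and {"STOP", "PAUSE_CONTINUE", "DELETE"} & set(denied_to_admins(m.group(1))):
        hits.append("service-locked-against-admins")
    return hits

def scan(cmdlines):
    """{command line: labels} for every line that matched at least one rule."""
    out = {}
    for c in cmdlines:
        hits = classify(c)
        if hits:
            out[c] = hits
    return out

WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
GUID = "{71A3C7FC-F751-4982-AEC1-E958357E6813}"

# Copied from the Processes table above; bcdedit lines reduced to the ones that matter here.
REPORT_CMDLINES = [
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
    rf'C:\Windows\system32\bcdedit.exe -create {GUID} -d "Windows Fast Mode" -application OSLOADER',
    rf"C:\Windows\system32\bcdedit.exe -set {GUID} path \Windows\system32\osloader.exe",
    rf"C:\Windows\system32\bcdedit.exe -set {GUID} kernel ntkrnlmp.exe",
    rf"C:\Windows\system32\bcdedit.exe -set {GUID} nointegritychecks 1",
    rf"C:\Windows\system32\bcdedit.exe -default {GUID}",
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053914.log C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab',
]
```

Note what the WinDefender descriptor does not take away: the allow ACE for BA still grants WD (WRITE_DAC), WO and SD, so an administrator can rewrite the descriptor with another sc sdset or delete the service outright; the deny ACE only blocks STOP and PAUSE_CONTINUE, which is exactly what sc stop and net stop need.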

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
KR 210.182.29.70:80 trmpc.com tcp
GB 176.67.170.192:9001 tcp
CA 198.245.61.196:443 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
NL 37.139.22.180:9001 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
UA 134.249.185.176:9001 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
N/A 127.0.0.1:49391 tcp
US 8.8.8.8:53 kamsmad.com udp
KR 211.168.53.110:80 kamsmad.com tcp
KR 211.168.53.110:80 kamsmad.com tcp
KR 211.168.53.110:80 kamsmad.com tcp
CH 85.195.208.154:9001 tcp
AT 86.59.21.38:443 tcp
FR 163.172.13.237:9003 tcp
NL 84.54.51.152:443 tcp
US 8.8.8.8:53 kamsmad.com udp
PE 190.12.87.61:80 kamsmad.com tcp
PE 190.12.87.61:80 kamsmad.com tcp
US 8.8.8.8:53 dc72fdac-b61a-4257-ba1f-858aa56c46f3.uuid.statsexplorer.org udp
PE 190.12.87.61:80 kamsmad.com tcp
PE 190.12.87.61:80 kamsmad.com tcp
PE 190.12.87.61:80 kamsmad.com tcp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
PE 190.12.87.61:80 kamsmad.com tcp
PE 190.12.87.61:80 kamsmad.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 163.172.171.111:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 xmr-eu1.nanopool.org udp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.38.228:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 8.8.8.8:53 server9.statsexplorer.org udp
US 8.8.8.8:53 stun4.l.google.com udp
US 8.8.8.8:53 cdn.discordapp.com udp
CH 172.217.210.127:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
BG 185.82.216.108:443 server9.statsexplorer.org tcp
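
Two patterns in the table above are worth separating from the ordinary C2 and download traffic: the connections to xmr-eu1 and xmr-eu2.nanopool.org on 14433 (a Monero mining pool) and the bare-IP TCP connections on 9001 and 9003, the default Tor ORPort values. The following is an added example for this report, not sandbox code: a parser for rows in the table's own "Country Destination Domain Proto" layout that tags DNS lookups, mining-pool hosts, bare-IP connections on ORPort-like ports (a heuristic, since the port alone does not prove Tor) and plain HTTP to a bare IP, then reduces the result to unique host/port indicators. The rows it parses are a constructed subset of the table.

```python
"""Tag rows of the Network table above by what they are likely to be.
Added example for this report, not sandbox code; the rows are a
constructed subset of the table, in its own 'Country Destination Domain
Proto' layout (Domain is absent for bare-IP connections)."""
import ipaddress
from collections import Counter

SAMPLE_ROWS = """\
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.19:80 185.172.128.19 tcp
GB 176.67.170.192:9001 tcp
NL 37.139.22.180:9001 tcp
FR 163.172.13.237:9003 tcp
FR 163.172.171.111:14433 xmr-eu2.nanopool.org tcp
FR 51.15.193.130:14433 xmr-eu1.nanopool.org tcp
US 172.67.34.170:443 pastebin.com tcp
US 204.79.197.219:443 msdl.microsoft.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
"""

MINING_POOL_SUFFIXES = ("nanopool.org",)   # extend with your own pool list
TOR_ORPORT_LIKE = {9001, 9003}             # default Tor ORPort values; heuristic only

def parse_row(line):
    parts = line.split()
    domain = parts[2] if len(parts) == 4 else ""
    ip, port = parts[1].rsplit(":", 1)
    return {"country": parts[0], "ip": ip, "port": int(port), "domain": domain, "proto": parts[-1]}

def looks_like_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def in_suffix_list(domain, suffixes):
    """Exact match or a label boundary, so 'evilnanopool.org' does not count."""
    return any(domain == s or domain.endswith("." + s) for s in suffixes)

def tag(row):
    tags = []
    if row["port"] == 53 and row["proto"] == "udp":
        tags.append("dns")
    if in_suffix_list(row["domain"], MINING_POOL_SUFFIXES):
        tags.append("mining-pool")
    if row["port"] in TOR_ORPORT_LIKE and not row["domain"]:
        tags.append("tor-orport-like")
    if row["port"] == 80 and (not row["domain"] or looks_like_ip(row["domain"])):
        tags.append("http-to-bare-ip")
    return tags

def summarize(text):
    rows = [parse_row(l) for l in text.splitlines() if l.strip()]
    counts = Counter(t for r in rows for t in tag(r))
    return rows, counts

def indicators(rows):
    """Unique (host, port) pairs for tagged non-DNS rows; host is the domain when known."""
    seen = {(r["domain"] or r["ip"], r["port"]) for r in rows if set(tag(r)) - {"dns"}}
    return sorted(seen)

if __name__ == "__main__":
    rows, counts = summarize(SAMPLE_ROWS)
    print(dict(counts))
    for host, port in indicators(rows):
        print(f"{host}:{port}")
```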

Files

memory/2192-1-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2192-2-0x00000000001C0000-0x00000000001CB000-memory.dmp

memory/2192-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/1288-4-0x0000000002C00000-0x0000000002C16000-memory.dmp

memory/2192-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B396.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/2132-18-0x0000000000C70000-0x000000000151F000-memory.dmp

memory/2132-19-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2132-16-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2132-22-0x00000000772E0000-0x00000000772E1000-memory.dmp

memory/2132-21-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2132-23-0x0000000000C70000-0x000000000151F000-memory.dmp

memory/2132-25-0x0000000000090000-0x0000000000091000-memory.dmp

\Users\Admin\AppData\Local\Temp\B396.exe

MD5 82cc23acab8443167922843513004d09
SHA1 947f45d5ad6bae5fc2c26a87e40f9ee2d4fff46f
SHA256 d38813e16cfc5d1446c25e181aea0244663543d77d95ae6897860006bfe77d4e
SHA512 1934fc6008060ab341029adbd81116499755d48bb74c8ff341813a33f7390903c9ac29b97dd770f8e6cc838b0283e032d3e166617be2c1fb6df6600ad834f4ab

\Users\Admin\AppData\Local\Temp\B396.exe

MD5 c2e793eade61c168412f8f2427721fe2
SHA1 4473667cf6f5d77c9af242202b09774273951b7b
SHA256 9694672695c4168ad97cc476ec7e44fd75d8e4d0546c6f970945e342efe5eea0
SHA512 1ce6b3d299f67def8e302226cbcba12183c2d7c3b46686d0c8cd45414de2fe71bde8457be12067fa7301495e0f318ed5a0f8ced9666e7e270d56296fc6f7af46

C:\Users\Admin\AppData\Local\Temp\C063.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2496-32-0x0000000010000000-0x000000001020A000-memory.dmp

memory/2496-33-0x00000000001C0000-0x00000000001C6000-memory.dmp

memory/2912-41-0x00000000033E0000-0x0000000003598000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

MD5 14aa601b5ddbeab4253fa3893dc3a059
SHA1 6924d2ba25c8a153b79a0c77723c37e5c3adbaca
SHA256 8449ec5969a1628c6589bef831a45de067a26db1223cb44ffa57799e12fef1dd
SHA512 dec08a56664deb921e65e60f012378a96612e0da1311bdc18f4d3ba15abf9810e97cfb0588ca27e3c334478cbc911043c3ee5c07fd1b8eb63150919cb6556a05

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

MD5 5c3765edd21ea3b006a127b52585a4ef
SHA1 7f2251e3543b3d5d3764821b9dc92cb5f86c9cfc
SHA256 cc5debd91470b8c71131805276ee0463822f1e80d06938d0c8033668077b648a
SHA512 fcb8739ef14cb52080a8d365901ee6fc8187763f7353b7c6cf7c63dcdab0208b1d1916410ed7fd94db42325fdb61d40e63fa25bce49db8aa5ea53e6ce918eede

memory/2912-42-0x00000000033E0000-0x0000000003598000-memory.dmp

memory/2912-43-0x00000000035A0000-0x0000000003757000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/2352-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C8CD.exe

MD5 34c292f7112a9db3194e6c78ab2fe7b1
SHA1 150dd5ac6efd93b95d167897a2c870c5125df0ab
SHA256 c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01
SHA512 f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be

memory/2352-51-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-48-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-52-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-53-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-54-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-55-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2352-58-0x0000000000230000-0x0000000000236000-memory.dmp

memory/2460-67-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/2460-68-0x0000000000260000-0x00000000002CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D607.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/2132-70-0x0000000000C70000-0x000000000151F000-memory.dmp

memory/2460-69-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1636-75-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E564.exe

MD5 b467afaa58c8c394c60dd3a003da5aa5
SHA1 25811c8408d7b9bc604605a1131e06f533ff1b10
SHA256 a188394902bfe0393b7869912c003cea33b3de114f5f7508ebca1c5ed262a13b
SHA512 6409ca5404793238cb5479cecc44f5f8696908a6dfae6a553ef7d41dfeb48eb23e881014151e3013561383d61690b4fe2b12fb7a607a67475253e3da18f95dcc

C:\Users\Admin\AppData\Local\Temp\E564.exe

MD5 943c6189a9578da1aacaeb312b20aca1
SHA1 9d83cadf8e2ead38da5084342f069e79167abc7e
SHA256 f5a26cae0d7eb46d7f40ed57efe86daf2eb9723c2ae483bfb44bd99b78c52318
SHA512 c7d4ee04ec2e80b18ee39420bfd23bd24fd4ab99db8007c8c50ff4eab9984fb1f3a8ebfc2c42bf79a82732bdc834905cf5ba3aa0e12fc20d419da53e02a765e2

\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp

MD5 14db4253fd181e84e26eebc8f4150402
SHA1 79e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA256 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA512 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e

\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2176-97-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2496-106-0x00000000022C0000-0x00000000023E9000-memory.dmp

memory/2496-107-0x00000000023F0000-0x00000000024FE000-memory.dmp

memory/2496-110-0x00000000023F0000-0x00000000024FE000-memory.dmp

memory/2496-108-0x00000000023F0000-0x00000000024FE000-memory.dmp

memory/2496-111-0x00000000023F0000-0x00000000024FE000-memory.dmp

memory/2352-112-0x0000000002930000-0x0000000002A59000-memory.dmp

memory/2352-114-0x0000000002A60000-0x0000000002B6E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\43A.exe

MD5 cc02fd7fb9b7f2f2f202326167278716
SHA1 c323c60a845105132c9aae0597f1768b82321899
SHA256 41232a0a507e7e0b680b3a353853dcd5818e4a80a89845d3d54facbaf9e5b0b2
SHA512 dd933fc269b2bfe7cdc6eca80b3ff3cfa8c5f65bca624e3ef8e5b0a5f9b5d09ee08100d2fa83f19d096b24f88ba226a005bb415d81b3290206fffe40ef8efca6

C:\Users\Admin\AppData\Local\Temp\43A.exe

MD5 ceae65ee17ff158877706edfe2171501
SHA1 b1f807080da9c25393c85f5d57105090f5629500
SHA256 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA512 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b

memory/2352-122-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1636-124-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2460-123-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2260-125-0x00000000013B0000-0x0000000001C66000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1C6C.exe

MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

memory/2260-133-0x0000000072FE0000-0x00000000736CE000-memory.dmp

memory/2176-136-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2780-137-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2780-138-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/2780-139-0x0000000001B10000-0x0000000001C10000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8ad403ae8cf15c720dc1689b03c0b14e
SHA1 613000bf380626170aecd8c41a4f5f24e38c81d0
SHA256 fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f
SHA512 20ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 fd26cab6c96936e2099e81ca9b288e56
SHA1 f7b705cfc487f8bf805b8f9a57287eba9174cb1b
SHA256 469e51bf5af4cf24653e928e70bb568c663de74669f44bf79bf2289ba0ded64b
SHA512 6e269eab404858b4428c3a935cb70a854d5c3aeeb9cef23d6b7f86ff82ca7439c058af6165c595bb82a2449375725d9cf004af224f1055f16ff53224117691a1

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 34666eafe0fffb6a73e31c1e09ecac4f
SHA1 ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256 d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966

memory/1280-149-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/1288-150-0x0000000003E20000-0x0000000003E36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

memory/2780-151-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 062cf6182ab293727f24f0f5a3989e4e
SHA1 532b2e198ea35cc84b892eefbcb2c6b3ad0a8d0c
SHA256 74382527cd10b02f18582e81c376a854c586f16b77f4c09f93ce304dabfebff1
SHA512 7b3e2efad8907e1d2d20ce428c3994ea661348a83e521684756ce95c79159cb4affe543fe56892cf4e7bb2068434eb6c43b029356a1632748ff5c9694aa34949

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 029a5147d2f0d080800b095d06298a55
SHA1 6d53b0c00f128318d23de9db082989e30369baad
SHA256 cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512 b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 82ae17e8d2ea6295d5c56ae69c03329c
SHA1 c8817bcd252819bb10c200f4dbaa1d8ce21d9d2e
SHA256 2643a468aca491db32f083c13d58fd5c8267efd3ccd22bcf4751ae9f0e0396ba
SHA512 e75d47066cbca69f8ba8f4aa5b98f472f46af2f25acda24aa75f7ce50da4a79072cf11f7d31ab311fdd4d57cc96972c2db2731731e085af8807c81ac2bbcd602

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 8acd77d9746daed81c2d6301971bf946
SHA1 a956f80dbb0d9c4fb6c68336bab7dbc026bcc223
SHA256 aa30509be8ed34c69ef8abb399d5f8fb415420adcb6861f6b423e16ce0104343
SHA512 8482544c7f2291d261b733314404bb22cf9f127f63a9f5806c2f77a1b6aed4856a34dab77b518e177fbe7f21d599b153c655067a96409d362ca8b7cf1d28d664

\Users\Admin\AppData\Local\Temp\nse37F3.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 a23d50d9a350614e308ecdad5b4a1625
SHA1 e7274bbffa89e784935f776c30095410510402dd
SHA256 76daf81875dae24ad6f12d582ad914e328c64dcabd72b73cc626aa4481672b55
SHA512 e0ebefc2792e6e4cf57e10e7ba9d5b46b77ae792a1aa2dbb26835eeef8d4b4129e071260ede0a9a9ab9aadca14b4a42d8c513aba17adb1f3ce9bbb8adce52475

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 39e3485dba00d4aa641a5007a0a5664a
SHA1 281ea5d054b2653f23514709f27b36e3a1695de7
SHA256 41a4d7a4873b018e4cc9e17943d74e3288abd4863bc6aa38133dd9dab5151fdd
SHA512 9297fc7a875667854523095e277c408af30a9b4f1f26ff878d0ed2db88d2dddda273f743399e1db0e3876ef5b10928ca9156eec14e869fd1e68213b6570a8397

memory/1764-183-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/2260-189-0x0000000072FE0000-0x00000000736CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4580.exe

MD5 bce1c01f905c27d62218ee3740ec3007
SHA1 24594b533ec5ebcbbe71affece79823d885da6b8
SHA256 99fdad0b6ae0b9efed09f7b8d0f12e1b620e0b91a9b928a943c1a07cbee74ccb
SHA512 3aad4a5676bd7f07746ea69cb2811006a9479728b27aee799008d56e72eb13fbc99329a9d10f7a9e1849788b883ea6a10334798f8d16936f9afd50b6f01a7596

C:\Users\Admin\AppData\Local\Temp\4580.exe

MD5 abdb0fc1589c9e4b85abd90c4aeaadd8
SHA1 c34042fc0a4ca9a0c85c2d97b3b38adcf3dcb1fb
SHA256 6354a8d08b1cfd002a89ee919f9561adae52d886aeb506d6ade6600b492b01d4
SHA512 3d8351d6ba9945301c189dab8bda2218fd60db25a28a5bdf6e519b28b64d51bd9fbc83504e9da5d59b26deb34ea7c91b88a23e5fe93f8a8e076ed17b240162c8

memory/2352-191-0x0000000002A60000-0x0000000002B6E000-memory.dmp

memory/2352-193-0x0000000002A60000-0x0000000002B6E000-memory.dmp

memory/1280-196-0x0000000002670000-0x0000000002A68000-memory.dmp

memory/1280-197-0x0000000002A70000-0x000000000335B000-memory.dmp

memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2352-202-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1380-201-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1380-205-0x0000000000EA0000-0x000000000194D000-memory.dmp

memory/1380-204-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1380-209-0x0000000000140000-0x0000000000141000-memory.dmp

memory/1380-208-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2460-241-0x0000000002EF0000-0x0000000002FF0000-memory.dmp

memory/2460-242-0x0000000000260000-0x00000000002CB000-memory.dmp

memory/1380-245-0x00000000772E0000-0x00000000772E1000-memory.dmp

memory/1380-246-0x00000000001A0000-0x00000000001A1000-memory.dmp

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 8c07afa756bfdd5993894690ae17c2b9
SHA1 b612a123b274881ed6ae14c27cfdf292e5f44bcf
SHA256 38fbe61690cec7a87a91b1b9b70b37ad92b8bdd330af4d79c1a28afd091bdafc
SHA512 da35cb2db78278b957b3792fa4fb3f02c87690d8547e98918baae5a02cd92c4392f906845048a0d5111c5100b5b90688768b39ddeee605c6985df437c400bcef

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 17ac33687892ee22321d82bc84231087
SHA1 ed49b2452a29883fedf5e4fec183b20227e981b2
SHA256 2da06e79a370ba7f16cca2c952fb8c776d22b9190a29d92d7f9ffa65b8aca213
SHA512 6ad49c1d8a382f1528777d3ebe0d1faa5afb59c64c5592a418992d96a43f33cb2e3c70849edf260418bbbc47034a72203f25036fab86718dbc8c74dd9d16872e

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 6669371ff96389b0ec050b86918a98ac
SHA1 28d2c7360e3f10fa6aff0b2b0bbd384371407cba
SHA256 88147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803
SHA512 d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1380-252-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 540e886ceda4024a5e88f092e8a319e9
SHA1 93e348bc5866518b4ecc3ab851d17b7d767916fa
SHA256 71ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703
SHA512 9d343574b59d39beaec2a484abf314d91fc805acaf3f9b33b099958a535751d290986532a7f86d7f18cdfbea3774104eb62ab7756f0dfb8f98684f9daa046184

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 76b128828f81877a5adfad5eb220a4fd
SHA1 ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4
SHA256 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5
SHA512 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746

\Users\Admin\AppData\Local\Temp\nst66EF.tmp

MD5 c7f4dfe314dd61bc9ff56fdffe58bc58
SHA1 92149a4cc12b6e284f672897408ed7fe2c08cd39
SHA256 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA512 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44

memory/1172-279-0x00000000001B0000-0x00000000001D7000-memory.dmp

memory/1172-278-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/1172-280-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 37bd3380e2dc5ed47b453915f177ab15
SHA1 3d10f3ebc6df0df7c17a559c6b199be8f33aed7b
SHA256 f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62
SHA512 6e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f

memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1968-293-0x0000000002640000-0x0000000002A38000-memory.dmp

memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 d847dbfee9bfc8426168aad888ede9bd
SHA1 f8b60258c711d19ea1d5413a3aee21262d8b8db7
SHA256 fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07
SHA512 4c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1

\Windows\rss\csrss.exe

MD5 d3c015d761ac4697c31779ebd67685fe
SHA1 6eda243187265592a404feca52bf612ddc66e396
SHA256 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea
SHA512 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab

memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 b0ca41b249e5621a4033dc3c024af9f0
SHA1 de5ffceae5a0aee20d080096792eac80d1866e1c
SHA256 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA512 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87

memory/1764-366-0x00000000003C0000-0x00000000003C1000-memory.dmp

memory/1548-367-0x0000000002790000-0x0000000002B88000-memory.dmp

memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 8218955e1527e6b1c3f0450706a3f058
SHA1 3d35e8471e5edfff1c837216b874361b944184f8
SHA256 d8851f3fc28b29f5e2eb99bb46322ea06ec9bd66859032b33c544eaa32339e0f
SHA512 22a5d40a395bb4e8ef7fedd2259d69d9332354296b424456c8f8f390fdacce0d0b21e2d6f4b32bd7d57f0246098dd6a9d81d1796ae924a926e0f3743838e8e5b

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 7e7459420aa37d4cba69726dcb00b6e0
SHA1 74ef97ae662cc823483f23604cc07519e7ac6573
SHA256 90155b1f79e2407b0276efb089a62635b579cbed473cfaa25ad6af6a9095d4a6
SHA512 c9fc66fd4f060549b46a4940fea16f00e048b66f6dd1ab7dfd5ebd7e3d7c1d475a4fc05f3cefdf1652b1361f0806af05a0c80182b3cccd3513d02e249e672ddd

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

memory/2956-398-0x0000000140000000-0x00000001405E8000-memory.dmp

\ProgramData\nss3.dll

MD5 3e0c5d0dfe8abc71d8609b02dba39169
SHA1 038e1207a7dd0c13f64204d9466fbafa8fbc08cb
SHA256 7fd2d86e40a224c67a783dfc6353ce20c559fe4cb6a899b2875c0ec8d97d0f41
SHA512 cb58530108a7fd9b0e4db1814c3e1cd775daa3251aa3f6cf4015f3cdcfba09768273b3fae6f64b0ee6719d8fd17122910d3821aa938b161a5954371ecc1c625b

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 a57e9359f059b26e297acff00e9a73b0
SHA1 7c1e1e406acbcb68ff4cf86ce704a17fc7c5553b
SHA256 19c67eaeb25353a4b8355df153af99324945a14c2423fed2fe6e1591cfb257a8
SHA512 d9173c5303421f1a778ccf4b38544dff2f110771faad2ffccf88cbf4c523b1a56199353651e8d8b75a00a9f5c7f974c6d0019c1b510d83f1bfc8ad39b15ce6bb

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 8edab51831038d0f864172f0597a2d25
SHA1 6f58f86f7a0915ec32d24d66d1c559a0e9802357
SHA256 b016ff01136266c532dd701b150acdc5007b633171b3604fd1d6f75395890c5b
SHA512 53f1d08f7bc2511fb230d26ca2829be6fda0a0d134f249a9f26a415c9ab6c48c3099efbae513cf614aff95acbc699bbc47e8070d31ab1d612adc878e64c043e6

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 a0031c1af251a107fdefd92248c0109f
SHA1 718c473f19a657338ad1fa16d430101bd3754e8b
SHA256 d2442336068a7c1f01aef92380bb953fabbba9d5e7f77d5c66402408fe366d40
SHA512 83e9e68c5baa0e6996731131edda17e682bf72305deb7be959b5b9a42a98d2f7048e86c6983ed7e9d7c8e2e5cbfe00aac106e6e5b073d3372bb6169ed4fac601

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 b082c374b69c223e433a58e7c7f71d10
SHA1 5ad4b0774a575b2843a1f58ea01b3e54bb4afff7
SHA256 e5a2bce4afce10d13fb63931b4dbf9ce53c80b9a6820af7058cf55243e9c5929
SHA512 c1cdfb6fd2c218328146c9f52aa5bd4bbb35237c73f307a9f021d05a045b61746406644c548244fc6ca2104e2bc35f1ab9d29449167c8245e1b618361abb8ec0

memory/1380-421-0x0000000000EA0000-0x000000000194D000-memory.dmp

memory/2956-427-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/1136-431-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/1136-442-0x000000001B180000-0x000000001B462000-memory.dmp

memory/1136-444-0x00000000022A0000-0x00000000022A8000-memory.dmp

memory/1136-450-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/1136-460-0x00000000026E0000-0x0000000002760000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabC93A.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1136-461-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/1136-463-0x00000000026E0000-0x0000000002760000-memory.dmp

memory/1136-462-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

memory/1136-471-0x000007FEF4980000-0x000007FEF531D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarD11A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2976-501-0x0000000019C90000-0x0000000019F72000-memory.dmp

memory/2976-503-0x0000000000D60000-0x0000000000D68000-memory.dmp

memory/2976-515-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

memory/2976-516-0x0000000001200000-0x0000000001280000-memory.dmp

memory/2976-517-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

memory/2976-518-0x0000000001200000-0x0000000001280000-memory.dmp

memory/2976-519-0x0000000001200000-0x0000000001280000-memory.dmp

memory/2976-520-0x0000000001200000-0x0000000001280000-memory.dmp

memory/2976-522-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 fd2727132edd0b59fa33733daa11d9ef
SHA1 63e36198d90c4c2b9b09dd6786b82aba5f03d29a
SHA256 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e
SHA512 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6
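Two things in the dropped-file listing above are easy to miss when it is read by eye: one of the `4580.exe` entries carries the MD5/SHA1/SHA256 of zero bytes (the file was captured empty), and several paths appear more than once with different digests, meaning the same file was rewritten during the run and every distinct SHA256 is a separate indicator. The parser below is an added example written for this page, not tooling from the sandbox that produced the report; the sample text is a constructed subset of the listing, and the function names are mine.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample: a few dropped-file entries copied from the listing above
# (path line, then one hash per line; memory-dump lines carry no hashes).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\4580.exe

MD5 bce1c01f905c27d62218ee3740ec3007
SHA1 24594b533ec5ebcbbe71affece79823d885da6b8
SHA256 99fdad0b6ae0b9efed09f7b8d0f12e1b620e0b91a9b928a943c1a07cbee74ccb

memory/1380-252-0x00000000001B0000-0x00000000001B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

\Users\Admin\AppData\Local\Temp\4580.exe

MD5 540e886ceda4024a5e88f092e8a319e9
SHA1 93e348bc5866518b4ecc3ab851d17b7d767916fa
SHA256 71ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Digests of zero bytes, computed rather than hard-coded: an entry carrying
# these was captured as an empty file.
EMPTY_DIGEST = {algo: getattr(hashlib, algo)(b"").hexdigest()
                for algo in ("md5", "sha1", "sha256", "sha512")}


def parse_dropped_files(text):
    """Turn the flattened listing into [{'path': ..., 'md5': ..., 'sha1': ...}, ...]."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None          # memory dumps have no hash block; stop attaching
        else:
            current = {"path": line}
            records.append(current)
    return records


def normalize_path(path):
    # The listing mixes "C:\Users\..." and "\Users\..." for the same file.
    p = path.lower()
    return p[2:] if p.startswith("c:") else p


def is_empty_file(record):
    # True only if every hash present is the digest of zero bytes; one matching
    # hash beside non-matching ones would point at a transcription error instead.
    present = [a for a in EMPTY_DIGEST if a in record]
    return bool(present) and all(record[a] == EMPTY_DIGEST[a] for a in present)


def empty_file_entries(records):
    return [r["path"] for r in records if is_empty_file(r)]


def paths_with_multiple_contents(records):
    # Same path, different SHA256: the file was rewritten in place during the
    # run, so each digest is a separate indicator worth keeping.
    by_path = defaultdict(set)
    for r in records:
        if "sha256" in r:
            by_path[normalize_path(r["path"])].add(r["sha256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


RECORDS = parse_dropped_files(SAMPLE)

if __name__ == "__main__":
    print("empty files:", empty_file_entries(RECORDS))
    for path, hashes in paths_with_multiple_contents(RECORDS).items():
        print(path, "->", len(hashes), "distinct contents")
```

Running it over the full listing instead of the constructed sample is a matter of pasting the whole block into `SAMPLE`; the memory-dump lines are skipped, so the mixed listing parses as-is.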

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 05:37

Reported

2024-02-27 05:40

Platform

win10v2004-20240226-en

Max time kernel

76s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing Discord URLs observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to raw contents of a Github gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F128.exe N/A
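The registry rows in this section are printed in the kernel's native form (`\REGISTRY\MACHINE\...`, `\REGISTRY\USER\<SID>\...`) with REG_SZ data as a C-style escaped string, which is not what a hunting query or a host check wants. The example below is added here and is not part of the report or its sandbox; it parses rows of the flattened "Description Indicator Process Target" layout (constructed from the rows above), converts them to HKLM/HKU paths, unescapes the data, and pulls out Run-key persistence. The `masquerades_as_system_binary` heuristic is mine: a binary named `csrss.exe` is legitimate only under System32/SysWOW64, so the `C:\ProgramData\Drivers\csrss.exe` value above is flagged.

```python
import re

# Constructed sample: registry rows copied from the tables in this section.
SAMPLE_ROWS = r'''
Key value queried \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\40A3.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\F128.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5555.exe N/A
'''

REG_ROW = re.compile(
    r"^(?P<op>Set value \(\w+\)|Key value queried|Key (?:opened|queried|enumerated)) "
    r"(?P<key>\\REGISTRY\\.+?)"          # lazy: key names may contain spaces ("Control Panel")
    r'(?: = (?P<data>".*"))?'            # only "Set value" rows carry data
    r" (?P<process>N/A|C:\\.*?) (?P<target>N/A|C:\\.*)$"
)

# Images that are legitimate only under these directories (assumption of this example).
SYSTEM_ONLY_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                     "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def nt_to_win32(nt_key):
    # \REGISTRY\MACHINE\... -> ("HKLM", None, ...); \REGISTRY\USER\<SID>\... -> ("HKU", sid, ...)
    parts = nt_key.split("\\")              # ['', 'REGISTRY', 'MACHINE'|'USER', ...]
    root, rest = parts[2], parts[3:]
    if root == "MACHINE":
        return "HKLM", None, "\\".join(rest)
    if root == "USER":
        return "HKU", rest[0], "\\".join(rest[1:])
    raise ValueError("unexpected registry root in " + nt_key)


def unescape(data):
    # Strip the outer quotes and collapse the \" and \\ escapes the sandbox prints.
    return re.sub(r"\\(.)", r"\1", data[1:-1])


def parse_registry_rows(text):
    rows = []
    for line in text.splitlines():
        m = REG_ROW.match(line.strip())
        if not m:
            continue
        op, key, data = m.group("op"), m.group("key"), m.group("data")
        value = None
        if op.startswith("Set value") or op == "Key value queried":
            key, value = key.rsplit("\\", 1)      # last component is the value name
        hive, sid, subkey = nt_to_win32(key)
        rows.append({"op": op, "hive": hive, "sid": sid, "key": subkey, "value": value,
                     "data": unescape(data) if data else None,
                     "process": m.group("process"), "target": m.group("target")})
    return rows


def image_from_command(command):
    # A Run value is a command line; take the quoted path or the first token.
    c = command.strip()
    if c.startswith('"'):
        return c[1:c.index('"', 1)]
    return c.split(" ", 1)[0]


def masquerades_as_system_binary(image):
    p = image.lower()
    name = p.rsplit("\\", 1)[-1]
    return name in SYSTEM_ONLY_NAMES and not p.startswith(SYSTEM_DIRS)


def run_key_persistence(rows):
    out = []
    for r in rows:
        if r["op"].startswith("Set value") and r["key"].lower().endswith(("\\run", "\\runonce")):
            image = image_from_command(r["data"])
            out.append({"location": f'{r["hive"]}\\{r["key"]}\\{r["value"]}',
                        "image": image, "set_by": r["process"],
                        "masquerade": masquerades_as_system_binary(image)})
    return out


ROWS = parse_registry_rows(SAMPLE_ROWS)

if __name__ == "__main__":
    for entry in run_key_persistence(ROWS):
        print(entry)
```

The `location` and `image` fields are what you would hand to a hunting query or a host check; the `sid` on the `HKU` row tells you which user's hive (here the `-1000` RID, the sandbox's logged-on user) the location lookup was made in.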

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\F3D9.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2176 set thread context of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5555.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5555.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\5555.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3448 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDFC.exe
PID 3448 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDFC.exe
PID 3448 wrote to memory of 1152 N/A N/A C:\Users\Admin\AppData\Local\Temp\DDFC.exe
PID 3448 wrote to memory of 456 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3448 wrote to memory of 456 N/A N/A C:\Windows\system32\regsvr32.exe
PID 456 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 456 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 456 wrote to memory of 2136 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3448 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 3448 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 3448 wrote to memory of 2176 N/A N/A C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 2176 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\F128.exe C:\Users\Admin\AppData\Local\Temp\F128.exe
PID 3448 wrote to memory of 4072 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3D9.exe
PID 3448 wrote to memory of 4072 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3D9.exe
PID 3448 wrote to memory of 4072 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3D9.exe
PID 3448 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe
PID 3448 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe
PID 3448 wrote to memory of 1208 N/A N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe
PID 1208 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
PID 1208 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
PID 1208 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\FB7B.exe C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
PID 4724 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4724 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4724 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4724 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4724 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4724 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 3448 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe
PID 3448 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe
PID 3448 wrote to memory of 3956 N/A N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe
PID 3956 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3956 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3956 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3956 wrote to memory of 576 N/A C:\Users\Admin\AppData\Local\Temp\40A3.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3448 wrote to memory of 2908 N/A N/A C:\Users\Admin\AppData\Local\Temp\5555.exe
PID 60 wrote to memory of 2844 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 60 wrote to memory of 1852 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
PID 2844 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2732 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4956 wrote to memory of 3432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3448 wrote to memory of 4360 N/A N/A C:\Users\Admin\AppData\Local\Temp\7820.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe

"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"

C:\Users\Admin\AppData\Local\Temp\DDFC.exe

C:\Users\Admin\AppData\Local\Temp\DDFC.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E9A5.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E9A5.dll

C:\Users\Admin\AppData\Local\Temp\F128.exe

C:\Users\Admin\AppData\Local\Temp\F128.exe

C:\Users\Admin\AppData\Local\Temp\F128.exe

C:\Users\Admin\AppData\Local\Temp\F128.exe

C:\Users\Admin\AppData\Local\Temp\F3D9.exe

C:\Users\Admin\AppData\Local\Temp\F3D9.exe

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp" /SL5="$601EA,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FB7B.exe"

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s

C:\Users\Admin\AppData\Local\Temp\40A3.exe

C:\Users\Admin\AppData\Local\Temp\40A3.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\5555.exe

C:\Users\Admin\AppData\Local\Temp\5555.exe

C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp

C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\7820.exe

C:\Users\Admin\AppData\Local\Temp\7820.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2444

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Roaming\vdgddsd

C:\Users\Admin\AppData\Roaming\vdgddsd

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto

Files

memory/464-1-0x0000000002640000-0x0000000002740000-memory.dmp

memory/464-2-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/464-3-0x0000000002430000-0x000000000243B000-memory.dmp

memory/3448-4-0x0000000000D00000-0x0000000000D16000-memory.dmp

memory/464-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDFC.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/1152-16-0x0000000001220000-0x0000000001221000-memory.dmp

memory/1152-17-0x0000000000410000-0x0000000000CBF000-memory.dmp

memory/1152-18-0x0000000000410000-0x0000000000CBF000-memory.dmp

memory/1152-20-0x0000000001230000-0x0000000001231000-memory.dmp

memory/1152-21-0x0000000001230000-0x0000000001262000-memory.dmp

memory/1152-22-0x0000000001230000-0x0000000001262000-memory.dmp

memory/1152-24-0x0000000001230000-0x0000000001262000-memory.dmp

memory/1152-23-0x0000000001230000-0x0000000001262000-memory.dmp

memory/1152-25-0x0000000001230000-0x0000000001262000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9A5.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2136-29-0x0000000001080000-0x0000000001086000-memory.dmp

memory/2136-30-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1152-32-0x0000000000410000-0x0000000000CBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F128.exe

MD5 34c292f7112a9db3194e6c78ab2fe7b1
SHA1 150dd5ac6efd93b95d167897a2c870c5125df0ab
SHA256 c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01
SHA512 f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be

C:\Users\Admin\AppData\Local\Temp\F128.exe

MD5 358f99ebd079aa6e78769e5cff5d3e46
SHA1 3d39c422633fc9cc7a01eac78b08333be32b5477
SHA256 322043f6f8a01961ffccffc1b9291eb449b3a75c640842512d77e51438b76b1f
SHA512 244fecf5442dab6087ecd052df275f5cb0b02a8fddaef8cc8d83f669cdc8b75e04d898d2ad51b9216f9d60b1a130ba87f3cd8d1d8474c209597dfa24a1b1a4f1

memory/2176-38-0x00000000038B0000-0x0000000003A6F000-memory.dmp

memory/2176-39-0x0000000003A70000-0x0000000003C27000-memory.dmp

memory/4308-43-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F128.exe

MD5 987421f9217166a36da6186bb4f6af33
SHA1 28c4673b54e9df462b2e884c841ac83287d577d5
SHA256 de4f8f970a60c8087aabe2b2ef3092221965d22ba5ae424c9502143bdb66979f
SHA512 15abd8ab39176db089e054205e36297421fb0a4f999cbcca2c6b16993a0b2b9adbc10b11e9210b9611c2991e672c77ed1cf3eac1330bd8ceda094f407121e665

memory/4308-45-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F3D9.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/4308-50-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4072-51-0x0000000002FF0000-0x00000000030F0000-memory.dmp

memory/4072-53-0x0000000002F30000-0x0000000002F9B000-memory.dmp

memory/4308-54-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4308-40-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4072-52-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E9A5.dll

MD5 c63893c98236d8df8e0dd6363b504ebe
SHA1 876082f00af9318877dbd19ad499b268e144ddc2
SHA256 41c42d40dd28ef8db44ed6a04d058e6082016bba29cda362c38f98d4eebd9b17
SHA512 078badac8f6f81f91f44c617f50648a5678aff3797f84c75f16c57af3ed34f55871d6ff0938c3ac56300e7405929dc80d4dbfa6e8ad45449d1d0b920832bc4de

memory/4308-55-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4308-61-0x0000000000910000-0x0000000000916000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

MD5 77a5e9efa3995c196674c746fb575cc1
SHA1 db4b08a0f7299f69c053bc06685e2c66c639ad4b
SHA256 00bcc13982d971952278aca7196e3b527e4364c949f9b318d8d037c657b66cb8
SHA512 6b163d2506f603e8f6ea3a3781087a54ebb69a48ad9ed071291a0776287208cff8adbd9ad0f8f05c02b8ef80ff79a73f12e58ae4c6b2068f0076bc3f63d9c0e0

C:\Users\Admin\AppData\Local\Temp\FB7B.exe

MD5 06a12cfd82d77ade49961ab5d7f38d74
SHA1 25cba6cc18b436fc6d66f9f034594a09c1d59060
SHA256 417b78b02783b07671924839526cc29ab5bac23dbae4a574204cd5e7ad2cb6aa
SHA512 dfa2e2075324f42f8a4497115e8542a031da5a5381088c9ece9fd5a9fcdecbe97b0084482afc3fd65ae84ef9fd7e89ca0fe7376436cf3069663ec27a17c91dad

memory/1208-65-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp

MD5 1756d6fc7bf4213c8f0a521cd42d0ac6
SHA1 871962e45061751468d940000ee536794c269532
SHA256 c4b71ffb200f4b41f95b23aa3a2b90e6f87e5cd7ca4a9234e33ed441dcde7594
SHA512 694a8b76ffd5a1b78d63b628680e8997dbc0f06c4524804cd9da4e4d015c586c5a9145190a6dc44464592ac717df83ccce53401d68cd48703f932c6340e192ad

C:\Users\Admin\AppData\Local\Temp\is-EG3M3.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-EG3M3.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

memory/4724-72-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 bd0af730b5aa6bb4ed361cdf57ca5e02
SHA1 4e2aad9d062125117ec45b264efb922f4aa7c767
SHA256 1d025c2042b4aea56ae53595c8ef990cc5878d276139f38129d2f9019dba8337
SHA512 01b38ffc3f5145b89756398b8469764e19ccec64f887324f4ea9ff93f76060cf378e430b57974d7751f65405a31650e848f88ed098789f6b578cde0d8ba51d0e

memory/3272-117-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/3272-116-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\ProgramData\WBICreatorService 6.5\WBICreatorService 6.5.exe

MD5 fc9adc3be6d2f7b25cca4796edd030b6
SHA1 f3fcf562fc81b282f9c57eba3d8a0bbb78eb4a42
SHA256 880d80e81efe9cc4486e5ca44be1ffc1dfda08b15811700c482c47aa83e1887f
SHA512 c20f4949b1a0227d694ed632fb7e339e407e1a2ccb78919c154d04ed35ea6630d897ec8966d5653f942612a452c87eb23eb15f23cac4b817b76b2a25e4ce71bd

memory/3272-121-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 5c5f370c61a6a5983503033353777995
SHA1 13d63a5c9c5130883d03352e2d50048299a737ce
SHA256 57d2fbd1da84559a9dedd903b9dfacbc3e7807df7855703055b807e71aae64ce
SHA512 713163044c3c6419da016f70c493cd450993eddeb92134457b4eb4f3aa23c1652ae574a238f5bb8e5041a7e2993d111313a29ea4537ce6bd01225d1142e5b683

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 3fa073ec19cd4f54f6bae08997c4eb42
SHA1 e85d64a440bb0b3d7aee8453377be3a72e8a37d4
SHA256 7ea83bdcfaef69652a88b9968b72b1136f69464861a1d4249a61f91d511a021c
SHA512 64e47d8e39a32df79f4dd1d04c5be642ce94afc28a4240bd20a33783125ca3a12f430754ea7b70de15b9ad3b4817479ce26a5207f687b5c6eda6feb219929a56

memory/5092-123-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/5092-125-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/2136-126-0x0000000002E30000-0x0000000002F59000-memory.dmp

memory/2136-127-0x0000000002F60000-0x000000000306E000-memory.dmp

memory/2136-128-0x0000000002F60000-0x000000000306E000-memory.dmp

memory/2136-130-0x0000000002F60000-0x000000000306E000-memory.dmp

memory/4308-131-0x0000000002D80000-0x0000000002EA9000-memory.dmp

memory/2136-132-0x0000000002F60000-0x000000000306E000-memory.dmp

memory/4308-134-0x0000000002EB0000-0x0000000002FBE000-memory.dmp

memory/4308-136-0x0000000002EB0000-0x0000000002FBE000-memory.dmp

memory/4308-137-0x0000000002EB0000-0x0000000002FBE000-memory.dmp

memory/4308-142-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4072-143-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/1208-144-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4724-145-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 b0ca41b249e5621a4033dc3c024af9f0
SHA1 de5ffceae5a0aee20d080096792eac80d1866e1c
SHA256 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA512 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87

memory/5092-155-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4308-156-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40A3.exe

MD5 6e823d0939a45b0898acd98d9199e2ac
SHA1 d5cefac791796cacd8a5e584c33260fb13f6ce21
SHA256 10337b67728d93fa4b79e6dcf029a1ee1a4680c098c87e8fe1425e5788d1b1b0
SHA512 0b5e0943f40680ceb41825a60ddaf4ae60c4099d13593b09cd16abed87c88f2daafd90fe8443643f3cf0e2422bf702679207d86b2a8eec8ba9edade5cffcf676

memory/4308-162-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\40A3.exe

MD5 0866b1a679c5089c802afca72bb3a57f
SHA1 2a2810c95ebebfb258947574c3eb1089a606a118
SHA256 50a8268fd89cba268a210c6f96ac6f342dbcd7b988ab6498c2df9e608097b02a
SHA512 ed3c22ace7add1e7d374b44a49c28969cb49c83459652955415d5d3eac26d43d63bf8720cb86536f29a3f9e44f7f3b352d4376112e6484ff3cf262e6ec057a66

memory/3956-166-0x0000000000250000-0x0000000000B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 02a68215f77ef263c158f621d09beff4
SHA1 ddc8ed5f58de8c18abd15f1bd987e31ff65b7f50
SHA256 f5e8c81a5359189a8ba8d7a38f994b73b2d56d5d62269cfa29ef9144ef51771f
SHA512 e6e7b478443c89cb5e9235a14ca159a1068d48df0f08df2f207df4390d2a2727c096b3905c95d9a35d478c0441e857d99b0d0983aed484a8eafe317843408b40

memory/3956-168-0x0000000073090000-0x0000000073840000-memory.dmp

memory/4072-170-0x0000000002FF0000-0x00000000030F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 a112d52e38281dd98a9257d14cd61869
SHA1 8897dfcb3b7d8e8dc4afae85b8467596237f2479
SHA256 b7e63792be942d46cc141691d71308fcde132cd63a788922f63dee30065313d8
SHA512 cf1e2141036e7ed3f1407712a80a61dcd77ae0ae55e87057b8dded3aa51724d0944d5f5f165583fc6c59a6c8f14a62ec514b12893ed8cbf7c8d782c055b39ca8

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 b8bbbebf6a96db29f8a6c2c3e2726b72
SHA1 074958a02f3c65261dfe5d4c349b7af4849ee707
SHA256 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39
SHA512 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 7ce260e2a94335863c529cd646dfd240
SHA1 30be5706d4307cb9c494f5bb4c6ef5f6dbc1184d
SHA256 977fe08d953af92974b34964f1015b77634e782ccfafbf778374b65e49cdcd60
SHA512 adbd00a1d88012136333e60272ce1256a21f74fe97299fd4a7c153d00422201c7387ee9b0cd6939b5d83e2c73cdcfee23905ee3cd5322da98e318f822db93375

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 c3f0460a60fb14edf70f84e635349d81
SHA1 6cdeee2227100b06b43d27a5f9df9769fcb29adb
SHA256 d0db9fd6f1adbdc15620d6ea5daeda8cca07e59b94fc5ed83eadc11ce8bb227e
SHA512 a09f2e2946c0c2132703347ffb3d88e802ab7080827743686ef662efaacbeb58036f2f34fbe081b434fc72d980678eaef81e9d9e8ee5c40e9cc55b261966782b

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 cf71d723e6a3a2abdb69313657a0862f
SHA1 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256 ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512 b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e

C:\Users\Admin\AppData\Local\Temp\5555.exe

MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

memory/3956-209-0x0000000073090000-0x0000000073840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 493aaadcde8cc6b5c52ac667397b90f7
SHA1 2e00ab93263174991fdf98db28f513a50e43ea0c
SHA256 67b68339c2c694cf43321c5f039a5a23fbfa015fe5ef221d5e4260f1bc0e4d7c
SHA512 f9289fc0734b29060d8fe3b5c0060c79cf9831d56642f09810231d01363a9e4c82522385ec6078cd7b4fda30f436e7acb50636add20c4385b83142727c832716

memory/5092-218-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/2908-219-0x0000000001C20000-0x0000000001D20000-memory.dmp

memory/2908-220-0x0000000001B90000-0x0000000001B9B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsc56C7.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2908-221-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d36d5fcf6f7e6c67304fed7123a7f816
SHA1 e8fd7e15c0e589532c8c2f908f68db1c39b326c5
SHA256 1a50d506c0ff940abf59a98a627d7be435a0cdd2f5beb9271a3c5a362ed76657
SHA512 39927f760d26def097777f2db9f4267ea226f5c36ad96073572be241293975ccaade37b7d491b4894b748fcc2827a5e1152dfb7bef33eec9bc6b992ae00a02fa

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 f26249769d27c4988588974f0afc5ad0
SHA1 e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 0e1985f3d4f4c70a8750ff5cf4114471
SHA1 17aface74c6982fc5547a5aad3b5b2fa4655088a
SHA256 3658d1f63f8a33bf32f2aae9461d6371fa009e0ccc2339c960dced55ff354edd
SHA512 1b9b545cd2668ba6aa2ce6a9910d4d6fa6b1aa0e4b21e433510790aa37c48e0bacc3d8e67aa42103c5d2632136c529a9a784e2510c9d9870bc75bb40c897b1b5

memory/2844-222-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/4724-233-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp

MD5 c7f4dfe314dd61bc9ff56fdffe58bc58
SHA1 92149a4cc12b6e284f672897408ed7fe2c08cd39
SHA256 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA512 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44

memory/1852-235-0x0000000001CA0000-0x0000000001CC7000-memory.dmp

memory/1852-234-0x0000000001D60000-0x0000000001E60000-memory.dmp

memory/1852-236-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/4308-245-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1160-247-0x0000000002870000-0x0000000002C74000-memory.dmp

memory/3448-250-0x0000000000D60000-0x0000000000D76000-memory.dmp

memory/1160-255-0x0000000002D80000-0x000000000366B000-memory.dmp

memory/2908-254-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1852-258-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7820.exe

MD5 b0bea351be866ef906b3833c4895098b
SHA1 c45fdd52e15ed7fe23b403256bf6a5c2fe5544f1
SHA256 87ca94756569c50ea27472db9ac4e7744c9b073977e2ef24d7cb9018beb19dc1
SHA512 27700675f77ade6f32dc805faa350885414429ff14e7d5df936c0a6f352241c96edef976c68bdb4bb15e1be11a3cda91e68daf07539a2e20f6863a90092c0aea

C:\Users\Admin\AppData\Local\Temp\7820.exe

MD5 e05338227a83124f557ed756094a6ff4
SHA1 e759c022e482be13c8650b20832eebfb7f97f850
SHA256 c38e43aa8cd2dc76fda3afbd06a7762beb58ad9e971a09a299a82ab670486fe6
SHA512 95d9f77fae36ba27c6dda9c27f72c16e882278d5b732528223cd41386a11d538a96d20ec8bb309821f2f3f947259c242d78b91ab7c42332b79d0657dff94ae7c

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_320upk4x.qsu.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Roaming\vdgddsd

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e