Analysis Overview
SHA256
c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd
Threat Level: Known bad
The file c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Glupteba
DcRat
Glupteba payload
Windows security bypass
SmokeLoader
Detects executables containing URLs to raw contents of a GitHub gist
Modifies boot configuration data using bcdedit
Detects Windows executables referencing non-Windows User-Agents
Detects executables packed with VMProtect.
Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.
Detects executables referencing many varying, potentially fake Windows User-Agents
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Detects executables containing artifacts associated with disabling Windows Defender
UPX dump on OEP (original entry point)
Detects executables referencing a Discord URL observed in first-stage droppers
Stops running service(s)
Drops file in Drivers directory
Modifies Windows Firewall
Creates new service(s)
Downloads MZ/PE file
Possible attempt to disable PatchGuard
Windows security modification
Checks computer location settings
Loads dropped DLL
Deletes itself
UPX packed file
Reads data files stored by FTP clients
Executes dropped EXE
Reads user/profile data of web browsers
Writes to the Master Boot Record (MBR)
Manipulates WinMon driver.
Manipulates WinMonFS driver.
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Modifies data under HKEY_USERS
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies system certificate store
Suspicious behavior: LoadsDriver
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 05:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 05:37
Reported
2024-02-27 05:40
Platform
win7-20240221-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\C8CD.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing a Discord URL observed in first-stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a GitHub gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\drivers\Winmon.sys | C:\Windows\rss\csrss.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\C8CD.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMon driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMon | C:\Windows\rss\csrss.exe | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\D607.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2912 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\C8CD.exe | C:\Users\Admin\AppData\Local\Temp\C8CD.exe |
| PID 616 set thread context of 856 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\system32\conhost.exe |
| PID 616 set thread context of 1560 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\wusa.lock | C:\Windows\system32\wusa.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab | C:\Windows\system32\makecab.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\B396.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4580.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C6C.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hwgsarg | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hwgsarg | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C6C.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1C6C.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\hwgsarg | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-382 = "South Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\explorer.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-731 = "Fiji Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 409c415d3f69da01 | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-471 = "Ekaterinburg Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = (certificate blob omitted) | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1C6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\hwgsarg | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\rss\csrss.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"
C:\Users\Admin\AppData\Local\Temp\B396.exe
C:\Users\Admin\AppData\Local\Temp\B396.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 124
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C063.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C063.dll
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
C:\Users\Admin\AppData\Local\Temp\D607.exe
C:\Users\Admin\AppData\Local\Temp\D607.exe
C:\Users\Admin\AppData\Local\Temp\E564.exe
C:\Users\Admin\AppData\Local\Temp\E564.exe
C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp" /SL5="$201E0,2349102,54272,C:\Users\Admin\AppData\Local\Temp\E564.exe"
C:\Users\Admin\AppData\Local\Temp\43A.exe
C:\Users\Admin\AppData\Local\Temp\43A.exe
C:\Users\Admin\AppData\Local\Temp\1C6C.exe
C:\Users\Admin\AppData\Local\Temp\1C6C.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\4580.exe
C:\Users\Admin\AppData\Local\Temp\4580.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1380 -s 124
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227053914.log C:\Windows\Logs\CBS\CbsPersist_20240227053914.cab
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp
C:\Users\Admin\AppData\Local\Temp\nst66EF.tmp
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {621DC570-99A2-4D0A-8EFA-FC0F51821EDB} S-1-5-21-406356229-2805545415-1236085040-1000:IKJSPGIM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\hwgsarg
C:\Users\Admin\AppData\Roaming\hwgsarg
C:\Users\Admin\AppData\Roaming\rdgsarg
C:\Users\Admin\AppData\Roaming\rdgsarg
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
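The command lines above are the part of this report that translates most directly into detection logic. The following is an added example, not code from the report or from the sandbox vendor: a small rule set run over those command lines (copied from the Processes section as constructed input). Besides matching the Defender exclusion, the firewall allow rule, the ONLOGON task, the eventlog stop, the MSRT removal and the nointegritychecks boot entry, it decodes the service security descriptor passed to sc sdset so that the effect of the deny ACE (D;;WPDT;;;BA) is spelled out: it withholds SERVICE_STOP and SERVICE_PAUSE_CONTINUE from Administrators, so the WinDefender service cannot be stopped through the Service Control Manager even from an elevated shell. The rule names are the author's; the two-letter right codes follow the SDDL service-rights notation.

```python
"""Offline triage of the command lines recorded in the Processes section.

Added example (not part of the sandbox report or any vendor tooling): the
rules below are the author's own, written against the defence-evasion and
persistence commands this report shows. SAMPLE_CMDLINES is constructed
input copied from the report so the script runs without a sandbox.
"""
import re

# Two-letter access-right codes used in service SDDL strings, mapped to the
# service-specific rights they stand for (SDDL service-rights notation).
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}

# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\((A|D|AU|AL);([^;]*);([^;]*);([^;]*);([^;]*);([^)]+)\)")


def parse_service_dacl(sddl):
    """Return [(ace_type, set_of_right_names, trustee)] for the DACL of a service SDDL."""
    dacl = re.split(r"S:\(", sddl, maxsplit=1)[0]   # discard the SACL (audit ACEs)
    aces = []
    for ace_type, _flags, rights, _obj, _inh, trustee in ACE_RE.findall(dacl):
        if rights.startswith("0x"):                  # numeric access mask: keep as-is
            names = {rights}
        else:
            names = {SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)}
        aces.append((ace_type, names, trustee))
    return aces


def rights_denied_to_admins(sddl):
    """Rights an explicit deny ACE withholds from BUILTIN\\Administrators (BA)."""
    denied = set()
    for ace_type, rights, trustee in parse_service_dacl(sddl):
        if ace_type == "D" and trustee == "BA":
            denied |= rights
    return denied


# Rule name -> pattern. Each one is keyed to a command line seen in the report.
RULES = [
    ("defender_exclusion", re.compile(r"Add-MpPreference\s+-Exclusion", re.I)),
    ("firewall_allow_rule", re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", re.I)),
    ("logon_task_highest", re.compile(r"schtasks\s+/create.*/sc\s+onlogon.*/rl\s+highest", re.I)),
    ("bcd_nointegritychecks", re.compile(r"bcdedit.*nointegritychecks\s+1", re.I)),
    ("eventlog_stopped", re.compile(r"sc(?:\.exe)?\s+stop\s+eventlog", re.I)),
    ("msrt_removed", re.compile(r"wusa\s+/uninstall\s+/kb:890830", re.I)),
    ("service_sdset", re.compile(r"sc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)),
]


def triage(cmdlines):
    """Return [(rule, cmdline, detail)] for every command line that matches a rule."""
    hits = []
    for line in cmdlines:
        for name, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            detail = ""
            if name == "service_sdset":
                # Spell out what the new DACL takes away from administrators.
                service, sddl = m.group(1), m.group(2)
                denied = sorted(rights_denied_to_admins(sddl))
                detail = f"{service}: denies {', '.join(denied) or 'nothing'} to BA"
            hits.append((name, line, detail))
    return hits


# Constructed input: command lines copied from the report's Processes section.
SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    "C:\\Windows\\system32\\sc.exe stop eventlog",
    "wusa /uninstall /kb:890830 /quiet /norestart",
    "C:\\Windows\\system32\\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1",
    "sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "chcp 1251",                                     # benign: must not match
]

if __name__ == "__main__":
    for rule, line, detail in triage(SAMPLE_CMDLINES):
        print(f"[{rule}] {line[:70]}... {detail}")
```

The rules are deliberately narrow, each keyed to a command this report records, so widen them before reusing them as detections; names such as the csrss task or the UTIXDCVF service change between samples and are not worth matching on, whereas a deny ACE against BA in any service descriptor is unusual enough on a workstation to alert on by itself.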
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 210.182.29.70:80 | trmpc.com | tcp |
| GB | 176.67.170.192:9001 | | tcp |
| CA | 198.245.61.196:443 | | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| NL | 37.139.22.180:9001 | | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| UA | 134.249.185.176:9001 | | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| N/A | 127.0.0.1:49391 | | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
| CH | 85.195.208.154:9001 | | tcp |
| AT | 86.59.21.38:443 | | tcp |
| FR | 163.172.13.237:9003 | | tcp |
| NL | 84.54.51.152:443 | | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | dc72fdac-b61a-4257-ba1f-858aa56c46f3.uuid.statsexplorer.org | udp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | server9.statsexplorer.org | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| BG | 185.82.216.108:443 | server9.statsexplorer.org | tcp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server9.statsexplorer.org | tcp |
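The Network table mixes DNS lookups, resolved connections, connections to bare IPs with no DNS involved, local loopback traffic and Windows background traffic, so it is not usable as a blocklist as it stands. The following is an added example, not code from the report or its sandbox: a parser that reduces the table to deduplicated indicator buckets. It tolerates the rows exported with the empty Domain cell collapsed (where "tcp" sits in the Domain column), drops loopback, keeps domains that were only looked up but never connected to as a separate bucket, and labels the nanopool mining pool, the pastebin/Discord hosting services and Microsoft symbol-server traffic. The sample rows are constructed input copied from the table above; the suffix lists are the author's own triage labels, not anything the report states.

```python
"""Turn the Network table of a sandbox report into a deduplicated indicator list.

Added example, not part of the report or of the sandbox that produced it.
SAMPLE_ROWS is constructed input copied from the report's Network table
(including two rows exported with the empty Domain cell collapsed); the
suffix lists are the author's own triage labels.
"""
import re
from collections import defaultdict

RESOLVER = "8.8.8.8:53"          # the sandbox's DNS resolver, as seen in the table
MINING_POOL_SUFFIXES = ("nanopool.org",)
HOSTING_SUFFIXES = ("pastebin.com", "discordapp.com")
# Microsoft symbol/blob storage and Google STUN: background traffic of a
# crashing Windows box and of common libraries, not operator infrastructure.
BENIGN_SUFFIXES = ("microsoft.com", "windows.net", "l.google.com")

ROW_RE = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")


def parse_row(line):
    """Return (country, dest, domain, proto), or None for header/separator rows.

    Some exports drop the empty Domain cell so that 'tcp' lands in the Domain
    column; move it back to the Proto column.
    """
    m = ROW_RE.match(line.strip())
    if not m or m.group(1) in ("Country", "") or set(m.group(1)) <= set("-:"):
        return None
    country, dest, domain, proto = m.groups()
    if domain in ("tcp", "udp") and proto == "":
        domain, proto = "", domain
    return country, dest, domain, proto


def _has_suffix(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def extract_indicators(rows):
    """Deduplicate the table into labelled indicator buckets."""
    connections = defaultdict(set)   # domain -> {"ip:port", ...}
    looked_up, direct = set(), set()
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        _country, dest, domain, _proto = parsed
        ip = dest.rsplit(":", 1)[0]
        if ip == "127.0.0.1":
            continue                                   # local IPC, not an IOC
        if dest == RESOLVER:
            looked_up.add(domain)                      # DNS query only
        elif domain in ("", ip):
            direct.add(dest)                           # bare IP, no DNS involved
        else:
            connections[domain].add(dest)

    buckets = {"mining": {}, "hosting": {}, "benign": {}, "c2_candidates": {},
               "direct": sorted(direct),
               "dns_only": sorted(looked_up - set(connections))}
    for domain, dests in connections.items():
        if _has_suffix(domain, MINING_POOL_SUFFIXES):
            key = "mining"
        elif _has_suffix(domain, HOSTING_SUFFIXES):
            key = "hosting"
        elif _has_suffix(domain, BENIGN_SUFFIXES):
            key = "benign"
        else:
            key = "c2_candidates"
        buckets[key][domain] = sorted(dests)
    return buckets


# Constructed input: rows copied from the report's Network table.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| GB | 176.67.170.192:9001 | tcp | |
| NL | 37.139.22.180:9001 | | tcp |
| N/A | 127.0.0.1:49391 | tcp | |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| PE | 190.12.87.61:80 | kamsmad.com | tcp |
| KR | 211.168.53.110:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | dc72fdac-b61a-4257-ba1f-858aa56c46f3.uuid.statsexplorer.org | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| FR | 51.15.193.130:14433 | xmr-eu1.nanopool.org | tcp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 162.159.129.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.108:443 | server9.statsexplorer.org | tcp |
""".strip().splitlines()

if __name__ == "__main__":
    for bucket, items in extract_indicators(SAMPLE_ROWS).items():
        print(bucket, items)
```

The "direct" bucket (connections with no preceding DNS lookup, here the :9001 and :9003 peers and the 185.172.128.x hosts) and the "c2_candidates" bucket are the entries worth blocking; the "hosting" bucket should be handled by URL rather than by domain, since blocking pastebin.com or cdn.discordapp.com outright is rarely acceptable, and the "dns_only" bucket shows lookups whose connection never happened in the sandbox window but which will appear on a live host.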
Files
memory/2192-1-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2192-2-0x00000000001C0000-0x00000000001CB000-memory.dmp
memory/2192-3-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/1288-4-0x0000000002C00000-0x0000000002C16000-memory.dmp
memory/2192-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B396.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/2132-18-0x0000000000C70000-0x000000000151F000-memory.dmp
memory/2132-19-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2132-16-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2132-22-0x00000000772E0000-0x00000000772E1000-memory.dmp
memory/2132-21-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2132-23-0x0000000000C70000-0x000000000151F000-memory.dmp
memory/2132-25-0x0000000000090000-0x0000000000091000-memory.dmp
\Users\Admin\AppData\Local\Temp\B396.exe
| MD5 | 82cc23acab8443167922843513004d09 |
| SHA1 | 947f45d5ad6bae5fc2c26a87e40f9ee2d4fff46f |
| SHA256 | d38813e16cfc5d1446c25e181aea0244663543d77d95ae6897860006bfe77d4e |
| SHA512 | 1934fc6008060ab341029adbd81116499755d48bb74c8ff341813a33f7390903c9ac29b97dd770f8e6cc838b0283e032d3e166617be2c1fb6df6600ad834f4ab |
\Users\Admin\AppData\Local\Temp\B396.exe
| MD5 | c2e793eade61c168412f8f2427721fe2 |
| SHA1 | 4473667cf6f5d77c9af242202b09774273951b7b |
| SHA256 | 9694672695c4168ad97cc476ec7e44fd75d8e4d0546c6f970945e342efe5eea0 |
| SHA512 | 1ce6b3d299f67def8e302226cbcba12183c2d7c3b46686d0c8cd45414de2fe71bde8457be12067fa7301495e0f318ed5a0f8ced9666e7e270d56296fc6f7af46 |
C:\Users\Admin\AppData\Local\Temp\C063.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2496-32-0x0000000010000000-0x000000001020A000-memory.dmp
memory/2496-33-0x00000000001C0000-0x00000000001C6000-memory.dmp
memory/2912-41-0x00000000033E0000-0x0000000003598000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
| MD5 | 14aa601b5ddbeab4253fa3893dc3a059 |
| SHA1 | 6924d2ba25c8a153b79a0c77723c37e5c3adbaca |
| SHA256 | 8449ec5969a1628c6589bef831a45de067a26db1223cb44ffa57799e12fef1dd |
| SHA512 | dec08a56664deb921e65e60f012378a96612e0da1311bdc18f4d3ba15abf9810e97cfb0588ca27e3c334478cbc911043c3ee5c07fd1b8eb63150919cb6556a05 |
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
| MD5 | 5c3765edd21ea3b006a127b52585a4ef |
| SHA1 | 7f2251e3543b3d5d3764821b9dc92cb5f86c9cfc |
| SHA256 | cc5debd91470b8c71131805276ee0463822f1e80d06938d0c8033668077b648a |
| SHA512 | fcb8739ef14cb52080a8d365901ee6fc8187763f7353b7c6cf7c63dcdab0208b1d1916410ed7fd94db42325fdb61d40e63fa25bce49db8aa5ea53e6ce918eede |
memory/2912-42-0x00000000033E0000-0x0000000003598000-memory.dmp
memory/2912-43-0x00000000035A0000-0x0000000003757000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/2352-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C8CD.exe
| MD5 | 34c292f7112a9db3194e6c78ab2fe7b1 |
| SHA1 | 150dd5ac6efd93b95d167897a2c870c5125df0ab |
| SHA256 | c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01 |
| SHA512 | f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be |
memory/2352-51-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-48-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-52-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-53-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-54-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-55-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2352-58-0x0000000000230000-0x0000000000236000-memory.dmp
memory/2460-67-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/2460-68-0x0000000000260000-0x00000000002CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\D607.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/2132-70-0x0000000000C70000-0x000000000151F000-memory.dmp
memory/2460-69-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/1636-75-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E564.exe
| MD5 | b467afaa58c8c394c60dd3a003da5aa5 |
| SHA1 | 25811c8408d7b9bc604605a1131e06f533ff1b10 |
| SHA256 | a188394902bfe0393b7869912c003cea33b3de114f5f7508ebca1c5ed262a13b |
| SHA512 | 6409ca5404793238cb5479cecc44f5f8696908a6dfae6a553ef7d41dfeb48eb23e881014151e3013561383d61690b4fe2b12fb7a607a67475253e3da18f95dcc |
C:\Users\Admin\AppData\Local\Temp\E564.exe
| MD5 | 943c6189a9578da1aacaeb312b20aca1 |
| SHA1 | 9d83cadf8e2ead38da5084342f069e79167abc7e |
| SHA256 | f5a26cae0d7eb46d7f40ed57efe86daf2eb9723c2ae483bfb44bd99b78c52318 |
| SHA512 | c7d4ee04ec2e80b18ee39420bfd23bd24fd4ab99db8007c8c50ff4eab9984fb1f3a8ebfc2c42bf79a82732bdc834905cf5ba3aa0e12fc20d419da53e02a765e2 |
\Users\Admin\AppData\Local\Temp\is-D4PLC.tmp\E564.tmp
| MD5 | 14db4253fd181e84e26eebc8f4150402 |
| SHA1 | 79e77f75b5b8b1386c1bb76324790caaa908ca8d |
| SHA256 | 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28 |
| SHA512 | 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e |
\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-BIQT5.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/2176-97-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2496-106-0x00000000022C0000-0x00000000023E9000-memory.dmp
memory/2496-107-0x00000000023F0000-0x00000000024FE000-memory.dmp
memory/2496-110-0x00000000023F0000-0x00000000024FE000-memory.dmp
memory/2496-108-0x00000000023F0000-0x00000000024FE000-memory.dmp
memory/2496-111-0x00000000023F0000-0x00000000024FE000-memory.dmp
memory/2352-112-0x0000000002930000-0x0000000002A59000-memory.dmp
memory/2352-114-0x0000000002A60000-0x0000000002B6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\43A.exe
| MD5 | cc02fd7fb9b7f2f2f202326167278716 |
| SHA1 | c323c60a845105132c9aae0597f1768b82321899 |
| SHA256 | 41232a0a507e7e0b680b3a353853dcd5818e4a80a89845d3d54facbaf9e5b0b2 |
| SHA512 | dd933fc269b2bfe7cdc6eca80b3ff3cfa8c5f65bca624e3ef8e5b0a5f9b5d09ee08100d2fa83f19d096b24f88ba226a005bb415d81b3290206fffe40ef8efca6 |
C:\Users\Admin\AppData\Local\Temp\43A.exe
| MD5 | ceae65ee17ff158877706edfe2171501 |
| SHA1 | b1f807080da9c25393c85f5d57105090f5629500 |
| SHA256 | 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49 |
| SHA512 | 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b |
memory/2352-122-0x0000000010000000-0x000000001020A000-memory.dmp
memory/1636-124-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2460-123-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/2260-125-0x00000000013B0000-0x0000000001C66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1C6C.exe
| MD5 | fbc2d00d3becdb29396535bc33ec9f1e |
| SHA1 | cffe38ebcdb49bc0bba1b38eadee4829c8c7d287 |
| SHA256 | adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516 |
| SHA512 | 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa |
memory/2260-133-0x0000000072FE0000-0x00000000736CE000-memory.dmp
memory/2176-136-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2780-137-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2780-138-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/2780-139-0x0000000001B10000-0x0000000001C10000-memory.dmp
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 8ad403ae8cf15c720dc1689b03c0b14e |
| SHA1 | 613000bf380626170aecd8c41a4f5f24e38c81d0 |
| SHA256 | fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f |
| SHA512 | 20ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | fd26cab6c96936e2099e81ca9b288e56 |
| SHA1 | f7b705cfc487f8bf805b8f9a57287eba9174cb1b |
| SHA256 | 469e51bf5af4cf24653e928e70bb568c663de74669f44bf79bf2289ba0ded64b |
| SHA512 | 6e269eab404858b4428c3a935cb70a854d5c3aeeb9cef23d6b7f86ff82ca7439c058af6165c595bb82a2449375725d9cf004af224f1055f16ff53224117691a1 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 34666eafe0fffb6a73e31c1e09ecac4f |
| SHA1 | ffd5c92070e4a8fab8f8095316d73ccd485f6294 |
| SHA256 | d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232 |
| SHA512 | 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966 |
memory/1280-149-0x0000000002670000-0x0000000002A68000-memory.dmp
memory/1288-150-0x0000000003E20000-0x0000000003E36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
memory/2780-151-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 062cf6182ab293727f24f0f5a3989e4e |
| SHA1 | 532b2e198ea35cc84b892eefbcb2c6b3ad0a8d0c |
| SHA256 | 74382527cd10b02f18582e81c376a854c586f16b77f4c09f93ce304dabfebff1 |
| SHA512 | 7b3e2efad8907e1d2d20ce428c3994ea661348a83e521684756ce95c79159cb4affe543fe56892cf4e7bb2068434eb6c43b029356a1632748ff5c9694aa34949 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 029a5147d2f0d080800b095d06298a55 |
| SHA1 | 6d53b0c00f128318d23de9db082989e30369baad |
| SHA256 | cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566 |
| SHA512 | b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 82ae17e8d2ea6295d5c56ae69c03329c |
| SHA1 | c8817bcd252819bb10c200f4dbaa1d8ce21d9d2e |
| SHA256 | 2643a468aca491db32f083c13d58fd5c8267efd3ccd22bcf4751ae9f0e0396ba |
| SHA512 | e75d47066cbca69f8ba8f4aa5b98f472f46af2f25acda24aa75f7ce50da4a79072cf11f7d31ab311fdd4d57cc96972c2db2731731e085af8807c81ac2bbcd602 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 8acd77d9746daed81c2d6301971bf946 |
| SHA1 | a956f80dbb0d9c4fb6c68336bab7dbc026bcc223 |
| SHA256 | aa30509be8ed34c69ef8abb399d5f8fb415420adcb6861f6b423e16ce0104343 |
| SHA512 | 8482544c7f2291d261b733314404bb22cf9f127f63a9f5806c2f77a1b6aed4856a34dab77b518e177fbe7f21d599b153c655067a96409d362ca8b7cf1d28d664 |
\Users\Admin\AppData\Local\Temp\nse37F3.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | a23d50d9a350614e308ecdad5b4a1625 |
| SHA1 | e7274bbffa89e784935f776c30095410510402dd |
| SHA256 | 76daf81875dae24ad6f12d582ad914e328c64dcabd72b73cc626aa4481672b55 |
| SHA512 | e0ebefc2792e6e4cf57e10e7ba9d5b46b77ae792a1aa2dbb26835eeef8d4b4129e071260ede0a9a9ab9aadca14b4a42d8c513aba17adb1f3ce9bbb8adce52475 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 39e3485dba00d4aa641a5007a0a5664a |
| SHA1 | 281ea5d054b2653f23514709f27b36e3a1695de7 |
| SHA256 | 41a4d7a4873b018e4cc9e17943d74e3288abd4863bc6aa38133dd9dab5151fdd |
| SHA512 | 9297fc7a875667854523095e277c408af30a9b4f1f26ff878d0ed2db88d2dddda273f743399e1db0e3876ef5b10928ca9156eec14e869fd1e68213b6570a8397 |
memory/1764-183-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/2260-189-0x0000000072FE0000-0x00000000736CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | bce1c01f905c27d62218ee3740ec3007 |
| SHA1 | 24594b533ec5ebcbbe71affece79823d885da6b8 |
| SHA256 | 99fdad0b6ae0b9efed09f7b8d0f12e1b620e0b91a9b928a943c1a07cbee74ccb |
| SHA512 | 3aad4a5676bd7f07746ea69cb2811006a9479728b27aee799008d56e72eb13fbc99329a9d10f7a9e1849788b883ea6a10334798f8d16936f9afd50b6f01a7596 |
C:\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | abdb0fc1589c9e4b85abd90c4aeaadd8 |
| SHA1 | c34042fc0a4ca9a0c85c2d97b3b38adcf3dcb1fb |
| SHA256 | 6354a8d08b1cfd002a89ee919f9561adae52d886aeb506d6ade6600b492b01d4 |
| SHA512 | 3d8351d6ba9945301c189dab8bda2218fd60db25a28a5bdf6e519b28b64d51bd9fbc83504e9da5d59b26deb34ea7c91b88a23e5fe93f8a8e076ed17b240162c8 |
memory/2352-191-0x0000000002A60000-0x0000000002B6E000-memory.dmp
memory/2352-193-0x0000000002A60000-0x0000000002B6E000-memory.dmp
memory/1280-196-0x0000000002670000-0x0000000002A68000-memory.dmp
memory/1280-197-0x0000000002A70000-0x000000000335B000-memory.dmp
memory/1280-200-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2352-202-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1380-201-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1380-205-0x0000000000EA0000-0x000000000194D000-memory.dmp
memory/1380-204-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1280-207-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1380-209-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1380-208-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2460-241-0x0000000002EF0000-0x0000000002FF0000-memory.dmp
memory/2460-242-0x0000000000260000-0x00000000002CB000-memory.dmp
memory/1380-245-0x00000000772E0000-0x00000000772E1000-memory.dmp
memory/1380-246-0x00000000001A0000-0x00000000001A1000-memory.dmp
\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | 8c07afa756bfdd5993894690ae17c2b9 |
| SHA1 | b612a123b274881ed6ae14c27cfdf292e5f44bcf |
| SHA256 | 38fbe61690cec7a87a91b1b9b70b37ad92b8bdd330af4d79c1a28afd091bdafc |
| SHA512 | da35cb2db78278b957b3792fa4fb3f02c87690d8547e98918baae5a02cd92c4392f906845048a0d5111c5100b5b90688768b39ddeee605c6985df437c400bcef |
\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | 17ac33687892ee22321d82bc84231087 |
| SHA1 | ed49b2452a29883fedf5e4fec183b20227e981b2 |
| SHA256 | 2da06e79a370ba7f16cca2c952fb8c776d22b9190a29d92d7f9ffa65b8aca213 |
| SHA512 | 6ad49c1d8a382f1528777d3ebe0d1faa5afb59c64c5592a418992d96a43f33cb2e3c70849edf260418bbbc47034a72203f25036fab86718dbc8c74dd9d16872e |
\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | 6669371ff96389b0ec050b86918a98ac |
| SHA1 | 28d2c7360e3f10fa6aff0b2b0bbd384371407cba |
| SHA256 | 88147009a4746cf66d54f5be049d7c36781f2a84c0fc21e9249424fc19ae4803 |
| SHA512 | d7c6ff78e7e215a67c87f78d1c143cfdfc6c8e0dc6a6339b74f0853c184535f1563fdebd1e58bd1fa1833f5c5a84853d40c79232d20e5a54139bf3c4592cce25 |
\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1380-252-0x00000000001B0000-0x00000000001B1000-memory.dmp
\Users\Admin\AppData\Local\Temp\4580.exe
| MD5 | 540e886ceda4024a5e88f092e8a319e9 |
| SHA1 | 93e348bc5866518b4ecc3ab851d17b7d767916fa |
| SHA256 | 71ba09da1c16fa522855a673dadf2ce9d85c532229317e3de2a62dad2ba39703 |
| SHA512 | 9d343574b59d39beaec2a484abf314d91fc805acaf3f9b33b099958a535751d290986532a7f86d7f18cdfbea3774104eb62ab7756f0dfb8f98684f9daa046184 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 76b128828f81877a5adfad5eb220a4fd |
| SHA1 | ea048c8f4c2e8c585ddf0e8f45597186b6bbaaa4 |
| SHA256 | 1ac611ae91a2b51544cd72ede52d8357b95ab618efc8a000acebf5803c2ed2b5 |
| SHA512 | 6a3b7f032aa40d119415adb87aa14ca9f6fc816fc84cb8f9f8e981420d33510129d9b5651d8af9cdc00c55cf94afdfdddd2246c3b505ac9c8276e1f725aa2746 |
\Users\Admin\AppData\Local\Temp\nst66EF.tmp
| MD5 | c7f4dfe314dd61bc9ff56fdffe58bc58 |
| SHA1 | 92149a4cc12b6e284f672897408ed7fe2c08cd39 |
| SHA256 | 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591 |
| SHA512 | 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44 |
memory/1172-279-0x00000000001B0000-0x00000000001D7000-memory.dmp
memory/1172-278-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/1172-280-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 37bd3380e2dc5ed47b453915f177ab15 |
| SHA1 | 3d10f3ebc6df0df7c17a559c6b199be8f33aed7b |
| SHA256 | f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62 |
| SHA512 | 6e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f |
memory/1280-291-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1968-293-0x0000000002640000-0x0000000002A38000-memory.dmp
memory/1968-294-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | d847dbfee9bfc8426168aad888ede9bd |
| SHA1 | f8b60258c711d19ea1d5413a3aee21262d8b8db7 |
| SHA256 | fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07 |
| SHA512 | 4c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1 |
\Windows\rss\csrss.exe
| MD5 | d3c015d761ac4697c31779ebd67685fe |
| SHA1 | 6eda243187265592a404feca52bf612ddc66e396 |
| SHA256 | 689272ab8ec16e67eb0c14f37e0928b21b3cf38e467216ed1240177d82e5d7ea |
| SHA512 | 680b8009fc1392d7269a58821b9a0f71bf93ae4b7a46f8f3c9900ab501a48fa7c882c214377d0b33b6310d6d92259dada20db8b3e6939446b013b2d668a7d7ab |
memory/1968-328-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | b0ca41b249e5621a4033dc3c024af9f0 |
| SHA1 | de5ffceae5a0aee20d080096792eac80d1866e1c |
| SHA256 | 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff |
| SHA512 | 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87 |
memory/1764-366-0x00000000003C0000-0x00000000003C1000-memory.dmp
memory/1548-367-0x0000000002790000-0x0000000002B88000-memory.dmp
memory/1548-368-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 8218955e1527e6b1c3f0450706a3f058 |
| SHA1 | 3d35e8471e5edfff1c837216b874361b944184f8 |
| SHA256 | d8851f3fc28b29f5e2eb99bb46322ea06ec9bd66859032b33c544eaa32339e0f |
| SHA512 | 22a5d40a395bb4e8ef7fedd2259d69d9332354296b424456c8f8f390fdacce0d0b21e2d6f4b32bd7d57f0246098dd6a9d81d1796ae924a926e0f3743838e8e5b |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 7e7459420aa37d4cba69726dcb00b6e0 |
| SHA1 | 74ef97ae662cc823483f23604cc07519e7ac6573 |
| SHA256 | 90155b1f79e2407b0276efb089a62635b579cbed473cfaa25ad6af6a9095d4a6 |
| SHA512 | c9fc66fd4f060549b46a4940fea16f00e048b66f6dd1ab7dfd5ebd7e3d7c1d475a4fc05f3cefdf1652b1361f0806af05a0c80182b3cccd3513d02e249e672ddd |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
memory/2956-398-0x0000000140000000-0x00000001405E8000-memory.dmp
\ProgramData\nss3.dll
| MD5 | 3e0c5d0dfe8abc71d8609b02dba39169 |
| SHA1 | 038e1207a7dd0c13f64204d9466fbafa8fbc08cb |
| SHA256 | 7fd2d86e40a224c67a783dfc6353ce20c559fe4cb6a899b2875c0ec8d97d0f41 |
| SHA512 | cb58530108a7fd9b0e4db1814c3e1cd775daa3251aa3f6cf4015f3cdcfba09768273b3fae6f64b0ee6719d8fd17122910d3821aa938b161a5954371ecc1c625b |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | a57e9359f059b26e297acff00e9a73b0 |
| SHA1 | 7c1e1e406acbcb68ff4cf86ce704a17fc7c5553b |
| SHA256 | 19c67eaeb25353a4b8355df153af99324945a14c2423fed2fe6e1591cfb257a8 |
| SHA512 | d9173c5303421f1a778ccf4b38544dff2f110771faad2ffccf88cbf4c523b1a56199353651e8d8b75a00a9f5c7f974c6d0019c1b510d83f1bfc8ad39b15ce6bb |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 8edab51831038d0f864172f0597a2d25 |
| SHA1 | 6f58f86f7a0915ec32d24d66d1c559a0e9802357 |
| SHA256 | b016ff01136266c532dd701b150acdc5007b633171b3604fd1d6f75395890c5b |
| SHA512 | 53f1d08f7bc2511fb230d26ca2829be6fda0a0d134f249a9f26a415c9ab6c48c3099efbae513cf614aff95acbc699bbc47e8070d31ab1d612adc878e64c043e6 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | a0031c1af251a107fdefd92248c0109f |
| SHA1 | 718c473f19a657338ad1fa16d430101bd3754e8b |
| SHA256 | d2442336068a7c1f01aef92380bb953fabbba9d5e7f77d5c66402408fe366d40 |
| SHA512 | 83e9e68c5baa0e6996731131edda17e682bf72305deb7be959b5b9a42a98d2f7048e86c6983ed7e9d7c8e2e5cbfe00aac106e6e5b073d3372bb6169ed4fac601 |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | b082c374b69c223e433a58e7c7f71d10 |
| SHA1 | 5ad4b0774a575b2843a1f58ea01b3e54bb4afff7 |
| SHA256 | e5a2bce4afce10d13fb63931b4dbf9ce53c80b9a6820af7058cf55243e9c5929 |
| SHA512 | c1cdfb6fd2c218328146c9f52aa5bd4bbb35237c73f307a9f021d05a045b61746406644c548244fc6ca2104e2bc35f1ab9d29449167c8245e1b618361abb8ec0 |
memory/1380-421-0x0000000000EA0000-0x000000000194D000-memory.dmp
memory/2956-427-0x0000000140000000-0x00000001405E8000-memory.dmp
memory/1136-431-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/1136-442-0x000000001B180000-0x000000001B462000-memory.dmp
memory/1136-444-0x00000000022A0000-0x00000000022A8000-memory.dmp
memory/1136-450-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
memory/1136-460-0x00000000026E0000-0x0000000002760000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC93A.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/1136-461-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/1136-463-0x00000000026E0000-0x0000000002760000-memory.dmp
memory/1136-462-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
memory/1136-471-0x000007FEF4980000-0x000007FEF531D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarD11A.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
memory/2976-501-0x0000000019C90000-0x0000000019F72000-memory.dmp
memory/2976-503-0x0000000000D60000-0x0000000000D68000-memory.dmp
memory/2976-515-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp
memory/2976-516-0x0000000001200000-0x0000000001280000-memory.dmp
memory/2976-517-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp
memory/2976-518-0x0000000001200000-0x0000000001280000-memory.dmp
memory/2976-519-0x0000000001200000-0x0000000001280000-memory.dmp
memory/2976-520-0x0000000001200000-0x0000000001280000-memory.dmp
memory/2976-522-0x000007FEF48E0000-0x000007FEF527D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | fd2727132edd0b59fa33733daa11d9ef |
| SHA1 | 63e36198d90c4c2b9b09dd6786b82aba5f03d29a |
| SHA256 | 3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e |
| SHA512 | 3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 05:37
Reported
2024-02-27 05:40
Platform
win10v2004-20240226-en
Max time kernel
76s
Max time network
155s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\40A3.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F128.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\F128.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\F3D9.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2176 set thread context of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\F128.exe | C:\Users\Admin\AppData\Local\Temp\F128.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5555.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5555.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\5555.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5555.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe
"C:\Users\Admin\AppData\Local\Temp\c79f0b410c62adbad0d697c85f0f6cf786c61e1a1244090650440d8a09b90bbd.exe"
C:\Users\Admin\AppData\Local\Temp\DDFC.exe
C:\Users\Admin\AppData\Local\Temp\DDFC.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E9A5.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E9A5.dll
C:\Users\Admin\AppData\Local\Temp\F128.exe
C:\Users\Admin\AppData\Local\Temp\F128.exe
C:\Users\Admin\AppData\Local\Temp\F128.exe
C:\Users\Admin\AppData\Local\Temp\F128.exe
C:\Users\Admin\AppData\Local\Temp\F3D9.exe
C:\Users\Admin\AppData\Local\Temp\F3D9.exe
C:\Users\Admin\AppData\Local\Temp\FB7B.exe
C:\Users\Admin\AppData\Local\Temp\FB7B.exe
C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp" /SL5="$601EA,2349102,54272,C:\Users\Admin\AppData\Local\Temp\FB7B.exe"
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s
C:\Users\Admin\AppData\Local\Temp\40A3.exe
C:\Users\Admin\AppData\Local\Temp\40A3.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\5555.exe
C:\Users\Admin\AppData\Local\Temp\5555.exe
C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\7820.exe
C:\Users\Admin\AppData\Local\Temp\7820.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1852 -ip 1852
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 2444
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Roaming\vdgddsd
C:\Users\Admin\AppData\Roaming\vdgddsd
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 198.58.107.53:9001 | | tcp |
| US | 8.8.8.8:53 | 53.107.58.198.in-addr.arpa | udp |
| CA | 142.44.227.24:9001 | | tcp |
| FI | 95.216.33.30:443 | | tcp |
| US | 8.8.8.8:53 | 30.33.216.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.227.44.142.in-addr.arpa | udp |
| N/A | 127.0.0.1:49453 | | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| MX | 189.232.56.10:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 10.56.232.189.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| FI | 95.216.33.30:443 | | tcp |
| CA | 142.44.227.24:9001 | | tcp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| NL | 77.162.229.73:443 | | tcp |
| US | 8.8.8.8:53 | 73.229.162.77.in-addr.arpa | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| N/A | 127.0.0.1:23862 | | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.gmbol.cez | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.es | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | ftp.gmbol.cez | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | mail.gmbol.cez | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | mail.hejmbol.es | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.es | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | ssh.gmbol.cez | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | ftp.mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | ftp.gmbol.cez | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | gmbol.ce | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | ssh.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | mail.gmbol.cez | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mail.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | ftp.cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | ftp.vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gmbol.ce | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.es | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.es | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.es | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | ftp.bferreefege.cem.br | udp |
| US | 8.8.8.8:53 | ssh.gmbol.cez | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | mail.gmbol.cez | udp |
| US | 8.8.8.8:53 | gmbol.ce | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | ssh.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mail.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ftp.mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | gmbol.cez | udp |
| US | 8.8.8.8:53 | cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | ftp.gmbol.cez | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | ssh.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | ftp.cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | mail.vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | gmbol.ce | udp |
| US | 8.8.8.8:53 | ftp.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | cbzbverde.cem.br | udp |
| US | 8.8.8.8:53 | ftp.cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | bgezcobwe.cem | udp |
| US | 8.8.8.8:53 | mail.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mail.gmbol.cez | udp |
| US | 8.8.8.8:53 | sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | ssh.vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | mail.mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | gmbol.cemj | udp |
| US | 8.8.8.8:53 | sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | mojrbvelkoj.cem | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | ftp.bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | ftp.vlcezsjrujerb.cem.br | udp |
| US | 8.8.8.8:53 | cuz.edu.ce | udp |
| US | 8.8.8.8:53 | bluze.uzobsselvo.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | mail.cerreeuzovblle.edu.ce | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.es | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.hudsezosd.erg | udp |
| US | 8.8.8.8:53 | mbplruz.erg | udp |
| US | 8.8.8.8:53 | ssh.sjrebmozg.bbdbgezcob.cem | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | mail.hejmbol.es | udp |
| US | 8.8.8.8:53 | ssh.mosezb.edu.ce | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.es | udp |
Files
memory/464-1-0x0000000002640000-0x0000000002740000-memory.dmp
memory/464-2-0x0000000000400000-0x00000000022D1000-memory.dmp
memory/464-3-0x0000000002430000-0x000000000243B000-memory.dmp
memory/3448-4-0x0000000000D00000-0x0000000000D16000-memory.dmp
memory/464-5-0x0000000000400000-0x00000000022D1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DDFC.exe
| MD5 | 0904e849f8483792ef67991619ece915 |
| SHA1 | 58d04535efa58effb3c5ed53a2462aa96d676b79 |
| SHA256 | fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef |
| SHA512 | 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5 |
memory/1152-16-0x0000000001220000-0x0000000001221000-memory.dmp
memory/1152-17-0x0000000000410000-0x0000000000CBF000-memory.dmp
memory/1152-18-0x0000000000410000-0x0000000000CBF000-memory.dmp
memory/1152-20-0x0000000001230000-0x0000000001231000-memory.dmp
memory/1152-21-0x0000000001230000-0x0000000001262000-memory.dmp
memory/1152-22-0x0000000001230000-0x0000000001262000-memory.dmp
memory/1152-24-0x0000000001230000-0x0000000001262000-memory.dmp
memory/1152-23-0x0000000001230000-0x0000000001262000-memory.dmp
memory/1152-25-0x0000000001230000-0x0000000001262000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A5.dll
| MD5 | 7aecbe510817ee9636a5bcbff0ee5fdd |
| SHA1 | 6a3f27f7789ccf1b19c948774d84c865a9ac6825 |
| SHA256 | b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac |
| SHA512 | a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae |
memory/2136-29-0x0000000001080000-0x0000000001086000-memory.dmp
memory/2136-30-0x0000000010000000-0x000000001020A000-memory.dmp
memory/1152-32-0x0000000000410000-0x0000000000CBF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F128.exe
| MD5 | 34c292f7112a9db3194e6c78ab2fe7b1 |
| SHA1 | 150dd5ac6efd93b95d167897a2c870c5125df0ab |
| SHA256 | c029d47b22cb4a9cc49bbc1bde9983bf675f6a981fce1e5fb7f62a9bc54c8f01 |
| SHA512 | f44ed24daaf28441776952fe821d2de7b1a0f6b2800a3d75eabbf15a37e85c35b8d788fd86ae674468a2f16c6c49b33610b2ad988a2cea62b9a3d2d6790ea6be |
C:\Users\Admin\AppData\Local\Temp\F128.exe
| MD5 | 358f99ebd079aa6e78769e5cff5d3e46 |
| SHA1 | 3d39c422633fc9cc7a01eac78b08333be32b5477 |
| SHA256 | 322043f6f8a01961ffccffc1b9291eb449b3a75c640842512d77e51438b76b1f |
| SHA512 | 244fecf5442dab6087ecd052df275f5cb0b02a8fddaef8cc8d83f669cdc8b75e04d898d2ad51b9216f9d60b1a130ba87f3cd8d1d8474c209597dfa24a1b1a4f1 |
memory/2176-38-0x00000000038B0000-0x0000000003A6F000-memory.dmp
memory/2176-39-0x0000000003A70000-0x0000000003C27000-memory.dmp
memory/4308-43-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F128.exe
| MD5 | 987421f9217166a36da6186bb4f6af33 |
| SHA1 | 28c4673b54e9df462b2e884c841ac83287d577d5 |
| SHA256 | de4f8f970a60c8087aabe2b2ef3092221965d22ba5ae424c9502143bdb66979f |
| SHA512 | 15abd8ab39176db089e054205e36297421fb0a4f999cbcca2c6b16993a0b2b9adbc10b11e9210b9611c2991e672c77ed1cf3eac1330bd8ceda094f407121e665 |
memory/4308-45-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F3D9.exe
| MD5 | e6dd149f484e5dd78f545b026f4a1691 |
| SHA1 | 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6 |
| SHA256 | 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7 |
| SHA512 | 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b |
memory/4308-50-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4072-51-0x0000000002FF0000-0x00000000030F0000-memory.dmp
memory/4072-53-0x0000000002F30000-0x0000000002F9B000-memory.dmp
memory/4308-54-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4308-40-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4072-52-0x0000000000400000-0x0000000002D8C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E9A5.dll
| MD5 | c63893c98236d8df8e0dd6363b504ebe |
| SHA1 | 876082f00af9318877dbd19ad499b268e144ddc2 |
| SHA256 | 41c42d40dd28ef8db44ed6a04d058e6082016bba29cda362c38f98d4eebd9b17 |
| SHA512 | 078badac8f6f81f91f44c617f50648a5678aff3797f84c75f16c57af3ed34f55871d6ff0938c3ac56300e7405929dc80d4dbfa6e8ad45449d1d0b920832bc4de |
memory/4308-55-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4308-61-0x0000000000910000-0x0000000000916000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FB7B.exe
| MD5 | 77a5e9efa3995c196674c746fb575cc1 |
| SHA1 | db4b08a0f7299f69c053bc06685e2c66c639ad4b |
| SHA256 | 00bcc13982d971952278aca7196e3b527e4364c949f9b318d8d037c657b66cb8 |
| SHA512 | 6b163d2506f603e8f6ea3a3781087a54ebb69a48ad9ed071291a0776287208cff8adbd9ad0f8f05c02b8ef80ff79a73f12e58ae4c6b2068f0076bc3f63d9c0e0 |
C:\Users\Admin\AppData\Local\Temp\FB7B.exe
| MD5 | 06a12cfd82d77ade49961ab5d7f38d74 |
| SHA1 | 25cba6cc18b436fc6d66f9f034594a09c1d59060 |
| SHA256 | 417b78b02783b07671924839526cc29ab5bac23dbae4a574204cd5e7ad2cb6aa |
| SHA512 | dfa2e2075324f42f8a4497115e8542a031da5a5381088c9ece9fd5a9fcdecbe97b0084482afc3fd65ae84ef9fd7e89ca0fe7376436cf3069663ec27a17c91dad |
memory/1208-65-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-DEEDM.tmp\FB7B.tmp
| MD5 | 1756d6fc7bf4213c8f0a521cd42d0ac6 |
| SHA1 | 871962e45061751468d940000ee536794c269532 |
| SHA256 | c4b71ffb200f4b41f95b23aa3a2b90e6f87e5cd7ca4a9234e33ed441dcde7594 |
| SHA512 | 694a8b76ffd5a1b78d63b628680e8997dbc0f06c4524804cd9da4e4d015c586c5a9145190a6dc44464592ac717df83ccce53401d68cd48703f932c6340e192ad |
C:\Users\Admin\AppData\Local\Temp\is-EG3M3.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-EG3M3.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/4724-72-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | bd0af730b5aa6bb4ed361cdf57ca5e02 |
| SHA1 | 4e2aad9d062125117ec45b264efb922f4aa7c767 |
| SHA256 | 1d025c2042b4aea56ae53595c8ef990cc5878d276139f38129d2f9019dba8337 |
| SHA512 | 01b38ffc3f5145b89756398b8469764e19ccec64f887324f4ea9ff93f76060cf378e430b57974d7751f65405a31650e848f88ed098789f6b578cde0d8ba51d0e |
memory/3272-117-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/3272-116-0x0000000000400000-0x00000000006E8000-memory.dmp
C:\ProgramData\WBICreatorService 6.5\WBICreatorService 6.5.exe
| MD5 | fc9adc3be6d2f7b25cca4796edd030b6 |
| SHA1 | f3fcf562fc81b282f9c57eba3d8a0bbb78eb4a42 |
| SHA256 | 880d80e81efe9cc4486e5ca44be1ffc1dfda08b15811700c482c47aa83e1887f |
| SHA512 | c20f4949b1a0227d694ed632fb7e339e407e1a2ccb78919c154d04ed35ea6630d897ec8966d5653f942612a452c87eb23eb15f23cac4b817b76b2a25e4ce71bd |
memory/3272-121-0x0000000000400000-0x00000000006E8000-memory.dmp
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | 5c5f370c61a6a5983503033353777995 |
| SHA1 | 13d63a5c9c5130883d03352e2d50048299a737ce |
| SHA256 | 57d2fbd1da84559a9dedd903b9dfacbc3e7807df7855703055b807e71aae64ce |
| SHA512 | 713163044c3c6419da016f70c493cd450993eddeb92134457b4eb4f3aa23c1652ae574a238f5bb8e5041a7e2993d111313a29ea4537ce6bd01225d1142e5b683 |
C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
| MD5 | 3fa073ec19cd4f54f6bae08997c4eb42 |
| SHA1 | e85d64a440bb0b3d7aee8453377be3a72e8a37d4 |
| SHA256 | 7ea83bdcfaef69652a88b9968b72b1136f69464861a1d4249a61f91d511a021c |
| SHA512 | 64e47d8e39a32df79f4dd1d04c5be642ce94afc28a4240bd20a33783125ca3a12f430754ea7b70de15b9ad3b4817479ce26a5207f687b5c6eda6feb219929a56 |
memory/5092-123-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/5092-125-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/2136-126-0x0000000002E30000-0x0000000002F59000-memory.dmp
memory/2136-127-0x0000000002F60000-0x000000000306E000-memory.dmp
memory/2136-128-0x0000000002F60000-0x000000000306E000-memory.dmp
memory/2136-130-0x0000000002F60000-0x000000000306E000-memory.dmp
memory/4308-131-0x0000000002D80000-0x0000000002EA9000-memory.dmp
memory/2136-132-0x0000000002F60000-0x000000000306E000-memory.dmp
memory/4308-134-0x0000000002EB0000-0x0000000002FBE000-memory.dmp
memory/4308-136-0x0000000002EB0000-0x0000000002FBE000-memory.dmp
memory/4308-137-0x0000000002EB0000-0x0000000002FBE000-memory.dmp
memory/4308-142-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4072-143-0x0000000000400000-0x0000000002D8C000-memory.dmp
memory/1208-144-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4724-145-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | b0ca41b249e5621a4033dc3c024af9f0 |
| SHA1 | de5ffceae5a0aee20d080096792eac80d1866e1c |
| SHA256 | 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff |
| SHA512 | 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87 |
memory/5092-155-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/4308-156-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\40A3.exe
| MD5 | 6e823d0939a45b0898acd98d9199e2ac |
| SHA1 | d5cefac791796cacd8a5e584c33260fb13f6ce21 |
| SHA256 | 10337b67728d93fa4b79e6dcf029a1ee1a4680c098c87e8fe1425e5788d1b1b0 |
| SHA512 | 0b5e0943f40680ceb41825a60ddaf4ae60c4099d13593b09cd16abed87c88f2daafd90fe8443643f3cf0e2422bf702679207d86b2a8eec8ba9edade5cffcf676 |
memory/4308-162-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\40A3.exe
| MD5 | 0866b1a679c5089c802afca72bb3a57f |
| SHA1 | 2a2810c95ebebfb258947574c3eb1089a606a118 |
| SHA256 | 50a8268fd89cba268a210c6f96ac6f342dbcd7b988ab6498c2df9e608097b02a |
| SHA512 | ed3c22ace7add1e7d374b44a49c28969cb49c83459652955415d5d3eac26d43d63bf8720cb86536f29a3f9e44f7f3b352d4376112e6484ff3cf262e6ec057a66 |
memory/3956-166-0x0000000000250000-0x0000000000B06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 02a68215f77ef263c158f621d09beff4 |
| SHA1 | ddc8ed5f58de8c18abd15f1bd987e31ff65b7f50 |
| SHA256 | f5e8c81a5359189a8ba8d7a38f994b73b2d56d5d62269cfa29ef9144ef51771f |
| SHA512 | e6e7b478443c89cb5e9235a14ca159a1068d48df0f08df2f207df4390d2a2727c096b3905c95d9a35d478c0441e857d99b0d0983aed484a8eafe317843408b40 |
memory/3956-168-0x0000000073090000-0x0000000073840000-memory.dmp
memory/4072-170-0x0000000002FF0000-0x00000000030F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | a112d52e38281dd98a9257d14cd61869 |
| SHA1 | 8897dfcb3b7d8e8dc4afae85b8467596237f2479 |
| SHA256 | b7e63792be942d46cc141691d71308fcde132cd63a788922f63dee30065313d8 |
| SHA512 | cf1e2141036e7ed3f1407712a80a61dcd77ae0ae55e87057b8dded3aa51724d0944d5f5f165583fc6c59a6c8f14a62ec514b12893ed8cbf7c8d782c055b39ca8 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | b8bbbebf6a96db29f8a6c2c3e2726b72 |
| SHA1 | 074958a02f3c65261dfe5d4c349b7af4849ee707 |
| SHA256 | 25acbb3a7b3a4932482dee31862427ff7d8bb58035d5864a6ea8e6e4c653ae39 |
| SHA512 | 1f63650dc10cb4c074387e8df352c17b58a05305b363bc4042949872aa4eb9221e831a5ef17e73fe8c24cab2715361e0629e775f7b5c790598a7ee5b075c5f74 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 7ce260e2a94335863c529cd646dfd240 |
| SHA1 | 30be5706d4307cb9c494f5bb4c6ef5f6dbc1184d |
| SHA256 | 977fe08d953af92974b34964f1015b77634e782ccfafbf778374b65e49cdcd60 |
| SHA512 | adbd00a1d88012136333e60272ce1256a21f74fe97299fd4a7c153d00422201c7387ee9b0cd6939b5d83e2c73cdcfee23905ee3cd5322da98e318f822db93375 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | c3f0460a60fb14edf70f84e635349d81 |
| SHA1 | 6cdeee2227100b06b43d27a5f9df9769fcb29adb |
| SHA256 | d0db9fd6f1adbdc15620d6ea5daeda8cca07e59b94fc5ed83eadc11ce8bb227e |
| SHA512 | a09f2e2946c0c2132703347ffb3d88e802ab7080827743686ef662efaacbeb58036f2f34fbe081b434fc72d980678eaef81e9d9e8ee5c40e9cc55b261966782b |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | cf71d723e6a3a2abdb69313657a0862f |
| SHA1 | 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c |
| SHA256 | ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125 |
| SHA512 | b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e |
C:\Users\Admin\AppData\Local\Temp\5555.exe
| MD5 | fbc2d00d3becdb29396535bc33ec9f1e |
| SHA1 | cffe38ebcdb49bc0bba1b38eadee4829c8c7d287 |
| SHA256 | adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516 |
| SHA512 | 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa |
memory/3956-209-0x0000000073090000-0x0000000073840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 493aaadcde8cc6b5c52ac667397b90f7 |
| SHA1 | 2e00ab93263174991fdf98db28f513a50e43ea0c |
| SHA256 | 67b68339c2c694cf43321c5f039a5a23fbfa015fe5ef221d5e4260f1bc0e4d7c |
| SHA512 | f9289fc0734b29060d8fe3b5c0060c79cf9831d56642f09810231d01363a9e4c82522385ec6078cd7b4fda30f436e7acb50636add20c4385b83142727c832716 |
memory/5092-218-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/2908-219-0x0000000001C20000-0x0000000001D20000-memory.dmp
memory/2908-220-0x0000000001B90000-0x0000000001B9B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsc56C7.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2908-221-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | d36d5fcf6f7e6c67304fed7123a7f816 |
| SHA1 | e8fd7e15c0e589532c8c2f908f68db1c39b326c5 |
| SHA256 | 1a50d506c0ff940abf59a98a627d7be435a0cdd2f5beb9271a3c5a362ed76657 |
| SHA512 | 39927f760d26def097777f2db9f4267ea226f5c36ad96073572be241293975ccaade37b7d491b4894b748fcc2827a5e1152dfb7bef33eec9bc6b992ae00a02fa |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | f26249769d27c4988588974f0afc5ad0 |
| SHA1 | e8b18cd33637ba0baebb2e1e0140103debcc264a |
| SHA256 | 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363 |
| SHA512 | 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 0e1985f3d4f4c70a8750ff5cf4114471 |
| SHA1 | 17aface74c6982fc5547a5aad3b5b2fa4655088a |
| SHA256 | 3658d1f63f8a33bf32f2aae9461d6371fa009e0ccc2339c960dced55ff354edd |
| SHA512 | 1b9b545cd2668ba6aa2ce6a9910d4d6fa6b1aa0e4b21e433510790aa37c48e0bacc3d8e67aa42103c5d2632136c529a9a784e2510c9d9870bc75bb40c897b1b5 |
memory/2844-222-0x00000000025A0000-0x00000000025A1000-memory.dmp
memory/4724-233-0x0000000000610000-0x0000000000611000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsk5D50.tmp
| MD5 | c7f4dfe314dd61bc9ff56fdffe58bc58 |
| SHA1 | 92149a4cc12b6e284f672897408ed7fe2c08cd39 |
| SHA256 | 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591 |
| SHA512 | 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44 |
memory/1852-235-0x0000000001CA0000-0x0000000001CC7000-memory.dmp
memory/1852-234-0x0000000001D60000-0x0000000001E60000-memory.dmp
memory/1852-236-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/4308-245-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1160-247-0x0000000002870000-0x0000000002C74000-memory.dmp
memory/3448-250-0x0000000000D60000-0x0000000000D76000-memory.dmp
memory/1160-255-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/2908-254-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/1160-256-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/1852-258-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7820.exe
| MD5 | b0bea351be866ef906b3833c4895098b |
| SHA1 | c45fdd52e15ed7fe23b403256bf6a5c2fe5544f1 |
| SHA256 | 87ca94756569c50ea27472db9ac4e7744c9b073977e2ef24d7cb9018beb19dc1 |
| SHA512 | 27700675f77ade6f32dc805faa350885414429ff14e7d5df936c0a6f352241c96edef976c68bdb4bb15e1be11a3cda91e68daf07539a2e20f6863a90092c0aea |
C:\Users\Admin\AppData\Local\Temp\7820.exe
| MD5 | e05338227a83124f557ed756094a6ff4 |
| SHA1 | e759c022e482be13c8650b20832eebfb7f97f850 |
| SHA256 | c38e43aa8cd2dc76fda3afbd06a7762beb58ad9e971a09a299a82ab670486fe6 |
| SHA512 | 95d9f77fae36ba27c6dda9c27f72c16e882278d5b732528223cd41386a11d538a96d20ec8bb309821f2f3f947259c242d78b91ab7c42332b79d0657dff94ae7c |
memory/5092-312-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/4360-315-0x0000000000120000-0x0000000000BCD000-memory.dmp
memory/4360-316-0x00000000011B0000-0x00000000011B1000-memory.dmp
memory/5092-318-0x0000000000400000-0x00000000006E8000-memory.dmp
memory/4360-322-0x00000000011C0000-0x00000000011F2000-memory.dmp
memory/4360-323-0x00000000011C0000-0x00000000011F2000-memory.dmp
memory/4360-324-0x00000000011C0000-0x00000000011F2000-memory.dmp
memory/4360-326-0x00000000011C0000-0x00000000011F2000-memory.dmp
memory/4360-325-0x00000000011C0000-0x00000000011F2000-memory.dmp
memory/3420-337-0x0000000004780000-0x00000000047B6000-memory.dmp
memory/3420-341-0x0000000004F00000-0x0000000005528000-memory.dmp
memory/3420-342-0x0000000072890000-0x0000000073040000-memory.dmp
memory/3420-343-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/3420-345-0x00000000048C0000-0x00000000048D0000-memory.dmp
memory/3420-346-0x0000000004CA0000-0x0000000004CC2000-memory.dmp
memory/3420-347-0x00000000056A0000-0x0000000005706000-memory.dmp
memory/3420-351-0x0000000005710000-0x0000000005776000-memory.dmp
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_320upk4x.qsu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/3420-366-0x0000000005960000-0x0000000005CB4000-memory.dmp
memory/4360-372-0x0000000000120000-0x0000000000BCD000-memory.dmp
memory/3420-374-0x0000000005D80000-0x0000000005D9E000-memory.dmp
memory/3420-375-0x0000000005DC0000-0x0000000005E0C000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/3420-391-0x00000000062D0000-0x0000000006314000-memory.dmp
memory/3420-396-0x00000000048C0000-0x00000000048D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\vdgddsd
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |