Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-ge7vnshf78
Target eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe
SHA256 eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b
Tags
smokeloader backdoor bootkit persistence trojan upx dcrat glupteba lumma socks5systemz pub1 botnet discovery dropper evasion infostealer loader rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b

Threat Level: Known bad

The file eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

Glupteba

SmokeLoader

Socks5Systemz

Detect Socks5Systemz Payload

Lumma Stealer

DcRat

Detects Windows executables referencing non-Windows User-Agents

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects binaries embedding a considerable number of MFA browser extension IDs.

Detects executables packed with VMProtect.

UPX dump on OEP (original entry point)

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables containing URLs to the raw contents of a GitHub gist

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing a Discord URL observed in first-stage droppers

Detects executables containing artifacts associated with disabling Windows Defender

Stops running service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Creates new service(s)

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

UPX packed file

Deletes itself

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: MapViewOfSection

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Checks processor information in registry

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 05:44

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 05:44

Reported

2024-02-27 05:46

Platform

win7-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\A853.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2396 set thread context of 500 N/A C:\Users\Admin\AppData\Local\Temp\9697.exe C:\Users\Admin\AppData\Local\Temp\9697.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\89F7.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-787OR.tmp\E036.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1176 wrote to memory of 2544 N/A N/A C:\Users\Admin\AppData\Local\Temp\89F7.exe
PID 1176 wrote to memory of 2512 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2512 wrote to memory of 2412 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2544 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\89F7.exe C:\Windows\SysWOW64\WerFault.exe
PID 1176 wrote to memory of 2396 N/A N/A C:\Users\Admin\AppData\Local\Temp\9697.exe
PID 2396 wrote to memory of 500 N/A C:\Users\Admin\AppData\Local\Temp\9697.exe C:\Users\Admin\AppData\Local\Temp\9697.exe
PID 1176 wrote to memory of 2724 N/A N/A C:\Users\Admin\AppData\Local\Temp\A853.exe
PID 1176 wrote to memory of 348 N/A N/A C:\Users\Admin\AppData\Local\Temp\E036.exe
PID 348 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\E036.exe C:\Users\Admin\AppData\Local\Temp\is-787OR.tmp\E036.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe

"C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"

C:\Users\Admin\AppData\Local\Temp\89F7.exe

C:\Users\Admin\AppData\Local\Temp\89F7.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\8F65.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2544 -s 124

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\8F65.dll

C:\Users\Admin\AppData\Local\Temp\9697.exe

C:\Users\Admin\AppData\Local\Temp\9697.exe

C:\Users\Admin\AppData\Local\Temp\9697.exe

C:\Users\Admin\AppData\Local\Temp\9697.exe

C:\Users\Admin\AppData\Local\Temp\A853.exe

C:\Users\Admin\AppData\Local\Temp\A853.exe

C:\Users\Admin\AppData\Local\Temp\E036.exe

C:\Users\Admin\AppData\Local\Temp\E036.exe

C:\Users\Admin\AppData\Local\Temp\is-787OR.tmp\E036.tmp

"C:\Users\Admin\AppData\Local\Temp\is-787OR.tmp\E036.tmp" /SL5="$201E4,2349102,54272,C:\Users\Admin\AppData\Local\Temp\E036.exe"

C:\Users\Admin\AppData\Local\Temp\3E3D.exe

C:\Users\Admin\AppData\Local\Temp\3E3D.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\52F7.exe

C:\Users\Admin\AppData\Local\Temp\52F7.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227054639.log C:\Windows\Logs\CBS\CbsPersist_20240227054639.cab

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 172.67.171.112:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 trmpc.com udp
PA 200.46.202.73:80 trmpc.com tcp
IT 2.233.91.176:19001 tcp
NL 185.227.82.7:443 tcp
DE 165.227.174.150:9001 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 05:44

Reported

2024-02-27 05:46

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Socks5Systemz Payload

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Socks5Systemz

botnet socks5systemz

Detects binaries embedding a considerable number of MFA browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Description Indicator Process Target
N/A N/A N/A N/A

Detects Windows executables referencing non-Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing a Discord URL observed in first-stage droppers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing URLs to the raw contents of a GitHub gist

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables containing artifacts associated with disabling Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables packed with VMProtect.

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many varying, potentially fake Windows User-Agents

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E17C.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\A867.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\AB56.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3652 set thread context of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 2628 set thread context of 1020 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe
PID 2628 set thread context of 4956 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\19E2.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\19E2.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\19E2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1471 = "Magadan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-771 = "Montevideo Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-142 = "Canada Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3428 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B75.exe
PID 3428 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B75.exe
PID 3428 wrote to memory of 456 N/A N/A C:\Users\Admin\AppData\Local\Temp\9B75.exe
PID 3428 wrote to memory of 3280 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3428 wrote to memory of 3280 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3280 wrote to memory of 2888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3280 wrote to memory of 2888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3280 wrote to memory of 2888 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3428 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3428 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3428 wrote to memory of 3652 N/A N/A C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3652 wrote to memory of 516 N/A C:\Users\Admin\AppData\Local\Temp\A867.exe C:\Users\Admin\AppData\Local\Temp\A867.exe
PID 3428 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB56.exe
PID 3428 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB56.exe
PID 3428 wrote to memory of 4960 N/A N/A C:\Users\Admin\AppData\Local\Temp\AB56.exe
PID 3428 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\B104.exe
PID 3428 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\B104.exe
PID 3428 wrote to memory of 3700 N/A N/A C:\Users\Admin\AppData\Local\Temp\B104.exe
PID 3700 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\B104.exe C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp
PID 3700 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\B104.exe C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp
PID 3700 wrote to memory of 4596 N/A C:\Users\Admin\AppData\Local\Temp\B104.exe C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp
PID 4596 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4596 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4596 wrote to memory of 3444 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4596 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4596 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 4596 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe
PID 3428 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe
PID 3428 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe
PID 3428 wrote to memory of 1684 N/A N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe
PID 1684 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1684 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1684 wrote to memory of 4416 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1684 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 1684 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1684 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\E17C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4516 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4516 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4516 wrote to memory of 2504 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2504 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4516 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp
PID 4516 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp
PID 4516 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp
PID 2628 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2628 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2628 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3428 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\19E2.exe
PID 3428 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\19E2.exe
PID 3428 wrote to memory of 1808 N/A N/A C:\Users\Admin\AppData\Local\Temp\19E2.exe
PID 2628 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 2628 wrote to memory of 2012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3428 wrote to memory of 632 N/A N/A C:\Users\Admin\AppData\Local\Temp\475C.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe

"C:\Users\Admin\AppData\Local\Temp\eda7932e202bcce9f10d91e5d282bd4114c168f9eaf136cddadb4565bca9dc1b.exe"

C:\Users\Admin\AppData\Local\Temp\9B75.exe

C:\Users\Admin\AppData\Local\Temp\9B75.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A28A.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\A28A.dll

C:\Users\Admin\AppData\Local\Temp\A867.exe

C:\Users\Admin\AppData\Local\Temp\A867.exe

C:\Users\Admin\AppData\Local\Temp\A867.exe

C:\Users\Admin\AppData\Local\Temp\A867.exe

C:\Users\Admin\AppData\Local\Temp\AB56.exe

C:\Users\Admin\AppData\Local\Temp\AB56.exe

C:\Users\Admin\AppData\Local\Temp\B104.exe

C:\Users\Admin\AppData\Local\Temp\B104.exe

C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp

"C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp" /SL5="$90162,2349102,54272,C:\Users\Admin\AppData\Local\Temp\B104.exe"

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -i

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

"C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe" -s

C:\Users\Admin\AppData\Local\Temp\E17C.exe

C:\Users\Admin\AppData\Local\Temp\E17C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp

C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\19E2.exe

C:\Users\Admin\AppData\Local\Temp\19E2.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\475C.exe

C:\Users\Admin\AppData\Local\Temp\475C.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4428 -ip 4428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 2044

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 253.76.21.104.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
PA 200.46.202.73:80 trmpc.com tcp
US 8.8.8.8:53 73.202.46.200.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 172.67.195.126:443 detectordiscusser.shop tcp
IE 52.111.236.21:443 tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 104.21.76.253:443 turkeyunlikelyofw.shop tcp
US 104.21.10.242:443 associationokeo.shop tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
NL 51.15.89.13:14433 xmr-eu2.nanopool.org tcp
US 199.249.230.115:443 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 13.89.15.51.in-addr.arpa udp
DE 185.220.101.143:10143 tcp
US 8.8.8.8:53 143.68.20.104.in-addr.arpa udp
US 8.8.8.8:53 143.101.220.185.in-addr.arpa udp
DE 194.55.13.50:9001 tcp
FI 65.21.94.13:443 tcp
DE 212.227.165.251:443 tcp
US 8.8.8.8:53 50.13.55.194.in-addr.arpa udp
US 8.8.8.8:53 251.165.227.212.in-addr.arpa udp
US 8.8.8.8:53 13.94.21.65.in-addr.arpa udp
US 8.8.8.8:53 kamsmad.com udp
KR 123.140.161.243:80 kamsmad.com tcp
US 8.8.8.8:53 243.161.140.123.in-addr.arpa udp
DE 212.227.165.251:443 tcp
KR 123.140.161.243:80 kamsmad.com tcp
FI 65.21.94.13:443 tcp
N/A 127.0.0.1:59255 tcp

Files

memory/1412-1-0x0000000002440000-0x0000000002540000-memory.dmp

memory/1412-2-0x0000000003EE0000-0x0000000003EEB000-memory.dmp

memory/1412-3-0x0000000000400000-0x00000000022D1000-memory.dmp

memory/3428-4-0x0000000002750000-0x0000000002766000-memory.dmp

memory/1412-5-0x0000000000400000-0x00000000022D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9B75.exe

MD5 0904e849f8483792ef67991619ece915
SHA1 58d04535efa58effb3c5ed53a2462aa96d676b79
SHA256 fca631b3198194fcc0c619b5690dbde2e9f38afb1b978bab8ea3f92b572ce1ef
SHA512 258fc59050aa455ad56167dd1bbe5e098eefc0f3e950c90d89bac2aa74abb5cfa1710d866c0e28e58dcb2f914736470a4dd9838dd6412b633aee87d71b867cf5

memory/456-16-0x0000000000B10000-0x00000000013BF000-memory.dmp

memory/456-15-0x0000000001940000-0x0000000001941000-memory.dmp

memory/456-17-0x0000000000B10000-0x00000000013BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A28A.dll

MD5 7aecbe510817ee9636a5bcbff0ee5fdd
SHA1 6a3f27f7789ccf1b19c948774d84c865a9ac6825
SHA256 b4ee4aa0b664fe673986399de8105c600330339971bd8583177fa38dddd13aac
SHA512 a681efb97745aed5f73d197730049ff80798d133245d8e8bcb0faf3532a9ef440d1687016c9f666c1f56479c7db003b0388e0a69bb2626f34c86046bc477edae

memory/2888-22-0x0000000000660000-0x0000000000666000-memory.dmp

memory/2888-23-0x0000000010000000-0x000000001020A000-memory.dmp

memory/456-25-0x0000000000B10000-0x00000000013BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A867.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/3652-31-0x00000000038E0000-0x0000000003A9B000-memory.dmp

memory/3652-32-0x0000000003AA0000-0x0000000003C57000-memory.dmp

memory/516-35-0x0000000000400000-0x0000000000848000-memory.dmp

memory/516-36-0x0000000000400000-0x0000000000848000-memory.dmp

memory/516-33-0x0000000000400000-0x0000000000848000-memory.dmp

memory/516-37-0x0000000000400000-0x0000000000848000-memory.dmp

memory/516-38-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AB56.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/4960-47-0x0000000002F70000-0x0000000003070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\A28A.dll

MD5 350842cb91aed3da670b1ef73e65b70c
SHA1 8cf17bb1afa04e12437f543237e5c659ece4a207
SHA256 b89f43a42be0f8b1fd6600c6db28a3e6fc86f4831f10a7c6ea1603c3d8b29e26
SHA512 b23d3330a6b348299ffdfd0fa49091aa5bd8355866ed5aed768fc14f2c711671ca2a8d8bafecfc568654ad27e556579e5995d88b46bce6a3f3f4c5876396e1a0

memory/4960-50-0x0000000004A40000-0x0000000004AAB000-memory.dmp

memory/516-44-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4960-48-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/516-51-0x0000000000900000-0x0000000000906000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B104.exe

MD5 baa4e78169a0d50f8d868ca9cdb1b166
SHA1 bf3e4f0fac7be83d03949a47e356bc11c7b4b2a3
SHA256 9242271452141bf9010b9769bcfe344748468861cf6d6c424cabaf0c47a3f830
SHA512 58203086b3892877b2e9e156e3ba5cd7db341ed46f3d978e5b3886b9dbf9948795349b3ebbb2216ca0b7dc4205c6bd4cbd3fa23a9a713ece2e9ec54aed4ee3bf

C:\Users\Admin\AppData\Local\Temp\B104.exe

MD5 507c0587f547e4d752fef1eee444688c
SHA1 dc40e87cb42dcd196ada46a6361c2abc27d575df
SHA256 fb56ea35195cb286ca68ee0966cdbc0fe50a2ae2b408588add239099be52d584
SHA512 a55c5833543c6f4695ffe6435688fde5fca08086f2e75a266d6437ff15e697127bef33863de6d7367f17be60881a73402f5a39ae9566352ad433f16ebcdeabf4

memory/3700-57-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp

MD5 ca4955a8a8b691465262d3076c87bc47
SHA1 544e7330f0b7b9bdc9cb1da3ced383b184856eaf
SHA256 71bafa73d6ed53e0f61a65ea63a9f82165e368649fefb884e316fcaf43ae030e
SHA512 e28456526a3f682e96cdbdfe66e26cd76acf9257d9cd8b0056e331afc5b6f585ad140bb4544e13e703f3ee2d53dd930cfaf3ac80123bcaf461be4e467a201833

C:\Users\Admin\AppData\Local\Temp\is-6U5DR.tmp\B104.tmp

MD5 14db4253fd181e84e26eebc8f4150402
SHA1 79e77f75b5b8b1386c1bb76324790caaa908ca8d
SHA256 65cc67e5c73ef94bcaa28719f3452756967f3e7461199fb7715000db90da6e28
SHA512 9939fe82c087fcb38573efbc2692def67877063851c9a67400aba84085f7db4c2d2dcd7685200747f5da9a93f47f6e4ac202dcf1202976a57bcdd8d5b7426f1e

memory/4596-78-0x00000000020C0000-0x00000000020C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TSIBL.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-TSIBL.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 4fd907bc808a1ef6f8fb9796bba2ee72
SHA1 f02332b1bfe440cd89ca5868c537fa83ed6686c3
SHA256 e08e7078a2a36df686ad938710b22c11b2cc5da7c55b18167a98d11e4a3f00ad
SHA512 16aac4bb4afcba566cb20751a3048ebcad37371fd419b2362cd50b53ee0cee4eeb6e4c8b1b84fd3f78930c6de75c34ff1b66114eaba929e6eeaf9fb735afcda9

memory/2888-109-0x0000000002470000-0x0000000002599000-memory.dmp

memory/3444-110-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\ProgramData\WBICreatorService 6.5\WBICreatorService 6.5.exe

MD5 bd0af730b5aa6bb4ed361cdf57ca5e02
SHA1 4e2aad9d062125117ec45b264efb922f4aa7c767
SHA256 1d025c2042b4aea56ae53595c8ef990cc5878d276139f38129d2f9019dba8337
SHA512 01b38ffc3f5145b89756398b8469764e19ccec64f887324f4ea9ff93f76060cf378e430b57974d7751f65405a31650e848f88ed098789f6b578cde0d8ba51d0e

memory/3444-113-0x0000000000400000-0x00000000006E8000-memory.dmp

C:\Users\Admin\AppData\Local\Mario CD-DVD Speed\cddvdspeed.exe

MD5 ff0546c208045c0825dd3bfe90ef3faf
SHA1 278999e554e5363a7c7f2f7355c67ad2e875b2fa
SHA256 5cd2bfec348fe210475f230fb27c73a514ebcc5bf9e94e1389e273059f482746
SHA512 8040a04b8cf35b6696f8134e07625d4f818484d728c5ae1203e52eb88ea3e9dd34b3bd520430fd7d7d7346fb7b1af546468bcb0ca702cfeb9fc3bc7338e98e94

memory/4312-116-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4312-118-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/2888-119-0x00000000025A0000-0x00000000026AE000-memory.dmp

memory/2888-120-0x00000000025A0000-0x00000000026AE000-memory.dmp

memory/2888-122-0x00000000025A0000-0x00000000026AE000-memory.dmp

memory/516-123-0x0000000002D50000-0x0000000002E79000-memory.dmp

memory/516-125-0x0000000002E80000-0x0000000002F8E000-memory.dmp

memory/516-127-0x0000000002E80000-0x0000000002F8E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E17C.exe

MD5 fa436ac081f0353e4c8a7a20547280d5
SHA1 7c2006a60a591139e619190b9ff1663d22e7c761
SHA256 01f3d6aa8bb750c954f544e8b466c10807cbe274429b07a81155fba8e9e006a6
SHA512 a4693cf957b52f05c99d42901ab7403a78ce4272e9825732d2242eb0e3dafb45e882b4068e7fb0ec5d36f345ead4e691100213b3732d6684f04655b409a3c27c

C:\Users\Admin\AppData\Local\Temp\E17C.exe

MD5 891b0ecba023c942258e77f219e08e47
SHA1 b6902ef9eef4c4822532c059656e67606090d1f9
SHA256 cde4d1fb53812f82a6ae30d9fe315b2a27fd77900f27c9ed3a6b49c21e51b330
SHA512 90867d45c751c0c0c685b980cc772a8cbe4a88378bc5cfe5187ce23e38005c102d5dfb95ec8fb63557caf9c0b2ac8c07320baf39159cde85f2f20c273ae1c0df

memory/2888-132-0x0000000010000000-0x000000001020A000-memory.dmp

memory/1684-134-0x0000000000C90000-0x0000000001546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 ab43192ad620e08c545c7f7c4b52802b
SHA1 090a9c43a6be4ead3385a92bb4779865ed10127d
SHA256 4d69fa18d7f1fac5f56f9396b65057a21f42a13349b83cbe7291f00fc0b989db
SHA512 1dcb00254d0ad110ebfa0e4cd267e31930f633f6762c3226579e62693401a465a8f9d0094d57354bb545ce5a5c2b15292c555506549b1dbcfae7629d91e0bbe0

memory/4960-137-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/3700-145-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4312-148-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4596-146-0x0000000000400000-0x00000000004BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 eab2fcd5ec933106a83b15fac38a8694
SHA1 13fa5c0464e1be041adb926aa61e90636463863d
SHA256 652e0d8953899a43735e3a819818674d9f4c1215b7c55d12424273102058698c
SHA512 e1e2cc108211d8efab0060aba41acc105b84f0ccf0fc88ae4214027e2b3d1e305d48371a352b3e168a1cc208ba5e31106cc7bdb6ed2c0d243ae093337d52e523

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 682fc35530a6dc6f2bdfad98ecd7eae2
SHA1 10666b26129587b4a564fb59d367539f57c76ca3
SHA256 83414b912a4ba1cbfea8b625890291ae866860408ed45da5923d1a67ea7c4101
SHA512 ea68038310a51b183dfee7acabd61cad8d93372f30321ec0ed9ccf53016c82b7133b90930fcff107f42582f7a65315f2cf5ba8078597cf275fb45c6881da25da

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 0f68106658c054bde5c705e5b1f000e6
SHA1 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102
SHA256 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c
SHA512 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e

memory/1684-157-0x0000000072680000-0x0000000072E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 bf254ad5640e2dadab1c1aee4847c749
SHA1 41cdb51034f2c66207eb9e601d547f080858da66
SHA256 d923708674e9ea58024997745047f6613c80f1c03003b6e6304b80b3e57dfeff
SHA512 ff99bac22e234ed344c6231c69ca3caed5dcfdcb5e13c2ceaa3bd499e7168817643bd9ebbed6662039d73c03779de19f1e6231e08697259dc674f199d102da68

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 56b83c068dc6c8df9c02236e9587cd42
SHA1 9803091206a0fff470768e67577426cce937a939
SHA256 678ad0e61f6de9398cc11b9b36be203c12b690a0b06f06e5a62b1cfd51d0036e
SHA512 e270b50ee7a2b70409c2881f3f936013f0034b7e4e66f914dfe97fc94af3e779de6174673a39b9b45b98beede0c04151609f4ee0e4277988d56a7d3ea62830cb

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 342df85aa81aa82ef2875364b6f999e0
SHA1 78ecb246b2e99279a32d0cdc4682493828dcae1a
SHA256 b301267f75c00647520a3f025fefd4fdda4ce4e0c483c923f58a095184241f5f
SHA512 8e1b9ebe17fb988da47162327a57436ccc3a9020da396317ddcceaa212567d3cf0c1709e9d4062fd49513977f9e5a6b4bf536c8ba90bba4b20fdbc94a76c5385

C:\Users\Admin\AppData\Local\Temp\nsmF03D.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 2ca32a64d491385b9191b77cd9e1245e
SHA1 3689280aeae1870caec7d5a32c5b0ae6be4f310a
SHA256 eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae
SHA512 a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 029a5147d2f0d080800b095d06298a55
SHA1 6d53b0c00f128318d23de9db082989e30369baad
SHA256 cd1818fa6f2a4cbdd75985ba9e36c6141d206f5728b994875c3af7c874938566
SHA512 b035c22bd7b41375cff69882f696d37f8167c12a770da3f6d919d1350789bd1f1d4cfc623fe325c696b3f30e96632bbd1233cdff878df05e8c5b7a153f3c9e1c

memory/1684-180-0x0000000072680000-0x0000000072E30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 10da85ae04da6c225fd4ea9d204378c9
SHA1 d3730e020f9e2a5c217926180d44b65a91cf6a4a
SHA256 d753eef117aabaa8247c3bcea0d39f64cfeaf612193e30995f5c00ead203e9c5
SHA512 1cc1ef5da86f4683422301f8318c1bd6d30515aa36e1d6949eb749b47a3b557990b79f7bc682eb3e3f2ccef4155e56f8adeb1f09beec97de067acf40c91e9d69

memory/2504-182-0x0000000002460000-0x0000000002461000-memory.dmp

memory/4416-188-0x00000000029A0000-0x0000000002D9E000-memory.dmp

memory/4416-189-0x0000000002DA0000-0x000000000368B000-memory.dmp

memory/4416-190-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4960-192-0x0000000002F70000-0x0000000003070000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscFED4.tmp

MD5 c7f4dfe314dd61bc9ff56fdffe58bc58
SHA1 92149a4cc12b6e284f672897408ed7fe2c08cd39
SHA256 3eec4a52959c31d4d0cfa6890f27ef9802cfcd0732e4e4450228976ca0698591
SHA512 09f9710c21bfec59e10accadafa2922a730ebdddabe346abb5916f9854669c5bd89214d02aba4d22d7a20ac18954cb39cb832024cd734ea9bc73f83c18d01f44

memory/4428-204-0x0000000001D60000-0x0000000001E60000-memory.dmp

memory/4428-205-0x0000000001B80000-0x0000000001BA7000-memory.dmp

memory/4312-207-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4428-206-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/4428-209-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\19E2.exe

MD5 fbc2d00d3becdb29396535bc33ec9f1e
SHA1 cffe38ebcdb49bc0bba1b38eadee4829c8c7d287
SHA256 adab8714a1aca2cb83ffc8b4d87427b8619417a99ea50b85d7584d6aa0620516
SHA512 55399ce7a94501adac61c4159578b40200ddcbaa7cda95a9f934716f72ee4640618c0865339e4f78367351631ba9d9a92b6a9848101be9179dbe963e5180bdaa

memory/4416-222-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2504-224-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4596-226-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/1808-228-0x0000000001B30000-0x0000000001C30000-memory.dmp

memory/1808-230-0x00000000034F0000-0x00000000034FB000-memory.dmp

memory/1808-233-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/1808-273-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Temp\475C.exe

MD5 e2e72850cd8cb2e9e1d25276b097b4b1
SHA1 dfcc53d6f6dce8a7239d2e60c8314cfb2447f447
SHA256 c5526ce4c6edb5a574750fe7b446e92dd591cb1226f168e2b128c84b82b47484
SHA512 5681d2c73d083dcb7105db3e1e623013a4cf85e696105b916dcd51f6580710c9e91bc800357dcd2ccf32edb655230c1276a33576032b6e5c96a52e7be4071cc0

C:\Users\Admin\AppData\Local\Temp\475C.exe

MD5 eaa244bcc280805a06303b283c342413
SHA1 22bf3cecb67b58a2b8f506a7e0e3e9c2a50c7fa1
SHA256 dedccef043421417a11bdd1623f8ded11939c6f7ac2ba82d62facb75226549cc
SHA512 91e34d6e4a035566fd4579d74e68b02e2721ad839ee080c17b0c455ec52cc8e32a85493b3d81edbcd43bc02d5942326471d4c7330f433fe33b486c540d6f071e

memory/632-332-0x0000000003900000-0x0000000003901000-memory.dmp

memory/632-331-0x0000000000CC0000-0x000000000176D000-memory.dmp

memory/632-333-0x0000000003910000-0x0000000003911000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/632-343-0x0000000000CC0000-0x000000000176D000-memory.dmp

memory/4312-351-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/1996-352-0x00007FFD5F250000-0x00007FFD5FD11000-memory.dmp

memory/1996-355-0x0000025962C30000-0x0000025962C40000-memory.dmp

memory/1996-356-0x0000025962C30000-0x0000025962C40000-memory.dmp

memory/1996-362-0x0000025962B90000-0x0000025962BB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vpipopmp.uor.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4428-368-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/4312-387-0x0000000000400000-0x00000000006E8000-memory.dmp

memory/4312-392-0x0000000000A20000-0x0000000000AC2000-memory.dmp

memory/2504-404-0x0000000002460000-0x0000000002461000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 93df53829d7ff15b36cca0997bdf9523
SHA1 85961b7b321c9492e276ada800debaa55c9c1d59
SHA256 107f6e6bf02253e4453b28539faa31bbcdd8c7048373fd3678aeec3e4faf2e5c
SHA512 37edf278c32461498cf9fb723806553f8f99f00eda1e8fd3b314733759f249cc9db11db400b0a2e8985b1bdbb31749f80e4608f03c783e95fe5a144437337f16

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

memory/4416-414-0x00000000029A0000-0x0000000002D9E000-memory.dmp

memory/2324-413-0x0000000002890000-0x00000000028C6000-memory.dmp

memory/4416-415-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2324-418-0x0000000005120000-0x0000000005748000-memory.dmp

memory/4276-419-0x000001A5D3CE0000-0x000001A5D3CF0000-memory.dmp

memory/4276-417-0x00007FFD5F250000-0x00007FFD5FD11000-memory.dmp

memory/2324-416-0x0000000071C00000-0x00000000723B0000-memory.dmp

memory/2324-421-0x0000000004AE0000-0x0000000004AF0000-memory.dmp

memory/4276-420-0x000001A5D3CE0000-0x000001A5D3CF0000-memory.dmp

memory/2324-431-0x0000000004FA0000-0x0000000004FC2000-memory.dmp

memory/2324-437-0x00000000057C0000-0x0000000005826000-memory.dmp

memory/2324-442-0x0000000005930000-0x0000000005996000-memory.dmp

memory/2324-443-0x00000000059A0000-0x0000000005CF4000-memory.dmp

memory/2324-444-0x0000000005E40000-0x0000000005E5E000-memory.dmp

memory/1996-447-0x00007FFD5F250000-0x00007FFD5FD11000-memory.dmp

memory/2324-446-0x0000000005F00000-0x0000000005F4C000-memory.dmp

memory/4276-460-0x000001A5D4900000-0x000001A5D491C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 b0ca41b249e5621a4033dc3c024af9f0
SHA1 de5ffceae5a0aee20d080096792eac80d1866e1c
SHA256 09cb7eb67ee77cdac1bf25afdf5c0fd9a7435a74afc7008e761788d8fed9f5ff
SHA512 9e6ceb353f42f4fb4e014cfaf7b832ba8c5056fc07787fa44b70abdbb0b9eecd12769f5e2fa3d735a45f86a13e4a0e980d16e8364fea1eff6ddbe20ba8c6ce87

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 654e2acf81a36a91149844b610506f89
SHA1 d4ecca0d9acbfcf46bc9a575a5b54d9f3e4f3e8f
SHA256 84ed5601c88d32e00b02422a0e7ab5d24d392b56933b39249160c50b5f5903e3
SHA512 d96547ca2d789075d51d341e8ea55878c269b822006ccf1631a244622b37d1d1c5887c3fe27a00e7bb89e333625c5fdcba149c0127e577aeda06eb20d0e5319e

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 29c74e5c6c3fe79311b0d35809d8b7d6
SHA1 7e2da3fa3a02cf37df1ce6bc91a4dfa7fbf40351
SHA256 a43dff0c2459e985a3a51652846be31f2214253db1ce4982a05443f557d3edba
SHA512 3d52180d95fcb0de250dbe15b9764ddfc2504db7ed2be3660c6b359a0b16a02831e37b8a939a9edf8f19ee53ab11708e7776b19a53afa766a65a20213f787e02