Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-p87e1ahd99
Target 056d02ea6dc581ad442aee7313ac4a3b.exe
SHA256 ea98c56328b0659d7bfe4a2a04cb0a4c6c10ad5ce9f05c305b9264f305095c86
Tags
dcrat glupteba lumma smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea98c56328b0659d7bfe4a2a04cb0a4c6c10ad5ce9f05c305b9264f305095c86

Threat Level: Known bad

The file 056d02ea6dc581ad442aee7313ac4a3b.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba lumma smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat spyware stealer trojan upx

Lumma Stealer

Glupteba

DcRat

Glupteba payload

SmokeLoader

Creates new service(s)

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

UPX packed file

Loads dropped DLL

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Reads data files stored by FTP clients

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Uses Task Scheduler COM API

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 13:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 13:01

Reported

2024-02-27 13:03

Platform

win10v2004-20240226-en

Max time kernel

69s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\B058.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\80E8.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\96D3.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1228 set thread context of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BFBB.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BFBB.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\BFBB.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BFBB.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3480 wrote to memory of 1228 N/A N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 3480 wrote to memory of 1228 N/A N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 3480 wrote to memory of 1228 N/A N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 1228 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\80E8.exe C:\Users\Admin\AppData\Local\Temp\80E8.exe
PID 3480 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\9442.exe
PID 3480 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\9442.exe
PID 3480 wrote to memory of 3140 N/A N/A C:\Users\Admin\AppData\Local\Temp\9442.exe
PID 3480 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\96D3.exe
PID 3480 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\96D3.exe
PID 3480 wrote to memory of 1912 N/A N/A C:\Users\Admin\AppData\Local\Temp\96D3.exe
PID 3480 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe
PID 3480 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe
PID 3480 wrote to memory of 1588 N/A N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe
PID 1588 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp
PID 1588 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp
PID 1588 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\9CC0.exe C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp
PID 3552 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3552 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3552 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3552 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3552 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3552 wrote to memory of 4584 N/A C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3480 wrote to memory of 3412 N/A N/A C:\Users\Admin\AppData\Local\Temp\B058.exe
PID 3480 wrote to memory of 3412 N/A N/A C:\Users\Admin\AppData\Local\Temp\B058.exe
PID 3480 wrote to memory of 3412 N/A N/A C:\Users\Admin\AppData\Local\Temp\B058.exe
PID 3412 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3412 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3412 wrote to memory of 4932 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3412 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3412 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3412 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3412 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3412 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\B058.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 2560 wrote to memory of 5744 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2560 wrote to memory of 5744 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2560 wrote to memory of 5744 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3480 wrote to memory of 5148 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFBB.exe
PID 3480 wrote to memory of 5148 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFBB.exe
PID 3480 wrote to memory of 5148 N/A N/A C:\Users\Admin\AppData\Local\Temp\BFBB.exe
PID 5744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 5744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 5744 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
PID 2560 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
PID 2560 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
PID 972 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 972 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 972 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 972 wrote to memory of 4512 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4932 wrote to memory of 5800 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 5800 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4932 wrote to memory of 5800 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3480 wrote to memory of 5740 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3480 wrote to memory of 5740 N/A N/A C:\Windows\system32\regsvr32.exe
PID 5740 wrote to memory of 4220 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe

"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"

C:\Users\Admin\AppData\Local\Temp\80E8.exe

C:\Users\Admin\AppData\Local\Temp\80E8.exe

C:\Users\Admin\AppData\Local\Temp\80E8.exe

C:\Users\Admin\AppData\Local\Temp\80E8.exe

C:\Users\Admin\AppData\Local\Temp\9442.exe

C:\Users\Admin\AppData\Local\Temp\9442.exe

C:\Users\Admin\AppData\Local\Temp\96D3.exe

C:\Users\Admin\AppData\Local\Temp\96D3.exe

C:\Users\Admin\AppData\Local\Temp\9CC0.exe

C:\Users\Admin\AppData\Local\Temp\9CC0.exe

C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp" /SL5="$A0230,2248936,56832,C:\Users\Admin\AppData\Local\Temp\9CC0.exe"

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s

C:\Users\Admin\AppData\Local\Temp\B058.exe

C:\Users\Admin\AppData\Local\Temp\B058.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BFBB.exe

C:\Users\Admin\AppData\Local\Temp\BFBB.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp

C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C922.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\C922.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5800 -ip 5800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 2364

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4804 -ip 4804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2340

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

Network


Files

C:\Users\Admin\AppData\Local\Temp\80E8.exe

C:\Users\Admin\AppData\Local\Temp\9442.exe

C:\Users\Admin\AppData\Local\Temp\96D3.exe

C:\Users\Admin\AppData\Local\Temp\9CC0.exe

C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp

C:\Users\Admin\AppData\Local\Temp\is-CRHKF.tmp\_isetup\_isdecmp.dll

C:\Users\Admin\AppData\Local\Temp\is-CRHKF.tmp\_isetup\_iscrypt.dll

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

C:\Users\Admin\AppData\Local\Temp\B058.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsuB799.tmp\INetC.dll

C:\Users\Admin\AppData\Local\Temp\BFBB.exe

C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

C:\Users\Admin\AppData\Local\Temp\C922.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ozaueobh.kl5.ps1

C:\ProgramData\nss3.dll

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

C:\ProgramData\mozglue.dll

C:\ProgramData\Are.docx

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 13:01

Reported

2024-02-27 13:03

Platform

win7-20240221-en

Max time kernel

55s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\B8D4.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\D358.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2644 set thread context of 2756 N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe C:\Users\Admin\AppData\Local\Temp\B8D4.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\CF32.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FF0C.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FF0C.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\FF0C.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FF0C.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 2644 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 2644 wrote to memory of 2756 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 1380 wrote to memory of 2472 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\CF32.exe
PID 1380 wrote to memory of 2924 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\D358.exe
PID 1380 wrote to memory of 2812 (7 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\DBD1.exe
PID 2812 wrote to memory of 1608 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\DBD1.exe C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp
PID 2472 wrote to memory of 1900 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\CF32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1380 wrote to memory of 1268 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\F980.exe
PID 1380 wrote to memory of 2272 (4 events) N/A N/A C:\Users\Admin\AppData\Local\Temp\FF0C.exe
PID 1268 wrote to memory of 2212 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\F980.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 1380 wrote to memory of 1120 (5 events) N/A N/A C:\Windows\system32\regsvr32.exe
PID 1120 wrote to memory of 1552 (7 events) N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1268 wrote to memory of 1292 (1 event) N/A C:\Users\Admin\AppData\Local\Temp\F980.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
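
Read as a graph, the WriteProcessMemory rows above are the injection chain of this sample. The following is an added example (my own code, not part of the sandbox report) that parses rows in the table's format, folds repeated writes into one counted edge, and labels each edge: a process writing into a freshly spawned copy of its own image (2644 -> 2756, B8D4.exe into B8D4.exe) is the process-hollowing pattern and should be confirmed against thread-context and section-mapping events before it is called that; a write into a WerFault.exe started with -p <writer pid> is crash reporting rather than a payload; the 64-bit regsvr32.exe writing into its SysWOW64 counterpart is consistent with regsvr32 relaunching itself to register a 32-bit DLL; writes from PID 1380, whose image the table does not record, need the process tree before any attribution. The row excerpt is copied from the table with its duplicates left in; the label names and helpers are mine.

```python
"""Build an injection graph from WriteProcessMemory rows in the table's own format.
Added example, not part of the original sandbox report: the row excerpt is copied
from the table above, the edge labels and helper names are my own."""
import re
from collections import OrderedDict
from dataclasses import dataclass

# Accepts the report's row form and an optional "(N events)" count after the PIDs.
ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+)(?: \((\d+) events?\))? (\S+) (\S+) (\S+)$")

# Excerpt of the rows above, duplicates left in as the sandbox reported them (constructed input).
SAMPLE_ROWS = r"""
PID 1380 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 1380 wrote to memory of 2644 N/A N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 2644 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 2644 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 2644 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\B8D4.exe C:\Users\Admin\AppData\Local\Temp\B8D4.exe
PID 1380 wrote to memory of 2812 N/A N/A C:\Users\Admin\AppData\Local\Temp\DBD1.exe
PID 2812 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Local\Temp\DBD1.exe C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp
PID 2472 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\CF32.exe C:\Windows\SysWOW64\WerFault.exe
PID 1120 wrote to memory of 1552 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1268 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\F980.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"""


@dataclass
class Edge:
    src: int
    dst: int
    src_image: str  # "N/A" when the sandbox did not attribute the writer
    dst_image: str
    count: int = 0


def parse_rows(text):
    """One Edge per (writer, target) pair, with repeated rows folded into count."""
    edges = OrderedDict()
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst, n, _indicator, src_image, dst_image = m.groups()
        key = (int(src), int(dst))
        edge = edges.setdefault(key, Edge(key[0], key[1], src_image, dst_image))
        edge.count += int(n) if n else 1
    return list(edges.values())


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(edge):
    """Heuristic label for one edge; the order matters (most specific first)."""
    if edge.src_image != "N/A" and edge.src_image.lower() == edge.dst_image.lower():
        return "hollowing_candidate"   # parent writes into a child running its own image
    if _basename(edge.dst_image) == "werfault.exe":
        return "crash_reporting"       # WerFault -p <writer pid>: crash handler, not a payload
    if edge.src_image == "N/A":
        return "unattributed_writer"   # resolve the PID in the process tree first
    if _basename(edge.src_image) == _basename(edge.dst_image):
        return "wow64_relaunch"        # same binary, system32 into SysWOW64
    return "dropper_handoff"


def chains_from(edges, root):
    """All writer -> target paths starting at root, e.g. 1380 -> 2644 -> 2756."""
    children = {}
    for e in edges:
        children.setdefault(e.src, []).append(e.dst)
    chains = []

    def walk(pid, path, seen):
        if pid in seen or pid not in children:
            chains.append(path)
            return
        for child in children[pid]:
            walk(child, path + [child], seen | {pid})

    walk(root, [root], frozenset())
    return chains
```

The edge labels are a starting point for reading the table, not a verdict: hollowing is only confirmed when the same child also shows a thread-context change and a section unmapped at its image base, and an unattributed writer is resolved by looking the PID up in the sandbox's process tree.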

Processes

C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe

"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

C:\Users\Admin\AppData\Local\Temp\CF32.exe

C:\Users\Admin\AppData\Local\Temp\CF32.exe

C:\Users\Admin\AppData\Local\Temp\D358.exe

C:\Users\Admin\AppData\Local\Temp\D358.exe

C:\Users\Admin\AppData\Local\Temp\DBD1.exe

C:\Users\Admin\AppData\Local\Temp\DBD1.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 124

C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp" /SL5="$70120,2248936,56832,C:\Users\Admin\AppData\Local\Temp\DBD1.exe"

C:\Users\Admin\AppData\Local\Temp\F980.exe

C:\Users\Admin\AppData\Local\Temp\F980.exe

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CD3.dll

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CD3.dll

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsj3999.tmp

C:\Users\Admin\AppData\Local\Temp\nsj3999.tmp

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227130210.log C:\Windows\Logs\CBS\CbsPersist_20240227130210.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
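
The command lines above are the part of this report that turns directly into detection content. Below is an added example (my own code, not part of the sandbox report and not a vendor signature) that runs a small set of triage rules over (image, command line) pairs copied from the Processes section: the Defender exclusion added through Add-MpPreference, the inbound firewall allow rule for C:\Windows\rss\csrss.exe, the service created with a binpath under ProgramData, the stop of the eventlog service, the removal of KB890830 (the Malicious Software Removal Tool), the scheduled task pointed at a Temp directory, regsvr32 loading a DLL from Temp, and a core system process name (csrss.exe) living outside System32. The makecab run over a CBS log and the chcp call are routine Windows activity and are kept in as negatives. Rule names are my own. The rules match image and arguments together because a relaunched child (the SysWOW64 regsvr32 above) is recorded with a command line that lacks its own executable name.

```python
"""Triage rules run over the command lines listed in the Processes section.
Added example, not part of the original sandbox report: the rule set and the
names below are my own; the events are copied from the report."""
import re
from collections import defaultdict

# (image, command line) pairs copied from the Processes section above; the
# makecab and chcp lines are kept as benign negatives.  Constructed test input.
SAMPLE_PROCESS_EVENTS = [
    (r"C:\Windows\system32\regsvr32.exe", r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CD3.dll"),
    (r"C:\Windows\SysWOW64\regsvr32.exe", r"/s C:\Users\Admin\AppData\Local\Temp\CD3.dll"),
    (r"C:\Windows\system32\makecab.exe",
     r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227130210.log C:\Windows\Logs\CBS\CbsPersist_20240227130210.cab'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F'''),
    (r"C:\Windows\SysWOW64\chcp.com", r"chcp 1251"),
    (r"C:\Windows\system32\netsh.exe",
     r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes'),
    (r"C:\Windows\rss\csrss.exe", r"C:\Windows\rss\csrss.exe"),
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe delete "UTIXDCVF"'),
    (r"C:\Windows\system32\wusa.exe", r"wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"'),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe start "UTIXDCVF"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
]

# Rule name -> pattern matched against "<image> <command line>" (names are my own).
_RULES = [
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    ("firewall_allow_rule_added",
     re.compile(r"\bnetsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)),
    ("service_created_in_programdata",
     re.compile(r"\bsc(?:\.exe)?\s+create\b.*\bbinpath=\s*\"?[a-z]:\\programdata\\", re.I)),
    ("eventlog_service_stopped",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("msrt_uninstalled",  # KB890830 is the Malicious Software Removal Tool
     re.compile(r"\bwusa(?:\.exe)?\s+/uninstall\s+/kb:890830\b", re.I)),
    ("scheduled_task_runs_from_user_temp",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*/tr\s+[\"']*[a-z]:\\users\\.*\\temp\\", re.I)),
    ("regsvr32_loads_dll_from_user_temp",
     re.compile(r"\bregsvr32(?:\.exe)?\s+(?:/s\s+)?\"?[a-z]:\\users\\.*\\temp\\[^\"\s]*\.dll\b", re.I)),
]

_SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "winlogon.exe", "services.exe", "svchost.exe", "wininit.exe"}
_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
_PATH_RE = re.compile(r"[a-z]:\\[^\"'\s]+", re.I)


def masquerading_paths(text):
    """Paths whose file name is a core Windows process but whose directory is not a system directory."""
    hits = []
    for path in _PATH_RE.findall(text):
        directory, _, name = path.rpartition("\\")
        if name.lower() in _SYSTEM_NAMES and directory.lower() not in _SYSTEM_DIRS:
            hits.append(path)
    return sorted(set(hits))


def triage(events):
    """{rule_name: [command lines that fired it]} for (image, command line) pairs."""
    findings = defaultdict(list)
    for image, cmdline in events:
        text = f"{image} {cmdline}"  # image + args: a relaunched child may lack argv[0]
        for name, pattern in _RULES:
            if pattern.search(text):
                findings[name].append(cmdline)
        if masquerading_paths(text):
            findings["system_binary_name_outside_system32"].append(cmdline)
    return dict(findings)
```

On a real endpoint these regexes would sit behind a proper command-line tokenizer and a known-good baseline; here they are enough to show which of the report's lines carry the defence-evasion and persistence signal and which are background noise.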

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
FR 163.172.68.222:9001 tcp
N/A 127.0.0.1:49238 tcp
RU 46.188.6.64:9001 tcp
DE 185.220.101.23:30023 tcp
DE 185.213.155.169:5753 tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
BA 185.12.79.25:80 trmpc.com tcp
SE 185.97.32.34:9001 tcp
DE 131.188.40.189:443 tcp
DE 176.96.137.199:9100 tcp
CH 188.63.254.56:30004 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
FR 217.182.138.77:666 tcp
FR 62.210.97.21:443 tcp
US 174.128.250.166:80 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
CH 188.63.254.56:30004 tcp
DE 176.96.137.199:9100 tcp
DE 176.9.57.157:9001 tcp
US 8.8.8.8:53 kamsmad.com udp
KR 210.182.29.70:80 kamsmad.com tcp
KR 210.182.29.70:80 kamsmad.com tcp
KR 210.182.29.70:80 kamsmad.com tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 bmbol3.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 sjjeresbscheel.oz udp
US 8.8.8.8:53 sezzbm.cz udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 gvjc.cem udp
US 8.8.8.8:53 ujp.bc.pb udp
US 8.8.8.8:53 mbolfole.erg udp
US 8.8.8.8:53 bmbol3.cem udp
US 8.8.8.8:53 bmbol3.cem udp
US 8.8.8.8:53 sjjeresbscheel.oz udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 sjjeresbscheel.oz udp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 sezzbm.cz udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 gvjc.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mbolfole.erg udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ujp.bc.pb udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.jw udp
KR 210.182.29.70:80 kamsmad.com tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 byombgozbjoez.cem udp
US 8.8.8.8:53 ybhee.ce.jh udp
US 8.8.8.8:53 byombgozbjoez.cem udp
US 8.8.8.8:53 ybhee.ce.jh udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 vosbybs.glebelozes.cem.ph.cem.ph udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 zyc.rr.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 vosbybs.glebelozes.cem.ph.cem.ph udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 zyc.rr.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 sjudezj.jp.edu.sg udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 sjudezj.jp.edu.sg udp
KR 210.182.29.70:80 kamsmad.com tcp
US 8.8.8.8:53 beherb3.mee.edu.eg udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 forembol.bj udp
US 8.8.8.8:53 beherb3.mee.edu.eg udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 bel.cem udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 drmbol.oz udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 42763f4b-eb44-436f-8261-a65ada0f71e2.uuid.statsexplorer.org udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 forembol.bj udp
US 8.8.8.8:53 ybhee.fr udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 mbckjeroe.cem udp
US 8.8.8.8:53 dogocemmercegreup.cem udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 bel.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 cezjrblcezjreldbjb.cem.br udp
US 8.8.8.8:53 hejmbol.fr udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 drmbol.oz udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 reybzdk.cem udp
US 8.8.8.8:53 ybhee.es udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 dogocemmercegreup.cem udp
US 8.8.8.8:53 mbckjeroe.cem udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 reybzdk.cem udp
US 8.8.8.8:53 ybhee.es udp
US 8.8.8.8:53 ybhee.es udp
KR 210.182.29.70:80 kamsmad.com tcp
US 45.79.222.138:80 vosbybs.glebelozes.cem.ph.cem.ph tcp
US 135.148.100.89:443 tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 jbblom.mb udp
US 8.8.8.8:53 ybhee.cem.br udp
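
The table above is a chronological connection log: the sandbox's resolver (8.8.8.8) appears on every lookup and the same hosts are contacted several times. The following is an added example (my own code, not part of the report) that parses rows in the table's format and reduces them to what a blocklist or a hunt query needs: lookups per name, names with the addresses actually connected to, and bare-IP destinations grouped by port, with loopback and the resolver dropped. Port 9001 is singled out on the assumption that it is Tor's default OR port; together with the cached-microdesc* files in the Files section that pattern is consistent with a Tor client, but an address on 9001 should be checked against the Tor consensus before it is called a relay or used as an IOC. The excerpt is copied from the table; the function names are mine.

```python
"""Aggregate the raw Network table above into resolver-free IOC lists.
Added example, not part of the original report: the row excerpt is copied
from the table, the function names and the Tor heuristic are my own."""
import ipaddress
from collections import Counter, defaultdict
from typing import NamedTuple, Optional

# Assumption: 9001 is Tor's default OR port.  A destination on it is a lead to
# check against the Tor consensus, not proof of a relay.
TOR_DEFAULT_ORPORT = 9001

# Excerpt of the Network table above, header included (constructed input).
SAMPLE_NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
FR 163.172.68.222:9001 tcp
N/A 127.0.0.1:49238 tcp
RU 46.188.6.64:9001 tcp
DE 185.220.101.23:30023 tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
BA 185.12.79.25:80 trmpc.com tcp
SE 185.97.32.34:9001 tcp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 kamsmad.com udp
KR 210.182.29.70:80 kamsmad.com tcp
KR 210.182.29.70:80 kamsmad.com tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 ybhee.cem.br udp
US 8.8.8.8:53 ybhee.cem udp
US 45.79.222.138:80 vosbybs.glebelozes.cem.ph.cem.ph tcp
US 135.148.100.89:443 tcp
"""


class Connection(NamedTuple):
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_network_table(text):
    """One Connection per data row; the header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, _, port = dest.rpartition(":")
        if not port.isdigit():
            continue  # header row ("Destination" has no port)
        rows.append(Connection(country, ip, int(port), domain, proto.lower()))
    return rows


def _is_ip(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def summarize(conns):
    dns_queries = Counter()            # name -> number of lookups sent to the resolver
    resolved = defaultdict(set)        # name -> IPs the sample then connected to
    direct_by_port = defaultdict(set)  # port -> IPs contacted without a name (or with the IP as name)
    for c in conns:
        if c.proto == "udp" and c.port == 53:
            if c.domain:
                dns_queries[c.domain] += 1
            continue  # the resolver itself (8.8.8.8 here) is never an IOC
        if c.proto != "tcp" or ipaddress.ip_address(c.ip).is_loopback:
            continue
        if c.domain and not _is_ip(c.domain):
            resolved[c.domain].add(c.ip)
        else:
            direct_by_port[c.port].add(c.ip)
    by_addr = lambda ips: sorted(ips, key=ipaddress.ip_address)
    return {
        "dns_queries": dict(dns_queries),
        "resolved": {d: by_addr(ips) for d, ips in resolved.items()},
        "direct_by_port": {p: by_addr(ips) for p, ips in direct_by_port.items()},
        "tor_orport_candidates": by_addr(direct_by_port.get(TOR_DEFAULT_ORPORT, set())),
    }
```

Names that were only looked up and never connected to (most of the ybhee.cem / bmbol3.cem family above) stay in dns_queries and out of the resolved list, which is the right place for them: they are worth a DNS-log hunt but not a firewall block.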

Files

memory/2956-1-0x0000000000270000-0x0000000000370000-memory.dmp

memory/2956-2-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/2956-3-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/1380-4-0x00000000026F0000-0x0000000002706000-memory.dmp

memory/2956-5-0x0000000000400000-0x0000000001A2C000-memory.dmp

memory/2956-8-0x00000000001B0000-0x00000000001BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/2644-18-0x0000000003410000-0x00000000035C8000-memory.dmp

memory/2644-19-0x0000000003410000-0x00000000035C8000-memory.dmp

memory/2756-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2644-24-0x00000000035D0000-0x0000000003787000-memory.dmp

memory/2756-25-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B8D4.exe

MD5 dd22fa3503a193f07332b55be4281baf
SHA1 515a34abc727f94df4cf2a904517a2fb843d22df
SHA256 488ea9cd85ff26069e7058656761e545cba1ecadd1dec8138056d20b6817890b
SHA512 18efbcb3b6abe156b159bf1df561473e9fb346920cc29f6db61521c83be5c27820ba80b8e36e501182dc47d7568996e5b13999c160684a71769d84ce759c7b9f

memory/2756-28-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2756-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2756-30-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2756-31-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2756-32-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 98032e01a07b787b4416121c3fdf3ae5
SHA1 65c8dc24c8b5d416c1e51105e190c440762069f3
SHA256 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA512 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb

C:\Users\Admin\AppData\Local\Temp\D358.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

memory/2924-49-0x0000000001B20000-0x0000000001C20000-memory.dmp

memory/2924-50-0x00000000002D0000-0x000000000033B000-memory.dmp

memory/2472-51-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2472-54-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2472-53-0x0000000000EC0000-0x000000000196D000-memory.dmp

memory/2472-57-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2472-59-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2924-58-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/2472-61-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2472-63-0x0000000000100000-0x0000000000101000-memory.dmp

memory/2472-66-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2472-68-0x0000000000110000-0x0000000000111000-memory.dmp

memory/2472-71-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2472-73-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2472-76-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2472-78-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2472-81-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2472-83-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2472-84-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2472-86-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2472-88-0x0000000000190000-0x0000000000191000-memory.dmp

memory/2472-90-0x0000000077700000-0x0000000077701000-memory.dmp

memory/2472-93-0x00000000001A0000-0x00000000001A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DBD1.exe

MD5 8b0b0943877aa89cf021d5d5e2cbb1aa
SHA1 7a64ea593c231fb4b1d7c584980a6650960ac32b
SHA256 b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905
SHA512 d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc

memory/2812-98-0x0000000000400000-0x0000000000414000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp

MD5 a1b45df2ed6b73416fdf10a62a69f8f0
SHA1 053d566b3d1d4ec47d4dff670611a20802b1a366
SHA256 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d
SHA512 bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2

memory/2756-107-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1608-108-0x00000000002C0000-0x00000000002C1000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 eaa244bcc280805a06303b283c342413
SHA1 22bf3cecb67b58a2b8f506a7e0e3e9c2a50c7fa1
SHA256 dedccef043421417a11bdd1623f8ded11939c6f7ac2ba82d62facb75226549cc
SHA512 91e34d6e4a035566fd4579d74e68b02e2721ad839ee080c17b0c455ec52cc8e32a85493b3d81edbcd43bc02d5942326471d4c7330f433fe33b486c540d6f071e

\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 5da4883f8ac78d69d47b1dfe11e520e3
SHA1 00cb082add96a09d6afcd6bbe1f00f640c5efb14
SHA256 efa199532e7cedab9c86e7d7341d4d1f5fcf9efc26878babd7e23d82e1bfc646
SHA512 d86889c8514b7798ab8b4f311e90f417e4ca5a2605f8cba383cc3d89d82cc7ad01558117b5ed69e65c29e51f2aabcde94290ae75089f084c1dc0e972d9efcee2

\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 f7744affd3a2d6e411a04434f376915a
SHA1 f782e667ac2f1f55ccdb2be6b1e6c03f92a81c4f
SHA256 3b2ee23621b23af2609e0c206510f002927a69f86dcc806e489795740f7853b9
SHA512 7821bd32412521ebca8cb5eeaff3f73d9e273a3f7b15b86acd45f25bd78f43bb6d390f9e51152e98a3926abaea922303a34ce8be0b0e6b296a5a689486ed3e26

memory/2756-134-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\F980.exe

MD5 734d6855b16661cb69bb5b6a90090d31
SHA1 a2e7b1d00195979d861545c2265bbb34fd270322
SHA256 6a66918218c3d4e21661fa9c5ce4e9b173bd7efd59401d58b5feb09f84f5736e
SHA512 a42c2144441453672dfcd44c213e2308e0a3eb7b7bd5800fdbc6d527dbcf45dcf864acf768e13acee5440957a6579a011295202cec42d78a2b766805ff654ddf

C:\Users\Admin\AppData\Local\Temp\F980.exe

MD5 eee536f4a6ede82f65053565a4fd8ad2
SHA1 699dad222c2b27e99e5d1f31230b981701257d51
SHA256 89d9b8ec8b0ded42c487fe899692d672b76ac937abc8a59155c4317165b9fb52
SHA512 c8a3bcdd8c522006abbf3525cb26cefd2c565fd2306b9999362d8932c938d47637e74d12054e47dbfcf5437204d02248fd035951a9f52382be1989b8341585e5

memory/2924-140-0x0000000000400000-0x0000000001A77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FF0C.exe

MD5 b2c14d5c21130dc795b521206c0b97d4
SHA1 3cfe837b022d15fd869e6262813e38ed8efb92dc
SHA256 ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37
SHA512 bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107

memory/1268-141-0x00000000008F0000-0x00000000011A6000-memory.dmp

memory/1268-149-0x0000000073400000-0x0000000073AEE000-memory.dmp

memory/2812-150-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2272-151-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2272-152-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/2272-153-0x0000000001B20000-0x0000000001C20000-memory.dmp

memory/2924-154-0x0000000001B20000-0x0000000001C20000-memory.dmp

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d8fd6ee086168ae33101a622914ea1aa
SHA1 087e83ecd19f56d7e1613dd3ec4397790a56bcdc
SHA256 8c83aa0ca592ee93a216ce28bb14385acafe2568df56ad4b28a8d2e36e32ed3d
SHA512 84227739f05c24c889086a4ec8ca1b92b62d85fb687a49c13024fe223129bb4af98cec4ddf1cf72c0ca0f5b63f3a55a3b3e01c97f4a34eba0dedd3f9da86bfde

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 550ee7188c527b01bfa4d015377d121c
SHA1 44c45f90daaef2f68d08512a79d0efa86a748f4b
SHA256 b236c2da74955dc9bcd4fc696ae78f49edbbc6f06aacaa80f0246da3deb3265d
SHA512 677f8a65ca34a290ce916d13966f0511875d5cfc12cc0983d7463a64047528a2407eb62ca8cae392452d06e756b9d07014af52c92d91ec61264c2005468f2a1a

memory/2212-164-0x0000000002770000-0x0000000002B68000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

C:\Users\Admin\AppData\Local\Temp\CD3.dll

MD5 286796d0050225040303192dffc1c4ef
SHA1 daef291b3941387fee3ced03d44a4e254dfec217
SHA256 1546488b5733038151f0c4f8e946afc1cc87990b51a4f191b0911d6705ba6e24
SHA512 04d623a2fe9fa8ec639b9c0ba467f5a2929992f514a1885f943a93401da94ab50ff1c9e0b3ac3e86b79ea570b7010583fbcca062612e28161a1ac0b62b6b56b8

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f75b9beec810c7d22ac06871935465cc
SHA1 02a949c1e44035114022079454555c9c145bf8fb
SHA256 edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182
SHA512 e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 e57b67d14aa175312da3f5a69294668e
SHA1 01618135f1a7177023c59fd8d1fed58e03c59945
SHA256 170a9e9bf03a35b9d62cc43bcd485ca87482e0dab5ce1a6eaa1a38c0f73425da
SHA512 0fdcc9b5a2018c67c2cb7019e8684f9f44d5af83d36cde827d38c1fc35def799af6a056d0bf023a6f164f7b87a281cb7816c433221e3068357e7d65e96b4f299

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b29cd31f15d37cebbe2804adc62ce2e9
SHA1 e036f370e3b9a849609823c1cf295c07968b91a0
SHA256 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2
SHA512 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4

memory/2756-181-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2924-184-0x00000000002D0000-0x000000000033B000-memory.dmp

memory/1608-183-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2212-185-0x0000000002770000-0x0000000002B68000-memory.dmp

memory/2212-186-0x0000000002B70000-0x000000000345B000-memory.dmp

memory/2212-187-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1268-182-0x0000000073400000-0x0000000073AEE000-memory.dmp

memory/2472-188-0x0000000000EC0000-0x000000000196D000-memory.dmp

memory/1380-191-0x0000000003C20000-0x0000000003C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 0159c753801f7e27ae10b8527805eb8c
SHA1 aa87fef2ddf7159ae08194089e4d4178d5dbe009
SHA256 db2b1d24d4ae5442db39be1d3aae8329b9a2c752e402fb6669b27343c15ccd8c
SHA512 4fd68d99b5bada4e40c271b50f27b5f5e7ae330609a05087eca6cc0ff8e746487de43ca322f80d26f843e06e31d53d5cf4d0a1d8ec1bf455cc901e967cd54c3a

memory/2272-192-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 5ca7fc407124217ed4ac456d5369e951
SHA1 5defeaea509bafe38005a9232d94282b59525ef3
SHA256 dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120
SHA512 dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 c0edb4bdfa9609b484821a931dcb20df
SHA1 670337c951b8db965c0f96fc2c8ba31233311346
SHA256 aefb25d522bf71ea8eea24172f27dfcf3759a2c2b3bd1ba8c019a41adc554c50
SHA512 e7380f25d992bcd687aa281f525600debd31802b3fc594d02f3ded4d1e9150714474a0be90e4a1b6853ba4bfb0295106fedef5d85dd3d2f1f095ac1f566f93b9

\Users\Admin\AppData\Local\Temp\CD3.dll

MD5 d88cfcec577f4802c42cb752a315474a
SHA1 ff66289dd3da72eac2923869e669dd6c64b2b2fe
SHA256 a3ee7cd13efaadc84d9d74ffcb95a5baf5a9af2e0eea8f7344a36526c7f2974e
SHA512 1a4f7611ecf3751d1fdba2e0af20d88e059f951e0e89559c9029f2ed8499fcfe77544cdd206d5953a954987a0fc409f38da5f656aeb49b547941989e4337c0c4

memory/1552-199-0x0000000010000000-0x0000000010202000-memory.dmp

memory/1552-198-0x0000000000130000-0x0000000000136000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj168E.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 2ca32a64d491385b9191b77cd9e1245e
SHA1 3689280aeae1870caec7d5a32c5b0ae6be4f310a
SHA256 eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae
SHA512 a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 5dda57f208bce79bb557eca7195d8b84
SHA1 2b28b1da149bd869169bc72fc27aac195ec7b5cf
SHA256 bcc4c28be2fd1c79527cdc8ff8b772cb78cdcef55aec63a4c22b94ffbc561a1e
SHA512 bc14a9aebfa4e7df0f5442810376328d98261653aaf7a5902ec4a32ade85f2bbd2e219ef1f4181f00fa32cf9dbb702a2ca3e2465c959d3b6b379bb9d3a9f8bf5

memory/1632-211-0x0000000000240000-0x0000000000241000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj3999.tmp

MD5 da812d63d6637fbc245339e746ccf1f9
SHA1 1d5c645e81e96606b26aa56526fb0022bb68c4b0
SHA256 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba
SHA512 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 9bcaea6efb5a1f9f39602d3975f9c20b
SHA1 eebbfc1bd15fd1461bc669b3c83407d76369b65a
SHA256 ebf099babce34f2e26cf09093973ecd055677fc11ce468f864a778b97ee62fce
SHA512 13d3e9f4aee201640a66fea27ae3ed60e22365f0a20c97fff4f7c098a84bce0dda39573228ec76f44907767a2075b7e5173b9afab21db26a6e906e33a07402c3

memory/1092-254-0x0000000001AF0000-0x0000000001BF0000-memory.dmp

memory/1092-255-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1092-256-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 05289f5848a855ff3d7a78b862498e26
SHA1 1021a66f15e425f33047d76a247680e916e736b0
SHA256 9c6d6f161b0253f9a78cd099ed0aa225b6ac00d3801859ff7405abd08b501407
SHA512 46265b61d4bdaeaf8af057fe5d49062f69b5ba7ca28198724c0767750af9705bf2f203183b7d33713ba45a9a02009539c5a2253ba567e7b4a4c0a79e85c200a7

memory/1608-267-0x00000000002C0000-0x00000000002C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

memory/2212-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2736-300-0x00000000027C0000-0x0000000002BB8000-memory.dmp

memory/2736-301-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Windows\rss\csrss.exe

MD5 630dfa44d79eae6e77011c43d36944af
SHA1 0b3fb8ed546593cd92b6128761edbffad633ae81
SHA256 806fae64d18d87b7d9829ef0d3417a39c95ac0e52b9f88725439d602265eb0ed
SHA512 bb1aa89c27c751c6e1b4056a3dc73b6804ba19100cf0f6dfdfebac783931cf5d7d06961bf94997cd3ee8396efb33d143883b0b77af402e2ac5f6106b36c74248

C:\Windows\rss\csrss.exe

MD5 e75541c5590c89a0fe3e54389fb55206
SHA1 90f859047ad79a70a663c4fd7644123aadc8da32
SHA256 88ede6ceb2f99ea6e72def366135b52fc54e7b9044c4ec11909f01fd354831de
SHA512 7504346951cdc9e42ea1a6cd11cd26d6602b58751b80f989dfe45cf24821fd40bf7152bf7aef3a3a36a1a8efde595f67ea0a3973f4b7e5fd2e5770d786f0b18a

memory/2736-318-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2100-322-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2100-324-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b8c50d741d429e4cd6210293c0f0d881
SHA1 059f1aa663f344b66b7ab96bd092bfd08ef6b091
SHA256 862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b
SHA512 b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096

memory/2676-584-0x000000001B1A0000-0x000000001B482000-memory.dmp

memory/2676-648-0x0000000001DB0000-0x0000000001DB8000-memory.dmp

memory/2676-1133-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp

memory/2676-1157-0x0000000002654000-0x0000000002657000-memory.dmp

memory/2676-1172-0x000000000265B000-0x00000000026C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 6a190e993f065d939995adfdb07cc8a1
SHA1 9664f606593178eb502cc38b5431189cc4c2cd5e
SHA256 6c8188b31f1c40c05d61e65ea787b2fdde140b631a41a72318d33c5ca475df21
SHA512 a6c1421c487bb344f8bb7ebe9cf2ac2a72cea9c9b70fd9a4092f0891e2de2a3f8150f7ad213bd46300639f21649c79a8360ab917833cbfcb7460bc06de2d17e2

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 f26249769d27c4988588974f0afc5ad0
SHA1 e8b18cd33637ba0baebb2e1e0140103debcc264a
SHA256 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363
SHA512 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 cf71d723e6a3a2abdb69313657a0862f
SHA1 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c
SHA256 ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125
SHA512 b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 37a34cf341124d12f66711d65b92f63f
SHA1 85457cebf25e771ccb5179768e19698044b7d19a
SHA256 7e1549fbe0bd82d5a7fd18a47e3f1b018362a7e76efd6a14b156a7dcf203c79f
SHA512 0db2f1b87f4fc1adf077fa94dc3e16f036f70b72ed40533ee84cead602b1229ebd3902b3989d33e4306d7057b2cab572ed02b5d16a36ab8fc7de6f8aa400c091

memory/4100-1819-0x0000000019AD0000-0x0000000019DB2000-memory.dmp

memory/4100-1825-0x00000000009C0000-0x00000000009C8000-memory.dmp
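
Several paths above carry more than one hash set (CF32.exe four times, C:\Windows\rss\csrss.exe three times, the service binary vueqjgslwynd.exe three times): a path recorded with several distinct hashes was written more than once with different content (a re-drop, a later stage overwriting an earlier one, or a write captured before it was complete), so a hash blocklist needs all of them. The following is an added example (my own code, not part of the report) that parses entries in the Files section's format, merges the drive-less "\Users\..." and "C:\Users\..." spellings on the assumption that they name the same file on the sandbox's single volume, lists the paths written with different content, collects every SHA256, and sizes the memory/PID-... dump regions so the largest region per PID (the first candidate for an unpacked image) is easy to find. The excerpt is copied from the section with SHA512 lines dropped for brevity; helper names are mine.

```python
"""Group the Files section above by path, surface paths written more than once with
different content, and size the dumped memory regions per PID.
Added example, not part of the original report: the excerpt is copied from the
Files section (SHA512 lines dropped for brevity), the helper names are my own."""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Excerpt of the Files section above (constructed input for this example).
SAMPLE_FILES_SECTION = r"""
memory/2956-3-0x0000000000400000-0x0000000001A2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 98032e01a07b787b4416121c3fdf3ae5
SHA1 65c8dc24c8b5d416c1e51105e190c440762069f3
SHA256 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7

\Users\Admin\AppData\Local\Temp\CF32.exe

MD5 eaa244bcc280805a06303b283c342413
SHA1 22bf3cecb67b58a2b8f506a7e0e3e9c2a50c7fa1
SHA256 dedccef043421417a11bdd1623f8ded11939c6f7ac2ba82d62facb75226549cc

memory/2756-25-0x0000000000400000-0x0000000000848000-memory.dmp

\Windows\rss\csrss.exe

MD5 630dfa44d79eae6e77011c43d36944af
SHA1 0b3fb8ed546593cd92b6128761edbffad633ae81
SHA256 806fae64d18d87b7d9829ef0d3417a39c95ac0e52b9f88725439d602265eb0ed

C:\Windows\rss\csrss.exe

MD5 e75541c5590c89a0fe3e54389fb55206
SHA1 90f859047ad79a70a663c4fd7644123aadc8da32
SHA256 88ede6ceb2f99ea6e72def366135b52fc54e7b9044c4ec11909f01fd354831de

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
"""


def normalize_path(path):
    # Assumption: the report's drive-less "\Users\..." form and "C:\Users\..." name
    # the same file on the sandbox's single system volume.
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def parse_files_section(text):
    """Return (files, regions): files is a list of (normalized path, {algo: digest}),
    regions a list of (pid, seq, start, end) taken from the memory dump names."""
    files, regions, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[1][m.group(1)] = m.group(2).lower()
            continue
        current = (normalize_path(line), {})  # any other line starts a new file entry
        files.append(current)
    return files, regions


def sha256_by_path(files):
    out = defaultdict(list)
    for path, hashes in files:
        digest = hashes.get("SHA256")
        if digest and digest not in out[path]:
            out[path].append(digest)
    return dict(out)


def rewritten_paths(files):
    """Paths recorded with more than one distinct SHA256, in the order the report lists them."""
    return {p: hs for p, hs in sha256_by_path(files).items() if len(hs) > 1}


def all_sha256(files):
    return sorted({hs["SHA256"] for _, hs in files if "SHA256" in hs})


def largest_region_per_pid(regions):
    """pid -> (start, size) of the biggest dumped region, the first one to pull
    when looking for an unpacked image (here both sit at the 0x400000 image base)."""
    best = {}
    for pid, _seq, start, end in regions:
        if pid not in best or end - start > best[pid][1]:
            best[pid] = (start, end - start)
    return best
```

The hash list is the part to act on; the path list tells you which of those hashes belong to the same file on disk, which matters when the last write wins and the earlier hashes describe content that never ran.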