Analysis Overview
SHA256
ea98c56328b0659d7bfe4a2a04cb0a4c6c10ad5ce9f05c305b9264f305095c86
Threat Level: Known bad
The file 056d02ea6dc581ad442aee7313ac4a3b.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Glupteba
DcRat
Glupteba payload
SmokeLoader
Creates new service(s)
Modifies Windows Firewall
Stops running service(s)
Downloads MZ/PE file
UPX packed file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Reads data files stored by FTP clients
Adds Run key to start application
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 13:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 13:01
Reported
2024-02-27 13:03
Platform
win10v2004-20240226-en
Max time kernel
69s
Max time network
151s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\B058.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\80E8.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\96D3.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1228 set thread context of 836 | N/A | C:\Users\Admin\AppData\Local\Temp\80E8.exe | C:\Users\Admin\AppData\Local\Temp\80E8.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BFBB.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BFBB.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\BFBB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-652 = "AUS Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-449 = "Azerbaijan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BFBB.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe
"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"
C:\Users\Admin\AppData\Local\Temp\80E8.exe
C:\Users\Admin\AppData\Local\Temp\80E8.exe
C:\Users\Admin\AppData\Local\Temp\80E8.exe
C:\Users\Admin\AppData\Local\Temp\80E8.exe
C:\Users\Admin\AppData\Local\Temp\9442.exe
C:\Users\Admin\AppData\Local\Temp\9442.exe
C:\Users\Admin\AppData\Local\Temp\96D3.exe
C:\Users\Admin\AppData\Local\Temp\96D3.exe
C:\Users\Admin\AppData\Local\Temp\9CC0.exe
C:\Users\Admin\AppData\Local\Temp\9CC0.exe
C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BPSC2.tmp\9CC0.tmp" /SL5="$A0230,2248936,56832,C:\Users\Admin\AppData\Local\Temp\9CC0.exe"
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
C:\Users\Admin\AppData\Local\Temp\B058.exe
C:\Users\Admin\AppData\Local\Temp\B058.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BFBB.exe
C:\Users\Admin\AppData\Local\Temp\BFBB.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
C:\Users\Admin\AppData\Local\Temp\nsnC0D1.tmp
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C922.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\C922.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5800 -ip 5800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 2364
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4804 -ip 4804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 2340
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
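The command lines above are the most detection-worthy part of this report: a Defender exclusion covering the whole user profile and ProgramData, a firewall allow rule for C:\Windows\rss\csrss.exe, the removal of KB890830 (the Malicious Software Removal Tool), a service and a scheduled task whose binaries live under ProgramData and the user's Temp directory, and a silent regsvr32 of a DLL dropped in Temp. The following Python rule set is an added example and is not part of the sandbox report or of any vendor tooling; it runs the six process command lines quoted above, plus two constructed benign lines, through regular-expression rules and maps each hit to the MITRE ATT&CK technique ID the behaviour corresponds to. Rule names, the USER_WRITABLE path heuristic and the benign lines are the editor's own choices.

```python
import re
from dataclasses import dataclass

# Directories a legitimate installer rarely points a service, task or DLL registration at
# (heuristic chosen for this example; tune it for your estate).
USER_WRITABLE = r"(?:\\ProgramData\\|\\AppData\\|\\Users\\[^\\]+\\|\\Temp\\)"


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str        # MITRE ATT&CK technique ID the behaviour maps to
    pattern: re.Pattern   # searched case-insensitively against the whole command line


RULES = [
    # Add-MpPreference -ExclusionPath/-ExclusionExtension: Impair Defenses (Defender exclusions)
    Rule("defender_exclusion", "T1562.001",
         re.compile(r"Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)", re.I)),
    # netsh advfirewall ... add rule ... action=allow: Disable or Modify System Firewall
    Rule("firewall_allow_rule", "T1562.004",
         re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*action=allow", re.I)),
    # wusa /uninstall /kb:890830 removes the Malicious Software Removal Tool
    Rule("msrt_uninstall", "T1562.001",
         re.compile(r"\bwusa\b.*/uninstall\b.*/kb:890830", re.I)),
    # sc create with a binpath under a user-writable directory: Windows Service persistence
    Rule("service_from_user_dir", "T1543.003",
         re.compile(r'\bsc(?:\.exe)?\s+create\b.*binpath=\s*"?[^"]*' + USER_WRITABLE, re.I)),
    # schtasks /create whose /tr target lives under a user-writable directory: Scheduled Task
    Rule("task_from_user_dir", "T1053.005",
         re.compile(r"\bschtasks\b.*/create\b.*/tr\s+.*" + USER_WRITABLE, re.I)),
    # regsvr32 /s on a DLL under a user-writable directory: System Binary Proxy Execution
    Rule("regsvr32_silent_user_dir", "T1218.010",
         re.compile(r"\bregsvr32(?:\.exe)?\b.*/s\b.*" + USER_WRITABLE + r".*\.dll", re.I)),
]

# The first six lines are copied from the Processes section of the report; the last two are
# constructed benign admin commands to show the rules stay quiet on routine use.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"',
    r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r"""schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F""",
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\C922.dll",
    r"C:\Windows\System32\sc.exe query wuauserv",
    r"regsvr32 /s C:\Windows\System32\wuaueng.dll",
]


def scan_command_lines(lines):
    """Return one (rule name, technique, command line) tuple per rule each line trips."""
    return [(rule.name, rule.technique, line)
            for line in lines for rule in RULES if rule.pattern.search(line)]


def techniques(lines):
    """The set of ATT&CK technique IDs observed across the given command lines."""
    return {technique for _, technique, _ in scan_command_lines(lines)}


if __name__ == "__main__":
    for name, technique, line in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"{technique}  {name:26}  {line[:80]}")
```

Each malicious line trips exactly one rule and the two benign lines trip none; the path heuristic, not the binary name, is what separates `sc create` or `regsvr32 /s` abuse from normal administration, so a production version should source the same command lines from Sysmon event ID 1 or Security 4688 and extend USER_WRITABLE with whatever staging directories your environment actually sees.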
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| BE | 109.236.63.122:9001 | N/A | tcp |
| N/A | 127.0.0.1:55963 | N/A | tcp |
| DE | 88.198.112.25:9001 | N/A | tcp |
| NL | 45.153.160.131:9001 | N/A | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 188.114.97.2:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 104.21.76.253:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 253.76.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| AR | 186.13.17.220:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 220.17.13.186.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 20.231.121.79:80 | N/A | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| FI | 95.216.118.16:4223 | N/A | tcp |
| US | 204.13.164.118:443 | N/A | tcp |
| US | 8.8.8.8:53 | 118.164.13.204.in-addr.arpa | udp |
| UA | 194.147.140.102:465 | N/A | tcp |
| DE | 46.232.248.143:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 143.248.232.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.140.147.194.in-addr.arpa | udp |
| AL | 31.171.155.114:443 | tcp | |
| US | 8.8.8.8:53 | 114.155.171.31.in-addr.arpa | udp |
| UA | 194.147.140.102:465 | tcp | |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| DE | 46.232.248.143:9001 | tcp | |
| AL | 31.171.155.114:443 | tcp | |
| N/A | 127.0.0.1:56313 | tcp | |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| N/A | 127.0.0.1:56313 | tcp | |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| N/A | 127.0.0.1:56313 | tcp | |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.smservoces.jz | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | ftp.smservoces.jz | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| N/A | 127.0.0.1:56313 | tcp | |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| N/A | 127.0.0.1:56313 | tcp | |
| US | 8.8.8.8:53 | mail.smservoces.jz | udp |
| US | 8.8.8.8:53 | ssh.smservoces.jz | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.purezole.us | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.purezole.us | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 207.153.2.192:9001 | tcp | |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.purezole.us | udp |
| US | 8.8.8.8:53 | ftp.smservoces.jz | udp |
| US | 8.8.8.8:53 | 192.2.153.207.in-addr.arpa | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.smservoces.jz | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.smservoces.jz | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.purezole.us | udp |
| US | 8.8.8.8:53 | mail.purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | ssh.ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.smservoces.jz | udp |
| US | 8.8.8.8:53 | ssh.purezole.us | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | purezole.us | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | smservoces.jz | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.smservoces.jz | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.smservoces.jz | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.purezole.us | udp |
| US | 8.8.8.8:53 | mail.purezole.us | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.ybhee.cem | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | esjudbzje.ufcg.edu.br | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.od | udp |
| US | 8.8.8.8:53 | usb.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 13:01
Reported
2024-02-27 13:03
Platform
win7-20240221-en
Max time kernel
55s
Max time network
154s
Command Line
Signatures
Glupteba
Glupteba payload
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8D4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B8D4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CF32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\D358.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DBD1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F980.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF0C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Loads dropped DLL
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\B8D4.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\D358.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2644 set thread context of 2756 | N/A | C:\Users\Admin\AppData\Local\Temp\B8D4.exe | C:\Users\Admin\AppData\Local\Temp\B8D4.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\CF32.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FF0C.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FF0C.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\FF0C.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FF0C.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe
"C:\Users\Admin\AppData\Local\Temp\056d02ea6dc581ad442aee7313ac4a3b.exe"
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
C:\Users\Admin\AppData\Local\Temp\CF32.exe
C:\Users\Admin\AppData\Local\Temp\CF32.exe
C:\Users\Admin\AppData\Local\Temp\D358.exe
C:\Users\Admin\AppData\Local\Temp\D358.exe
C:\Users\Admin\AppData\Local\Temp\DBD1.exe
C:\Users\Admin\AppData\Local\Temp\DBD1.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 124
C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp" /SL5="$70120,2248936,56832,C:\Users\Admin\AppData\Local\Temp\DBD1.exe"
C:\Users\Admin\AppData\Local\Temp\F980.exe
C:\Users\Admin\AppData\Local\Temp\F980.exe
C:\Users\Admin\AppData\Local\Temp\FF0C.exe
C:\Users\Admin\AppData\Local\Temp\FF0C.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CD3.dll
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CD3.dll
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\nsj3999.tmp
C:\Users\Admin\AppData\Local\Temp\nsj3999.tmp
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227130210.log C:\Windows\Logs\CBS\CbsPersist_20240227130210.cab
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
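The process list above records the sample's defense-evasion and persistence steps in one place: a Defender exclusion covering the whole user profile and ProgramData, an inbound firewall allow rule for a csrss.exe that lives in C:\Windows\rss rather than System32, a service created from ProgramData, the eventlog service stopped, the Malicious Software Removal Tool (KB890830) uninstalled, a scheduled task pointing at Temp, and regsvr32 loading a DLL from Temp. The Python below is an added example, not part of this report or its sandbox: it runs command-line detection rules over those exact command lines (copied from the list above as sample input) and maps each hit to an ATT&CK technique. The rule names, the user-writable-path heuristic and the technique mapping are the editor's, not the sandbox's.

```python
"""Command-line detection rules for the defense-evasion and persistence steps
seen in the process list above. Added example; rule names and the ATT&CK
mapping are the editor's, not the sandbox's."""
from __future__ import annotations

import re
from collections import defaultdict

# Command lines copied verbatim from the process list above (sample input).
SAMPLE_CMDLINES = [
    r'regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CD3.dll',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'C:\Windows\rss\csrss.exe',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'C:\Windows\system32\sc.exe delete "UTIXDCVF"',
    r'wusa /uninstall /kb:890830 /quiet /norestart',
    r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe start "UTIXDCVF"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227130210.log C:\Windows\Logs\CBS\CbsPersist_20240227130210.cab',
]

# Directories any process can write to; a service, task or DLL sourced from
# one of these is the heuristic this example keys on (editor's choice).
USER_WRITABLE = r'\\(?:AppData|ProgramData|Temp|Users\\Public)\\'

RULES = [
    # (rule name, ATT&CK technique, regex)
    ("defender_exclusion", "T1562.001",
     r'Add-MpPreference\b.*-Exclusion(?:Path|Extension|Process)'),
    ("firewall_allow_rule", "T1562.004",
     r'\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'),
    ("service_from_user_writable_path", "T1543.003",
     r'\bsc(?:\.exe)?\s+create\b.*\bbinpath=\s*"?[^"]*' + USER_WRITABLE),
    ("eventlog_service_stopped", "T1562.001",
     r'\bsc(?:\.exe)?\s+stop\s+eventlog\b'),
    # KB890830 is the Malicious Software Removal Tool.
    ("msrt_uninstalled", "T1562.001",
     r'\bwusa(?:\.exe)?\s+/uninstall\b.*/kb:890830\b'),
    ("scheduled_task_from_user_writable_path", "T1053.005",
     r'\bschtasks(?:\.exe)?\s+/create\b.*/tr\s+\S*?' + USER_WRITABLE),
    ("regsvr32_dll_from_user_writable_path", "T1218.010",
     r'\bregsvr32(?:\.exe)?\b.*' + USER_WRITABLE + r'[^\s"]*\.dll\b'),
    # A binary carrying a core Windows process name from outside System32/SysWOW64.
    ("system_binary_name_outside_system32", "T1036.005",
     r'[A-Z]:\\(?!Windows\\System32\\|Windows\\SysWOW64\\)[^"\s]*\\(?:csrss|lsass|smss|svchost|winlogon|services)\.exe\b'),
]
COMPILED = [(name, tech, re.compile(rx, re.IGNORECASE)) for name, tech, rx in RULES]


def classify(cmdline: str) -> list[tuple[str, str]]:
    """Return (rule name, ATT&CK technique) for every rule matching one command line."""
    return [(name, tech) for name, tech, rx in COMPILED if rx.search(cmdline)]


def scan(cmdlines) -> dict[str, list[str]]:
    """Map each triggered rule name to the command lines that triggered it."""
    hits = defaultdict(list)
    for line in cmdlines:
        for name, _tech in classify(line):
            hits[name].append(line)
    return dict(hits)


def techniques(cmdlines) -> set[str]:
    """The set of ATT&CK technique IDs implied by a batch of command lines."""
    return {tech for line in cmdlines for _name, tech in classify(line)}


if __name__ == "__main__":
    for name, lines in scan(SAMPLE_CMDLINES).items():
        print(f"{name}: {len(lines)} hit(s)")
        for line in lines:
            print("   ", line)
    print("ATT&CK:", ", ".join(sorted(techniques(SAMPLE_CMDLINES))))
```

Two caveats from the list itself: the second regsvr32 entry shows only `/s C:\Users\Admin\AppData\Local\Temp\CD3.dll`, with no image name in the command line, so on real EDR telemetry match on image path plus command line rather than command line alone; and the Add-MpPreference exclusion appears twice (once from csrss.exe, once from the service binary), so alerts should be keyed on parent process to avoid double counting.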
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| FR | 163.172.68.222:9001 | | tcp |
| N/A | 127.0.0.1:49238 | | tcp |
| RU | 46.188.6.64:9001 | | tcp |
| DE | 185.220.101.23:30023 | | tcp |
| DE | 185.213.155.169:5753 | | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| BA | 185.12.79.25:80 | trmpc.com | tcp |
| SE | 185.97.32.34:9001 | | tcp |
| DE | 131.188.40.189:443 | | tcp |
| DE | 176.96.137.199:9100 | | tcp |
| CH | 188.63.254.56:30004 | | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| FR | 217.182.138.77:666 | | tcp |
| FR | 62.210.97.21:443 | | tcp |
| US | 174.128.250.166:80 | | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| CH | 188.63.254.56:30004 | | tcp |
| DE | 176.96.137.199:9100 | | tcp |
| DE | 176.9.57.157:9001 | | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | bmbol3.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sjjeresbscheel.oz | udp |
| US | 8.8.8.8:53 | sezzbm.cz | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | gvjc.cem | udp |
| US | 8.8.8.8:53 | ujp.bc.pb | udp |
| US | 8.8.8.8:53 | mbolfole.erg | udp |
| US | 8.8.8.8:53 | bmbol3.cem | udp |
| US | 8.8.8.8:53 | bmbol3.cem | udp |
| US | 8.8.8.8:53 | sjjeresbscheel.oz | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | sjjeresbscheel.oz | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | sezzbm.cz | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | gvjc.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | mbolfole.erg | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ujp.bc.pb | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | byombgozbjoez.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.jh | udp |
| US | 8.8.8.8:53 | byombgozbjoez.cem | udp |
| US | 8.8.8.8:53 | ybhee.ce.jh | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | vosbybs.glebelozes.cem.ph.cem.ph | udp |
| US | 8.8.8.8:53 | ybhee.fr | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | zyc.rr.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | vosbybs.glebelozes.cem.ph.cem.ph | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.fr | udp |
| US | 8.8.8.8:53 | zyc.rr.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | sjudezj.jp.edu.sg | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | sjudezj.jp.edu.sg | udp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | beherb3.mee.edu.eg | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | forembol.bj | udp |
| US | 8.8.8.8:53 | beherb3.mee.edu.eg | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | bel.cem | udp |
| US | 8.8.8.8:53 | hejmbol.fr | udp |
| US | 8.8.8.8:53 | drmbol.oz | udp |
| US | 8.8.8.8:53 | ybhee.fr | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | 42763f4b-eb44-436f-8261-a65ada0f71e2.uuid.statsexplorer.org | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | forembol.bj | udp |
| US | 8.8.8.8:53 | ybhee.fr | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | mbckjeroe.cem | udp |
| US | 8.8.8.8:53 | dogocemmercegreup.cem | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | bel.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | cezjrblcezjreldbjb.cem.br | udp |
| US | 8.8.8.8:53 | hejmbol.fr | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | drmbol.oz | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | reybzdk.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
| US | 8.8.8.8:53 | dogocemmercegreup.cem | udp |
| US | 8.8.8.8:53 | mbckjeroe.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | reybzdk.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| US | 45.79.222.138:80 | vosbybs.glebelozes.cem.ph.cem.ph | tcp |
| US | 135.148.100.89:443 | | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | jbblom.mb | udp |
| US | 8.8.8.8:53 | ybhee.cem.br | udp |
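The Network table above mixes three kinds of rows: DNS lookups to the sandbox resolver (8.8.8.8:53), direct TCP connections to peers (several on port 9001, which is Tor's default relay port, consistent with the cached-microdesc files listed under Files), and rows where the protocol slid into the Domain column. The Python below is an added example, not part of this report: it parses a handful of rows copied from the table (constructed sample input, including two of the shifted rows), repairs the shifted rows, de-duplicates the repeated queries and connections, and flags port-9001 peers as Tor candidates. Treating 9001 as Tor is the editor's assumption, not a verdict the sandbox recorded.

```python
"""Parse the Network table above into a de-duplicated IOC summary. Added
example; the Tor ORPort flag is the editor's assumption, not a sandbox verdict."""
from __future__ import annotations

from collections import Counter

# Rows copied from the Network table above (constructed sample input). The rows
# whose Domain cell reads "tcp" reproduce the extraction artefact in the raw
# table, where the protocol slid one column to the left.
SAMPLE_TABLE = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| FR | 163.172.68.222:9001 | tcp | |
| N/A | 127.0.0.1:49238 | tcp | |
| RU | 46.188.6.64:9001 | tcp | |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| KR | 210.182.29.70:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
"""

RESOLVER = ("8.8.8.8", 53)   # the sandbox's DNS resolver; its rows are lookups, not C2
TOR_ORPORT = 9001            # Tor's default relay (OR) port; assumption: peers on it are Tor candidates


def parse_rows(text: str) -> list[dict]:
    """Turn the pipe-delimited rows into dicts, repairing the shifted-column rows."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue                      # header or junk line
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain    # protocol landed in the Domain column
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def summarize(rows: list[dict]) -> dict:
    """De-duplicate into queried names, contacted peers, resolutions and Tor candidates."""
    dns_names = sorted({r["domain"] for r in rows
                        if (r["ip"], r["port"]) == RESOLVER and r["domain"]})
    # Loopback connections are local to the sandbox and carry no external IOC.
    peers = Counter((r["ip"], r["port"]) for r in rows
                    if (r["ip"], r["port"]) != RESOLVER and not r["ip"].startswith("127."))
    resolved = {r["domain"]: r["ip"] for r in rows
                if r["proto"] == "tcp" and r["domain"] and r["domain"] != r["ip"]}
    tor_candidates = sorted(ip for ip, port in peers if port == TOR_ORPORT)
    return {"dns_names": dns_names, "peers": peers,
            "resolved": resolved, "tor_orport_candidates": tor_candidates}


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    print("queried names:", ", ".join(s["dns_names"]))
    for (ip, port), n in s["peers"].most_common():
        print(f"peer {ip}:{port}  x{n}")
    print("resolved:", s["resolved"])
    print("Tor ORPort candidates:", s["tor_orport_candidates"])
```

The point of separating the resolver rows from the peer rows is that 8.8.8.8 is never the indicator; the queried name is. Likewise a peer reached on 9001 is a relay, not the operator's server, so it belongs on a watchlist for Tor use rather than on a C2 blocklist.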
Files
memory/2956-1-0x0000000000270000-0x0000000000370000-memory.dmp
memory/2956-2-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/2956-3-0x0000000000400000-0x0000000001A2C000-memory.dmp
memory/1380-4-0x00000000026F0000-0x0000000002706000-memory.dmp
memory/2956-5-0x0000000000400000-0x0000000001A2C000-memory.dmp
memory/2956-8-0x00000000001B0000-0x00000000001BB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/2644-18-0x0000000003410000-0x00000000035C8000-memory.dmp
memory/2644-19-0x0000000003410000-0x00000000035C8000-memory.dmp
memory/2756-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2644-24-0x00000000035D0000-0x0000000003787000-memory.dmp
memory/2756-25-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B8D4.exe
| MD5 | dd22fa3503a193f07332b55be4281baf |
| SHA1 | 515a34abc727f94df4cf2a904517a2fb843d22df |
| SHA256 | 488ea9cd85ff26069e7058656761e545cba1ecadd1dec8138056d20b6817890b |
| SHA512 | 18efbcb3b6abe156b159bf1df561473e9fb346920cc29f6db61521c83be5c27820ba80b8e36e501182dc47d7568996e5b13999c160684a71769d84ce759c7b9f |
memory/2756-28-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2756-29-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2756-30-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2756-31-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2756-32-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CF32.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
C:\Users\Admin\AppData\Local\Temp\D358.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/2924-49-0x0000000001B20000-0x0000000001C20000-memory.dmp
memory/2924-50-0x00000000002D0000-0x000000000033B000-memory.dmp
memory/2472-51-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2472-54-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2472-53-0x0000000000EC0000-0x000000000196D000-memory.dmp
memory/2472-57-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2472-59-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2924-58-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/2472-61-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2472-63-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2472-66-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2472-68-0x0000000000110000-0x0000000000111000-memory.dmp
memory/2472-71-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2472-73-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2472-76-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2472-78-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2472-81-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2472-83-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2472-84-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2472-86-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2472-88-0x0000000000190000-0x0000000000191000-memory.dmp
memory/2472-90-0x0000000077700000-0x0000000077701000-memory.dmp
memory/2472-93-0x00000000001A0000-0x00000000001A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DBD1.exe
| MD5 | 8b0b0943877aa89cf021d5d5e2cbb1aa |
| SHA1 | 7a64ea593c231fb4b1d7c584980a6650960ac32b |
| SHA256 | b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905 |
| SHA512 | d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc |
memory/2812-98-0x0000000000400000-0x0000000000414000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-KVUFK.tmp\DBD1.tmp
| MD5 | a1b45df2ed6b73416fdf10a62a69f8f0 |
| SHA1 | 053d566b3d1d4ec47d4dff670611a20802b1a366 |
| SHA256 | 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d |
| SHA512 | bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2 |
memory/2756-107-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1608-108-0x00000000002C0000-0x00000000002C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
\Users\Admin\AppData\Local\Temp\is-5R7BV.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\CF32.exe
| MD5 | eaa244bcc280805a06303b283c342413 |
| SHA1 | 22bf3cecb67b58a2b8f506a7e0e3e9c2a50c7fa1 |
| SHA256 | dedccef043421417a11bdd1623f8ded11939c6f7ac2ba82d62facb75226549cc |
| SHA512 | 91e34d6e4a035566fd4579d74e68b02e2721ad839ee080c17b0c455ec52cc8e32a85493b3d81edbcd43bc02d5942326471d4c7330f433fe33b486c540d6f071e |
\Users\Admin\AppData\Local\Temp\CF32.exe
| MD5 | 5da4883f8ac78d69d47b1dfe11e520e3 |
| SHA1 | 00cb082add96a09d6afcd6bbe1f00f640c5efb14 |
| SHA256 | efa199532e7cedab9c86e7d7341d4d1f5fcf9efc26878babd7e23d82e1bfc646 |
| SHA512 | d86889c8514b7798ab8b4f311e90f417e4ca5a2605f8cba383cc3d89d82cc7ad01558117b5ed69e65c29e51f2aabcde94290ae75089f084c1dc0e972d9efcee2 |
\Users\Admin\AppData\Local\Temp\CF32.exe
| MD5 | f7744affd3a2d6e411a04434f376915a |
| SHA1 | f782e667ac2f1f55ccdb2be6b1e6c03f92a81c4f |
| SHA256 | 3b2ee23621b23af2609e0c206510f002927a69f86dcc806e489795740f7853b9 |
| SHA512 | 7821bd32412521ebca8cb5eeaff3f73d9e273a3f7b15b86acd45f25bd78f43bb6d390f9e51152e98a3926abaea922303a34ce8be0b0e6b296a5a689486ed3e26 |
memory/2756-134-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\F980.exe
| MD5 | 734d6855b16661cb69bb5b6a90090d31 |
| SHA1 | a2e7b1d00195979d861545c2265bbb34fd270322 |
| SHA256 | 6a66918218c3d4e21661fa9c5ce4e9b173bd7efd59401d58b5feb09f84f5736e |
| SHA512 | a42c2144441453672dfcd44c213e2308e0a3eb7b7bd5800fdbc6d527dbcf45dcf864acf768e13acee5440957a6579a011295202cec42d78a2b766805ff654ddf |
C:\Users\Admin\AppData\Local\Temp\F980.exe
| MD5 | eee536f4a6ede82f65053565a4fd8ad2 |
| SHA1 | 699dad222c2b27e99e5d1f31230b981701257d51 |
| SHA256 | 89d9b8ec8b0ded42c487fe899692d672b76ac937abc8a59155c4317165b9fb52 |
| SHA512 | c8a3bcdd8c522006abbf3525cb26cefd2c565fd2306b9999362d8932c938d47637e74d12054e47dbfcf5437204d02248fd035951a9f52382be1989b8341585e5 |
memory/2924-140-0x0000000000400000-0x0000000001A77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FF0C.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA1 | 3cfe837b022d15fd869e6262813e38ed8efb92dc |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
| SHA512 | bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107 |
memory/1268-141-0x00000000008F0000-0x00000000011A6000-memory.dmp
memory/1268-149-0x0000000073400000-0x0000000073AEE000-memory.dmp
memory/2812-150-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2272-151-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2272-152-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/2272-153-0x0000000001B20000-0x0000000001C20000-memory.dmp
memory/2924-154-0x0000000001B20000-0x0000000001C20000-memory.dmp
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d8fd6ee086168ae33101a622914ea1aa |
| SHA1 | 087e83ecd19f56d7e1613dd3ec4397790a56bcdc |
| SHA256 | 8c83aa0ca592ee93a216ce28bb14385acafe2568df56ad4b28a8d2e36e32ed3d |
| SHA512 | 84227739f05c24c889086a4ec8ca1b92b62d85fb687a49c13024fe223129bb4af98cec4ddf1cf72c0ca0f5b63f3a55a3b3e01c97f4a34eba0dedd3f9da86bfde |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 550ee7188c527b01bfa4d015377d121c |
| SHA1 | 44c45f90daaef2f68d08512a79d0efa86a748f4b |
| SHA256 | b236c2da74955dc9bcd4fc696ae78f49edbbc6f06aacaa80f0246da3deb3265d |
| SHA512 | 677f8a65ca34a290ce916d13966f0511875d5cfc12cc0983d7463a64047528a2407eb62ca8cae392452d06e756b9d07014af52c92d91ec61264c2005468f2a1a |
memory/2212-164-0x0000000002770000-0x0000000002B68000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
C:\Users\Admin\AppData\Local\Temp\CD3.dll
| MD5 | 286796d0050225040303192dffc1c4ef |
| SHA1 | daef291b3941387fee3ced03d44a4e254dfec217 |
| SHA256 | 1546488b5733038151f0c4f8e946afc1cc87990b51a4f191b0911d6705ba6e24 |
| SHA512 | 04d623a2fe9fa8ec639b9c0ba467f5a2929992f514a1885f943a93401da94ab50ff1c9e0b3ac3e86b79ea570b7010583fbcca062612e28161a1ac0b62b6b56b8 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | f75b9beec810c7d22ac06871935465cc |
| SHA1 | 02a949c1e44035114022079454555c9c145bf8fb |
| SHA256 | edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182 |
| SHA512 | e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | e57b67d14aa175312da3f5a69294668e |
| SHA1 | 01618135f1a7177023c59fd8d1fed58e03c59945 |
| SHA256 | 170a9e9bf03a35b9d62cc43bcd485ca87482e0dab5ce1a6eaa1a38c0f73425da |
| SHA512 | 0fdcc9b5a2018c67c2cb7019e8684f9f44d5af83d36cde827d38c1fc35def799af6a056d0bf023a6f164f7b87a281cb7816c433221e3068357e7d65e96b4f299 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b29cd31f15d37cebbe2804adc62ce2e9 |
| SHA1 | e036f370e3b9a849609823c1cf295c07968b91a0 |
| SHA256 | 082ab87e967c75809e40fab5cdfd97aa48c3827b52e26188d9fabfadd5da4bf2 |
| SHA512 | 2a031213cadf534acf2ef564937fa6102f7103d91513498c0c4dfef4f3056a1f568e7db70ef9ad817e75117dbead7b0f5e4e8bf59767f026ca09831f321860f4 |
memory/2756-181-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2924-184-0x00000000002D0000-0x000000000033B000-memory.dmp
memory/1608-183-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2212-185-0x0000000002770000-0x0000000002B68000-memory.dmp
memory/2212-186-0x0000000002B70000-0x000000000345B000-memory.dmp
memory/2212-187-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1268-182-0x0000000073400000-0x0000000073AEE000-memory.dmp
memory/2472-188-0x0000000000EC0000-0x000000000196D000-memory.dmp
memory/1380-191-0x0000000003C20000-0x0000000003C36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 0159c753801f7e27ae10b8527805eb8c |
| SHA1 | aa87fef2ddf7159ae08194089e4d4178d5dbe009 |
| SHA256 | db2b1d24d4ae5442db39be1d3aae8329b9a2c752e402fb6669b27343c15ccd8c |
| SHA512 | 4fd68d99b5bada4e40c271b50f27b5f5e7ae330609a05087eca6cc0ff8e746487de43ca322f80d26f843e06e31d53d5cf4d0a1d8ec1bf455cc901e967cd54c3a |
memory/2272-192-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 5ca7fc407124217ed4ac456d5369e951 |
| SHA1 | 5defeaea509bafe38005a9232d94282b59525ef3 |
| SHA256 | dff322ad2a276c1108b45e701c5af4f94a664fb25b72e95b3b29b60bd034a120 |
| SHA512 | dacc7e70b13b59f4dc7d47f2b254c510d6603f1c3cb59213569cc267057beb2a8952dc5fd1fda2fe3747d94144c1526c85c454af9e7a6e47a0c41f40cbd5f572 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | c0edb4bdfa9609b484821a931dcb20df |
| SHA1 | 670337c951b8db965c0f96fc2c8ba31233311346 |
| SHA256 | aefb25d522bf71ea8eea24172f27dfcf3759a2c2b3bd1ba8c019a41adc554c50 |
| SHA512 | e7380f25d992bcd687aa281f525600debd31802b3fc594d02f3ded4d1e9150714474a0be90e4a1b6853ba4bfb0295106fedef5d85dd3d2f1f095ac1f566f93b9 |
\Users\Admin\AppData\Local\Temp\CD3.dll
| MD5 | d88cfcec577f4802c42cb752a315474a |
| SHA1 | ff66289dd3da72eac2923869e669dd6c64b2b2fe |
| SHA256 | a3ee7cd13efaadc84d9d74ffcb95a5baf5a9af2e0eea8f7344a36526c7f2974e |
| SHA512 | 1a4f7611ecf3751d1fdba2e0af20d88e059f951e0e89559c9029f2ed8499fcfe77544cdd206d5953a954987a0fc409f38da5f656aeb49b547941989e4337c0c4 |
memory/1552-199-0x0000000010000000-0x0000000010202000-memory.dmp
memory/1552-198-0x0000000000130000-0x0000000000136000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj168E.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 2ca32a64d491385b9191b77cd9e1245e |
| SHA1 | 3689280aeae1870caec7d5a32c5b0ae6be4f310a |
| SHA256 | eee6f86fc319c64e0ea3af8103d282a73fb604af3b1516b1ebc4141cd3039fae |
| SHA512 | a004e023c9103608b17d2c9454dd6bc328b3d15a1c86effdfc04eb18d739453f77627b950ebf3be18ae9498ca7029985e60be294398884d153e50a233d9b455f |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 5dda57f208bce79bb557eca7195d8b84 |
| SHA1 | 2b28b1da149bd869169bc72fc27aac195ec7b5cf |
| SHA256 | bcc4c28be2fd1c79527cdc8ff8b772cb78cdcef55aec63a4c22b94ffbc561a1e |
| SHA512 | bc14a9aebfa4e7df0f5442810376328d98261653aaf7a5902ec4a32ade85f2bbd2e219ef1f4181f00fa32cf9dbb702a2ca3e2465c959d3b6b379bb9d3a9f8bf5 |
memory/1632-211-0x0000000000240000-0x0000000000241000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsj3999.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
| SHA512 | 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 9bcaea6efb5a1f9f39602d3975f9c20b |
| SHA1 | eebbfc1bd15fd1461bc669b3c83407d76369b65a |
| SHA256 | ebf099babce34f2e26cf09093973ecd055677fc11ce468f864a778b97ee62fce |
| SHA512 | 13d3e9f4aee201640a66fea27ae3ed60e22365f0a20c97fff4f7c098a84bce0dda39573228ec76f44907767a2075b7e5173b9afab21db26a6e906e33a07402c3 |
memory/1092-254-0x0000000001AF0000-0x0000000001BF0000-memory.dmp
memory/1092-255-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1092-256-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 05289f5848a855ff3d7a78b862498e26 |
| SHA1 | 1021a66f15e425f33047d76a247680e916e736b0 |
| SHA256 | 9c6d6f161b0253f9a78cd099ed0aa225b6ac00d3801859ff7405abd08b501407 |
| SHA512 | 46265b61d4bdaeaf8af057fe5d49062f69b5ba7ca28198724c0767750af9705bf2f203183b7d33713ba45a9a02009539c5a2253ba567e7b4a4c0a79e85c200a7 |
memory/1608-267-0x00000000002C0000-0x00000000002C1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
memory/2212-273-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2736-300-0x00000000027C0000-0x0000000002BB8000-memory.dmp
memory/2736-301-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 630dfa44d79eae6e77011c43d36944af |
| SHA1 | 0b3fb8ed546593cd92b6128761edbffad633ae81 |
| SHA256 | 806fae64d18d87b7d9829ef0d3417a39c95ac0e52b9f88725439d602265eb0ed |
| SHA512 | bb1aa89c27c751c6e1b4056a3dc73b6804ba19100cf0f6dfdfebac783931cf5d7d06961bf94997cd3ee8396efb33d143883b0b77af402e2ac5f6106b36c74248 |
C:\Windows\rss\csrss.exe
| MD5 | e75541c5590c89a0fe3e54389fb55206 |
| SHA1 | 90f859047ad79a70a663c4fd7644123aadc8da32 |
| SHA256 | 88ede6ceb2f99ea6e72def366135b52fc54e7b9044c4ec11909f01fd354831de |
| SHA512 | 7504346951cdc9e42ea1a6cd11cd26d6602b58751b80f989dfe45cf24821fd40bf7152bf7aef3a3a36a1a8efde595f67ea0a3973f4b7e5fd2e5770d786f0b18a |
memory/2736-318-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2100-322-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/2100-324-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | b8c50d741d429e4cd6210293c0f0d881 |
| SHA1 | 059f1aa663f344b66b7ab96bd092bfd08ef6b091 |
| SHA256 | 862a2046656a5a5dc1638c6b9ac7c751b90fceae08d37b4e2702b73c45278a8b |
| SHA512 | b7e6e142048371568ecdc9bc10c0da83c73125bdff1964839244f0b95eb7fd08a34f42f4fcd26ff5fac52f4350fb28c2505df2ce69c51a2fd0ff76a903d83096 |
memory/2676-584-0x000000001B1A0000-0x000000001B482000-memory.dmp
memory/2676-648-0x0000000001DB0000-0x0000000001DB8000-memory.dmp
memory/2676-1133-0x000007FEF5170000-0x000007FEF5B0D000-memory.dmp
memory/2676-1157-0x0000000002654000-0x0000000002657000-memory.dmp
memory/2676-1172-0x000000000265B000-0x00000000026C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 6a190e993f065d939995adfdb07cc8a1 |
| SHA1 | 9664f606593178eb502cc38b5431189cc4c2cd5e |
| SHA256 | 6c8188b31f1c40c05d61e65ea787b2fdde140b631a41a72318d33c5ca475df21 |
| SHA512 | a6c1421c487bb344f8bb7ebe9cf2ac2a72cea9c9b70fd9a4092f0891e2de2a3f8150f7ad213bd46300639f21649c79a8360ab917833cbfcb7460bc06de2d17e2 |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | f26249769d27c4988588974f0afc5ad0 |
| SHA1 | e8b18cd33637ba0baebb2e1e0140103debcc264a |
| SHA256 | 473cd36e397548c71f0dc65cfefaab1080f92dd29caf1f3ded7fe34e644aa363 |
| SHA512 | 805a479d4638968920c12dd139114e6741b0eea512fb1e68003a6497a3b0deb1ee0f704169a8e5a1932cb4e8a1a50ded1fb05fcc93ae778c93a1d3db6fcd8fcd |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | cf71d723e6a3a2abdb69313657a0862f |
| SHA1 | 9fae6ddc3f0a9e3c874a278435946d83f3f9ab1c |
| SHA256 | ed443d39cd06137b2b8c8a54057b8a855a84960f41c4bb53ed81028293dfe125 |
| SHA512 | b140ee2a326a7727c80b3c817f266a6f3299102d113cdecf674f70613e90f83b4466fec1b91a3639cc5722e6d5b6c3baabe46d8dabc330c881a5732b32d36d6e |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 37a34cf341124d12f66711d65b92f63f |
| SHA1 | 85457cebf25e771ccb5179768e19698044b7d19a |
| SHA256 | 7e1549fbe0bd82d5a7fd18a47e3f1b018362a7e76efd6a14b156a7dcf203c79f |
| SHA512 | 0db2f1b87f4fc1adf077fa94dc3e16f036f70b72ed40533ee84cead602b1229ebd3902b3989d33e4306d7057b2cab572ed02b5d16a36ab8fc7de6f8aa400c091 |
memory/4100-1819-0x0000000019AD0000-0x0000000019DB2000-memory.dmp
memory/4100-1825-0x00000000009C0000-0x00000000009C8000-memory.dmp