Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-pckw5agh4z
Target 84b607224b08194b311683727ad11950.exe
SHA256 01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Tags
glupteba smokeloader pub1 backdoor bootkit discovery dropper evasion loader persistence trojan upx dcrat lumma infostealer rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0

Threat Level: Known bad

The file 84b607224b08194b311683727ad11950.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Glupteba

Lumma Stealer

DcRat

Glupteba payload

Modifies boot configuration data using bcdedit

Possible attempt to disable PatchGuard

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Modifies Windows Firewall

Executes dropped EXE

UPX packed file

Loads dropped DLL

Checks computer location settings

Deletes itself

Writes to the Master Boot Record (MBR)

Checks installed software on the system

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 12:11

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 12:11

Reported

2024-02-27 12:13

Platform

win7-20240221-en

Max time kernel

37s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

Deletes itself

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\7A10.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\9D2B.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2760 set thread context of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\99E0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1068 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 1068 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 1068 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 1068 wrote to memory of 2760 N/A N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 2760 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\7A10.exe C:\Users\Admin\AppData\Local\Temp\7A10.exe
PID 1068 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe
PID 1068 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe
PID 1068 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe
PID 1068 wrote to memory of 2376 N/A N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe
PID 2376 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 2376 wrote to memory of 2452 N/A C:\Users\Admin\AppData\Local\Temp\99E0.exe C:\Windows\SysWOW64\WerFault.exe
PID 1068 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2B.exe
PID 1068 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2B.exe
PID 1068 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2B.exe
PID 1068 wrote to memory of 2312 N/A N/A C:\Users\Admin\AppData\Local\Temp\9D2B.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 1068 wrote to memory of 2128 N/A N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2128 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\A27A.exe C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
PID 2688 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 2688 wrote to memory of 1416 N/A C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 1068 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\B031.exe
PID 1068 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\B031.exe
PID 1068 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\B031.exe
PID 1068 wrote to memory of 2228 N/A N/A C:\Users\Admin\AppData\Local\Temp\B031.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

C:\Users\Admin\AppData\Local\Temp\7A10.exe

C:\Users\Admin\AppData\Local\Temp\7A10.exe

C:\Users\Admin\AppData\Local\Temp\7A10.exe

C:\Users\Admin\AppData\Local\Temp\7A10.exe

C:\Users\Admin\AppData\Local\Temp\99E0.exe

C:\Users\Admin\AppData\Local\Temp\99E0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 124

C:\Users\Admin\AppData\Local\Temp\9D2B.exe

C:\Users\Admin\AppData\Local\Temp\9D2B.exe

C:\Users\Admin\AppData\Local\Temp\A27A.exe

C:\Users\Admin\AppData\Local\Temp\A27A.exe

C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp" /SL5="$4017A,2248936,56832,C:\Users\Admin\AppData\Local\Temp\A27A.exe"

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s

C:\Users\Admin\AppData\Local\Temp\B031.exe

C:\Users\Admin\AppData\Local\Temp\B031.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227121143.log C:\Windows\Logs\CBS\CbsPersist_20240227121143.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp

C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp

C:\Users\Admin\AppData\Local\Temp\C058.exe

C:\Users\Admin\AppData\Local\Temp\C058.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CBED.dll

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CBED.dll

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

Network

Files
SHA512 d767f4d0e51e5f9d1cc78a0fc7bcdca048f59c49090cd8972d7fa76ffc5f06dafbfa2f27d9234477f3554f7f860a3ae7b1be095e948ef718eb92f4de2c511c9c

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 a9613e2b41a417931c575390200d573a
SHA1 a321a65725e3f918536ef2983002c7dd4c72d704
SHA256 a02f0d493d3134bbf78ba9f1956c2bf215951f6c3f0b8d7ea6a67d7044ebb0bf
SHA512 1208f4ca2fd283cdeba709ed95c4253862fa2908962b5bc4db7bf7ff9246568b1fb17cd44b4bd8db7a9e6f4aa2737cbad8735097b9d5f7691df6fdf8e28076ac

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 5ca01423a29016851cc4e6281916cb2c
SHA1 583cbe4fc8a69b4f324e60257da872531c7b1a5a
SHA256 8ff85221e7fdd4c93b8828ebcef9c255273f5beb067a44b24e1ca87d9e898ec1
SHA512 68a605768e4dac8ce37ac43d54536429c3f6aa6e5be656e6f0bc61155380a604d434b50899fa986d017316e8397ddf2f91445a9c4ce72a9072580a003ad022a4

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d3eaeffb2f339af26a93e37a3fe24a97
SHA1 2048882e7bfe3cfdcac5a92543978c6a13c92629
SHA256 f10c19e5d0026268f3ec75d1be5139f364d367b8e26c1926dc7d6a857c6c376f
SHA512 b56d234ed512b4b4e463fca920eece54b6487976fe5fe248ee4b50d869307aed6d09cdc974cbfc6992e69e2a6e4fd226245e0703c42c20305bf2a641b84009c9

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 c897abee1620946f71da6a0c1c5025e1
SHA1 dce398e6e30d39f69a540a9e6b272bfa3eb68db5
SHA256 30de6ba7b72ccbe4d1e7b520b5e7594f1417661e89ba6f6a688d999f5d2b1da9
SHA512 a4c226017eb289d380fcbbf18c2c32db89f0923a5281b4a0cd8c6788a9c3b6995dadd945768f11abb92c78add3f635de111dfe7c056e7cb5e184a3cc89e19c33

\Users\Admin\AppData\Local\Temp\nsoB57B.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2312-205-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2312-206-0x00000000031D0000-0x000000000323B000-memory.dmp

memory/1400-207-0x00000000026B0000-0x0000000002AA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 16f9215b8d04ddbd6bdb31a956405749
SHA1 303e9e60d334a7a1e909cdc1d66e5b06045b098c
SHA256 9323ab17cf1e6e18c64fe54d7e9a4ac44e603367653dbba2155186af15fd9e53
SHA512 05668816b604c4c471e45aca804968ec4a101dd3358c15bb1d62ce60aa8684499d22afd25498d7afcabf9940f9f100ff73960a9bba4cb396df3fc9b5dfe9764e

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0145888ba27250ffd29bcb65b34442cd
SHA1 66e65cf2eeec68fa8aa69829176a617a6a69eeb0
SHA256 13037c98fe1fea0543d858fa1fe26e30d1e552dd1c0279a815133a99214d4d91
SHA512 9d934d125288584dd6d5e1d3c64fc945dcb60b94e258f9ac4cbc09782a3e6b8f71fb6339bcde7d09a670373970299732c69f6eef529875e29241108d7eba3e3f

memory/2312-208-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/1400-209-0x0000000002AB0000-0x000000000339B000-memory.dmp

memory/2764-211-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1400-210-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2228-195-0x0000000072B90000-0x000000007327E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d06b00c65c1bb2c83b2916b704cf1f52
SHA1 5f865da9b2e8b58513d7f7f0cd61da46c1bf8413
SHA256 a75d86438769402dd2f1b0ddcad0601f4f0e477d220d886b9205189ff44a048d
SHA512 44a50298ccbba83c8d25495823a57d7566414cf3881e32ae5357c65981944e624236e084fcf1dd6c04a5c0712b2597f202f4d1f7a739cdbf9769a19b35c887af

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 7c277165dcead3616b33d9432afcb485
SHA1 b725f0009bb07f8c3f434adc10ccc8d78967ea62
SHA256 a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30
SHA512 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105

memory/2184-219-0x0000000002570000-0x0000000002968000-memory.dmp

memory/1400-220-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\syncUpd[1].exe

MD5 2c74f60b536102ac12b9936dd1b603c3
SHA1 47d789115f7e3aed53a66e84a642650a59d463c7
SHA256 28f560f19b91b14ad5dc5a2450e8aa7962c03ae754f37cca70daa52c327b6af0
SHA512 4ba198eb5967fa0e2457709b58b480f45f0dc65c158065835fd6f97f0d9d77a162ba5423a7bbdce39301f9695eb4e0aa4cb6e423d4a5b8fd1772514901252910

C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp

MD5 da812d63d6637fbc245339e746ccf1f9
SHA1 1d5c645e81e96606b26aa56526fb0022bb68c4b0
SHA256 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba
SHA512 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177

memory/1524-232-0x0000000000220000-0x0000000000247000-memory.dmp

memory/1524-231-0x0000000001AD0000-0x0000000001BD0000-memory.dmp

memory/2128-233-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1524-234-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/2688-235-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2184-244-0x0000000002570000-0x0000000002968000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C058.exe

MD5 b2c14d5c21130dc795b521206c0b97d4
SHA1 3cfe837b022d15fd869e6262813e38ed8efb92dc
SHA256 ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37
SHA512 bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107

memory/2688-236-0x0000000003B60000-0x0000000003E60000-memory.dmp

memory/2184-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2924-246-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2924-247-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/2924-248-0x0000000001BD0000-0x0000000001CD0000-memory.dmp

\Windows\rss\csrss.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

memory/2184-256-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2424-258-0x00000000025C0000-0x00000000029B8000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 7a80cd42234506c4eca04b6a54d5bf7f
SHA1 b571f657031f54fc5c733759b558d43bdf88eedb
SHA256 3084537f35cd8e74646264612514628aa49ddda9c1fd79894c8641a9b7768df9
SHA512 88e692b05423c082b7fea2a8de7440a035d94af4cabab28ac07c6bb19be2ac3c57d2e05a9a321ca512098786b942ed2f60d4fd13a100fa7832b10d327a78c5a7

memory/2424-260-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2516-261-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2424-262-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1416-263-0x0000000000400000-0x0000000000700000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 37bd3380e2dc5ed47b453915f177ab15
SHA1 3d10f3ebc6df0df7c17a559c6b199be8f33aed7b
SHA256 f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62
SHA512 6e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f

C:\Users\Admin\AppData\Local\Temp\CBED.dll

MD5 da30e7111769af02730a498c7d635877
SHA1 052813b8db392217776729867bf3e082d89edd15
SHA256 1edd160ab194f1894469cce0d336ae3caa29f1434350c4a7a32dceb30b5ef2e4
SHA512 02aa1608592043503b96c48d508699110009c729bbcda779b1def9fad0fd64394e5c78c29f70678d46548c7a1e48ac1620608b850a36c3d680de7dab4ccaa702

\Users\Admin\AppData\Local\Temp\CBED.dll

MD5 9b1697d40dfd386fdd7e9327844f301a
SHA1 e75defb119e2c7b7d3f75ab70a100ec504af5ebf
SHA256 69e7b08c127dde5fd1f85e1e8107d06aa686e94aef3fd48ff0bb092b38a0cb1d
SHA512 3e945bf24ed81fdc49e974d086a70f9758a17b8656bb0e460dca0be2a84fa0ba065b62b6dd5d55ca1dbe0b4f19ec4f164df84c115244f1cbfddd79611d013d69

memory/1580-274-0x0000000000100000-0x0000000000106000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2924-312-0x0000000000400000-0x0000000001A2A000-memory.dmp

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 13aaafe14eb60d6a718230e82c671d57
SHA1 e039dd924d12f264521b8e689426fb7ca95a0a7b
SHA256 f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3
SHA512 ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 241104190a6a823b4a3a1748c857c1c7
SHA1 9aa81a6dd330ba5e80b2f84562e30629b7eb8bcc
SHA256 0ad38308bccfa0195062fc11e045a87c8dd277b28e065540a2033407324e0e1b
SHA512 1ba5ea8e76a7fcfda36ed92a6e25d4c731afdaba8c294f13b79320ed5357fe11d15fc73824abd601e02bc3e44ceb53e48d4bb02a9f495c58a0b6a68b9c875093

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Cab27CE.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar30A7.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 31251171581456da2c38d0ffa9cfe52c
SHA1 91088cac912e9075822b4072ed534b9d09cda3e0
SHA256 bd2e3b303d745bee8b4157734782fd2b16f4330420a67145e78261323b95e474
SHA512 7b810051a2c6af6ae705e5169807ebb4766afaa9d5346aba15d80138ca2cf526e28847c993bb053ba85d8df9b75f77d4448a6de2f20b9af288658b243226fe51

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 552763442a80982d3d985ba17b3a9c85
SHA1 31b989aa8449b4185f7fad43a1fa39dc5416a4b1
SHA256 f3255cd04896bf6a6e13c73866052c652a5fd9f5b6ec2f26d755843a963bc5b6
SHA512 68176f688df3a871660c89070d23937a80d68bfcd01c304c741039c526a1dc565e0a94704e91c46112284c886b7ead0d849282de63049e10eba8157f715f07a6

memory/2644-418-0x000000001B520000-0x000000001B802000-memory.dmp

memory/2644-419-0x0000000001F80000-0x0000000001F88000-memory.dmp

memory/2644-420-0x000007FEF4800000-0x000007FEF519D000-memory.dmp

memory/2644-421-0x00000000029D4000-0x00000000029D7000-memory.dmp

memory/2644-422-0x00000000029DB000-0x0000000002A42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 03cba695cb947c2a4bce01e454744abb
SHA1 ad5f55ede43e7ee9eb7521b72d1e61f9b782adb6
SHA256 35c52b1030b5f89daa39175ef6e31350ea2844eb263de25b53bf3803d0453892
SHA512 619d83221ce3fad744c686ccb8764475d3cb9e7d7892e3f1c0a1e87eccdff5f796e3ab1bdb94ba8c00d2707bf60c66b2fd178c3030cf18b4b3a7f4da6b47bec4

memory/1912-426-0x0000000019A70000-0x0000000019D52000-memory.dmp

memory/1912-427-0x00000000008A0000-0x00000000008A8000-memory.dmp

memory/1912-428-0x000007FEF4830000-0x000007FEF51CD000-memory.dmp

memory/1912-429-0x00000000010D4000-0x00000000010D7000-memory.dmp

memory/1912-430-0x00000000010DB000-0x0000000001142000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 f0ab94aa2433897d8da7bc573da36571
SHA1 c5d60aa120a3e1d078b35043e9db5a06f64c6296
SHA256 8239f28a418c5bc2aeb10a1c526be464bdae9c46ff5f40943e48b5d153e91fc6
SHA512 0843b48a30b3d5236fcead64fd6b73145762bcca00823a29fffe8acfc125a90b576a39bf6359f3d5847720dccbef8db3df98c72b02cb894b8ffd9681ca063fbe

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 4579513d6c6fd4ff2a85929af8522a69
SHA1 e0818cee69cb86f227d97fd3015ac91c5e061e6c
SHA256 fd51617d03af3da1c1df0ed7218a95859fbe017fb68c3a65a8e17fdf07a222e8
SHA512 31c2e69d8738789ead6a41d3e503c1500df33fdea866f291823842dd7ea26351cddc21cf4090ace7763b57c55282e98a38b96b7eb373a8c6614fb99ae9688ed6

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 12:11

Reported

2024-02-27 12:13

Platform

win10v2004-20240226-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

Signatures

DcRat

rat infostealer dcrat

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\CC6C.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9E24.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\B5D5.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3048 set thread context of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DC8A.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DC8A.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\DC8A.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3500 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3500 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3500 wrote to memory of 3048 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3048 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\9E24.exe C:\Users\Admin\AppData\Local\Temp\9E24.exe
PID 3500 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\B324.exe
PID 3500 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\B324.exe
PID 3500 wrote to memory of 4312 N/A N/A C:\Users\Admin\AppData\Local\Temp\B324.exe
PID 3500 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5D5.exe
PID 3500 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5D5.exe
PID 3500 wrote to memory of 4140 N/A N/A C:\Users\Admin\AppData\Local\Temp\B5D5.exe
PID 3500 wrote to memory of 4008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe
PID 3500 wrote to memory of 4008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe
PID 3500 wrote to memory of 4008 N/A N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe
PID 4008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp
PID 4008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp
PID 4008 wrote to memory of 4248 N/A C:\Users\Admin\AppData\Local\Temp\BA1B.exe C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp
PID 4248 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 4248 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 4248 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 4248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 4248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 4248 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3500 wrote to memory of 4292 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe
PID 3500 wrote to memory of 4292 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe
PID 3500 wrote to memory of 4292 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe
PID 4292 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4292 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4292 wrote to memory of 3928 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4292 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 4292 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 4292 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\CC6C.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 2704 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2704 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2704 wrote to memory of 4260 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4260 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4260 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3308 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 3308 wrote to memory of 4912 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 2704 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
PID 2704 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
PID 2704 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
PID 3308 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3308 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3308 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 3500 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC8A.exe
PID 3500 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC8A.exe
PID 3500 wrote to memory of 780 N/A N/A C:\Users\Admin\AppData\Local\Temp\DC8A.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

C:\Users\Admin\AppData\Local\Temp\9E24.exe

C:\Users\Admin\AppData\Local\Temp\9E24.exe

C:\Users\Admin\AppData\Local\Temp\9E24.exe

C:\Users\Admin\AppData\Local\Temp\9E24.exe

C:\Users\Admin\AppData\Local\Temp\B324.exe

C:\Users\Admin\AppData\Local\Temp\B324.exe

C:\Users\Admin\AppData\Local\Temp\B5D5.exe

C:\Users\Admin\AppData\Local\Temp\B5D5.exe

C:\Users\Admin\AppData\Local\Temp\BA1B.exe

C:\Users\Admin\AppData\Local\Temp\BA1B.exe

C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp

"C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp" /SL5="$80224,2248936,56832,C:\Users\Admin\AppData\Local\Temp\BA1B.exe"

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s

C:\Users\Admin\AppData\Local\Temp\CC6C.exe

C:\Users\Admin\AppData\Local\Temp\CC6C.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\nssD880.tmp

C:\Users\Admin\AppData\Local\Temp\nssD880.tmp

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\DC8A.exe

C:\Users\Admin\AppData\Local\Temp\DC8A.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E5E2.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E5E2.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3208 -ip 3208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2236

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2908 -ip 2908

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 2008

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

Network


Files
