Analysis Overview
SHA256
01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Threat Level: Known bad
The file 84b607224b08194b311683727ad11950.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
Glupteba
Lumma Stealer
DcRat
Glupteba payload
Modifies boot configuration data using bcdedit
Possible attempt to disable PatchGuard
Stops running service(s)
Downloads MZ/PE file
Creates new service(s)
Modifies Windows Firewall
Executes dropped EXE
UPX packed file
Loads dropped DLL
Checks computer location settings
Deletes itself
Writes to the Master Boot Record (MBR)
Checks installed software on the system
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 12:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 12:11
Reported
2024-02-27 12:13
Platform
win7-20240221-en
Max time kernel
37s
Max time network
150s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A10.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\99E0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9D2B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A27A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B031.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7A10.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A27A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\7A10.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\9D2B.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2760 set thread context of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\7A10.exe | C:\Users\Admin\AppData\Local\Temp\7A10.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\99E0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
62 further hits with no process recorded
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe
"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
C:\Users\Admin\AppData\Local\Temp\7A10.exe
C:\Users\Admin\AppData\Local\Temp\7A10.exe
C:\Users\Admin\AppData\Local\Temp\7A10.exe
C:\Users\Admin\AppData\Local\Temp\7A10.exe
C:\Users\Admin\AppData\Local\Temp\99E0.exe
C:\Users\Admin\AppData\Local\Temp\99E0.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 124
C:\Users\Admin\AppData\Local\Temp\9D2B.exe
C:\Users\Admin\AppData\Local\Temp\9D2B.exe
C:\Users\Admin\AppData\Local\Temp\A27A.exe
C:\Users\Admin\AppData\Local\Temp\A27A.exe
C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp" /SL5="$4017A,2248936,56832,C:\Users\Admin\AppData\Local\Temp\A27A.exe"
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
C:\Users\Admin\AppData\Local\Temp\B031.exe
C:\Users\Admin\AppData\Local\Temp\B031.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227121143.log C:\Windows\Logs\CBS\CbsPersist_20240227121143.cab
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
C:\Users\Admin\AppData\Local\Temp\C058.exe
C:\Users\Admin\AppData\Local\Temp\C058.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CBED.dll
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\CBED.dll
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
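The command lines above contain the persistence and defence-evasion steps worth alerting on: the bcdedit sequence that builds a new OSLOADER entry with nointegritychecks 1, sets recoveryenabled 0 and makes the entry the default with a zero timeout; the netsh allow rule and ONLOGON/HIGHEST task for a csrss.exe outside System32; the service created from a ProgramData path; the Defender exclusions; the uninstall of KB890830 (the Malicious Software Removal Tool); and the stop of the eventlog service. The following Python is an added triage example, not part of the sandbox report or any vendor ruleset: the regexes and ATT&CK mappings are my own, and SAMPLE_CMDLINES is copied from the Processes section plus one benign bcdedit /v control line. It flags each command line and also reconstructs the BCD entry from the bcdedit calls, so the nointegritychecks-plus-default combination is reported as one finding instead of fourteen separate bcdedit hits.

```python
"""Triage rules for the command lines recorded in this report (added example).

The regexes and ATT&CK mappings are my own, not a vendor ruleset; SAMPLE_CMDLINES is
copied from the Processes section of the report, plus one benign 'bcdedit /v' control.
"""
import re
from dataclasses import dataclass

SAMPLE_CMDLINES = [
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'regsvr32 /s C:\\Users\\Admin\\AppData\\Local\\Temp\\CBED.dll',
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    'C:\\Windows\\system32\\sc.exe create "UTIXDCVF" binpath= "C:\\ProgramData\\xcfonrchdkar\\vueqjgslwynd.exe" start= "auto"',
    'C:\\Windows\\system32\\sc.exe stop eventlog',
    'wusa /uninstall /kb:890830 /quiet /norestart',
    'C:\\Windows\\system32\\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER',
    'C:\\Windows\\system32\\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0',
    'C:\\Windows\\system32\\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    'C:\\Windows\\system32\\bcdedit.exe -timeout 0',
    'C:\\Windows\\system32\\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}',
    'C:\\Windows\\Sysnative\\bcdedit.exe /v',  # enumeration only: must not fire
]

# (rule name, ATT&CK technique, pattern). Matched case-insensitively against one
# command line at a time; each rule is written against the lines above.
RULES = [
    ("bcdedit_integrity_checks_off", "T1553.006",
     r'\bbcdedit(?:\.exe)?\b.*\b(?:nointegritychecks\s+(?:1|yes|on)|testsigning\s+(?:1|yes|on)|DISABLE_INTEGRITY_CHECKS)\b'),
    ("bcdedit_recovery_off", "T1490",
     r'\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+(?:0|no|off)\b'),
    ("netsh_firewall_allow", "T1562.004",
     r'\bnetsh\b.*\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'),
    ("schtasks_logon_highest", "T1053.005",
     r'\bschtasks(?:\.exe)?\b.*/create\b.*/sc\s+onlogon\b.*/rl\s+highest\b'),
    ("service_from_programdata", "T1543.003",
     r'\bsc(?:\.exe)?\b.*\bcreate\b.*\bbinpath=\s*"?[^"]*\\ProgramData\\'),
    ("eventlog_service_stopped", "T1562.002",
     r'\bsc(?:\.exe)?\b.*\bstop\s+eventlog\b'),
    ("defender_exclusion_added", "T1562.001",
     r'\bAdd-MpPreference\b.*-Exclusion(?:Path|Extension|Process)\b'),
    ("msrt_removed", "T1562.001",
     r'\bwusa(?:\.exe)?\b.*/uninstall\b.*\bkb:?890830\b'),
    # csrss.exe anywhere except the real location C:\Windows\System32\csrss.exe
    ("csrss_outside_system32", "T1036.005",
     r'[A-Za-z]:\\(?!Windows\\System32\\)[^\s"]*\\csrss\.exe'),
    ("regsvr32_temp_dll", "T1218.010",
     r'\bregsvr32(?:\.exe)?\b.*\\AppData\\Local\\Temp\\[^\s"]+\.dll\b'),
]
COMPILED = [(name, tech, re.compile(pat, re.I)) for name, tech, pat in RULES]


@dataclass(frozen=True)
class Hit:
    rule: str
    technique: str
    cmdline: str


def scan(cmdlines):
    """Return one Hit per (command line, matching rule), in input order."""
    hits = []
    for line in cmdlines:
        for name, tech, rx in COMPILED:
            if rx.search(line):
                hits.append(Hit(name, tech, line))
    return hits


# Stateful view of the bcdedit calls: rebuild each boot entry's options so the
# dangerous combination (integrity checks off AND entry made default) is one finding.
BCD_CREATE = re.compile(r'\bbcdedit(?:\.exe)?\s+[-/]create\s+(\{[0-9a-f-]+\})', re.I)
BCD_SET = re.compile(r'\bbcdedit(?:\.exe)?\s+[-/]set\s+(\{[0-9a-f-]+\})\s+(\S+)\s+(.+)', re.I)
BCD_DEFAULT = re.compile(r'\bbcdedit(?:\.exe)?\s+[-/]default\s+(\{[0-9a-f-]+\})', re.I)


def reconstruct_bcd(cmdlines):
    """Map boot-entry GUID -> {option: value}; also return the GUID made default."""
    entries, default = {}, None
    for line in cmdlines:
        if m := BCD_CREATE.search(line):
            entries.setdefault(m.group(1).upper(), {})
        elif m := BCD_SET.search(line):
            entries.setdefault(m.group(1).upper(), {})[m.group(2).lower()] = m.group(3).strip()
        elif m := BCD_DEFAULT.search(line):
            default = m.group(1).upper()
    return entries, default


def rogue_boot_entries(cmdlines):
    """GUIDs of boot entries that disable integrity checks and were set as default."""
    entries, default = reconstruct_bcd(cmdlines)
    return [guid for guid, opts in entries.items()
            if opts.get("nointegritychecks", "").lower() in ("1", "yes", "on") and guid == default]


if __name__ == "__main__":
    for h in scan(SAMPLE_CMDLINES):
        print(f"{h.technique:10} {h.rule:28} {h.cmdline[:70]}")
    for guid in rogue_boot_entries(SAMPLE_CMDLINES):
        print(f"T1553.006  rogue default boot entry {guid} (nointegritychecks=1)")
```

On the sample every rule fires at least once and the bcdedit /v control line stays silent; the csrss rule fires on both the netsh and schtasks lines because both reference C:\Windows\rss\csrss.exe. For live telemetry feed the same function the Sysmon event 1 or 4688 command line field; the BCD reconstruction also needs the order of the bcdedit calls preserved, which process-creation logs give you but a deduplicated signature table does not.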
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| RU | 109.71.204.203:9001 | | tcp |
| DE | 144.76.170.20:443 | | tcp |
| N/A | 127.0.0.1:49225 | | tcp |
| DE | 78.46.174.72:9001 | | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| KR | 58.151.148.90:80 | trmpc.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | a01865cb-ef0e-4fa6-9912-c9a47eee96b2.uuid.statsexplorer.org | udp |
| NO | 87.248.7.41:9003 | | tcp |
| NL | 45.66.33.45:443 | | tcp |
| FR | 145.239.158.234:9001 | | tcp |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| US | 204.13.164.118:443 | | tcp |
| DE | 194.140.117.58:993 | | tcp |
| BG | 5.181.80.181:9001 | | tcp |
| MD | 178.17.170.172:443 | | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard20.blob.core.windows.net | udp |
| US | 20.150.38.228:443 | vsblobprodscussu5shard20.blob.core.windows.net | tcp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | xmr-eu1.nanopool.org | udp |
| PL | 54.37.137.114:14433 | xmr-eu1.nanopool.org | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | server7.statsexplorer.org | udp |
| BG | 185.82.216.108:443 | server7.statsexplorer.org | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
| AR | 186.182.55.44:80 | kamsmad.com | tcp |
Files
memory/2924-1-0x0000000001AA0000-0x0000000001BA0000-memory.dmp
memory/2924-2-0x00000000002A0000-0x00000000002AB000-memory.dmp
memory/2924-3-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/1068-4-0x0000000002A90000-0x0000000002AA6000-memory.dmp
memory/2924-5-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7A10.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/2760-17-0x0000000003490000-0x0000000003648000-memory.dmp
memory/2516-23-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2516-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2760-20-0x0000000003490000-0x0000000003648000-memory.dmp
memory/2760-24-0x0000000003650000-0x0000000003807000-memory.dmp
memory/2516-27-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2516-28-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2516-29-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2516-30-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2516-31-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
memory/2376-41-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2376-43-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2376-45-0x00000000000F0000-0x00000000000F1000-memory.dmp
memory/2376-47-0x00000000008A0000-0x000000000134D000-memory.dmp
memory/2376-46-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2376-49-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2376-51-0x0000000000100000-0x0000000000101000-memory.dmp
memory/2376-59-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2376-56-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2376-54-0x00000000001A0000-0x00000000001A1000-memory.dmp
memory/2376-61-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2376-64-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2376-66-0x00000000001C0000-0x00000000001C1000-memory.dmp
memory/2376-69-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2376-71-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2376-72-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2376-74-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2376-76-0x00000000001E0000-0x00000000001E1000-memory.dmp
memory/2376-79-0x0000000077030000-0x0000000077031000-memory.dmp
memory/2376-80-0x00000000001F0000-0x00000000001F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | aca9b5c0e6196ab07ceaadd12b6a9dc3 |
| SHA1 | 7b8af452ce5761b8cc705491bc61d76a1c9c2027 |
| SHA256 | 091edc246a27c4c10af02a2aaf0470a673af361e42e177828cb2caddea6985b9 |
| SHA512 | d11c4c557afa3487b15ac7f2a3f5ab00492768871fac2d01868d51ed995e5a860d9fae2831194f930306ba6c306f80f99596a6e15b113d93f1198d17ecc5f29d |
\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | f2f77d5eb169f5cf5b3a85988fbc9dab |
| SHA1 | ea1a3b327e0b0b9d6b22fc2caf2051c4bfc62dcf |
| SHA256 | 3e2f1204bc07fc407d940ae7ef8e8dc339c2e00493a1b50241b15e61a8662c01 |
| SHA512 | 5d68a3ca9df62d7d5b62f59bcd4cff2cac2223fe1f9344f7ba18bffc2f39355c768da78e0a5c7885026747680fb2ceb2c71d051e469730a7d29b9179354715f4 |
\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | 0d0f5251077ae162ed4b95bad5cfd889 |
| SHA1 | 43f623a91771ae3fb3e4e7a66694c3e6817b63f6 |
| SHA256 | d7e43d82dfbab4866300d5231513ca9ff93c012249c93f3593c78fb1d440f9a2 |
| SHA512 | 8cc8f51f6a9848387509e7188b0ccc7d4fa8726a821f1977d892444855563fc2c1bc839d214ac0fa9899da4b4080adcfedde5f742df74b0098004b1fd5b36db7 |
\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | 77cff13b75ea6377d271d733f38b2b62 |
| SHA1 | 296853e9d37e449aba8ee8b4eb56b237031a7d29 |
| SHA256 | c70187ffd28e9c65dda0ccd1640364e84b1ba3bce95016f0466c81c6fbf97f15 |
| SHA512 | a5aee34376be7aa4f5c87a40ee1adb7287db5af9c4141889f0c66ee1bfdbd407d8aa1afde2965907084b515d8126c255716115866552f8036715d3e50f9ba1f8 |
C:\Users\Admin\AppData\Local\Temp\9D2B.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/2312-92-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2312-93-0x00000000031D0000-0x000000000323B000-memory.dmp
memory/2760-94-0x0000000003650000-0x0000000003807000-memory.dmp
memory/2312-96-0x0000000000400000-0x0000000001A77000-memory.dmp
\Users\Admin\AppData\Local\Temp\99E0.exe
| MD5 | 94187d9d51fabee5249e2906dcf6cd34 |
| SHA1 | ac5937a321a3e70d95fbeb19ab32a0858e92a008 |
| SHA256 | bf2fedb76209470bacf9e3d69000984b67929abb92dd7602c139fb89697235b3 |
| SHA512 | 98cea89a6e7bb58ebd2338c94d1d8f9d165ddb7ec52979a0285f5ccd1bab5f60bb0b71451a2d8d2bd7c415664f06a0236dc31406f0741da90cc39aec1d1f6e8e |
memory/2312-97-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/2516-103-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A27A.exe
| MD5 | 0d2e79b47a14158baeca6ec05bc7b649 |
| SHA1 | 3d7096e8cbd965b2503eb533e8a61ac8cd7543f8 |
| SHA256 | 6f3668817b615dba14a2a697e0b94694faa1602860dcecec2009bdd781fa02e6 |
| SHA512 | f08364b8c96568754e0298cc2478cf928f934c5aca78cb0ba07db748580c33e261d66ee61eb41d1bafecab1cd40c27ab388ddd2a7591822ef201b76c9e84ec9c |
memory/2128-107-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2516-105-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2128-102-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A27A.exe
| MD5 | 8b0b0943877aa89cf021d5d5e2cbb1aa |
| SHA1 | 7a64ea593c231fb4b1d7c584980a6650960ac32b |
| SHA256 | b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905 |
| SHA512 | d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc |
\Users\Admin\AppData\Local\Temp\is-MH47I.tmp\A27A.tmp
| MD5 | a1b45df2ed6b73416fdf10a62a69f8f0 |
| SHA1 | 053d566b3d1d4ec47d4dff670611a20802b1a366 |
| SHA256 | 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d |
| SHA512 | bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2 |
memory/2688-126-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-2C4II.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-2C4II.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
\Users\Admin\AppData\Local\Temp\is-2C4II.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 9c8c4324466851ffedfd07ed09e8787e |
| SHA1 | 9807e1ecbe43b81693493174aeba9796717a0160 |
| SHA256 | a23ea44ecfc82f7fc2fd7dc0c0134050c50a60601b90ba169affbfc392343dc7 |
| SHA512 | 4a7d125dbb061a8a4adb4fb9375fedc8cd2dfb6a1a2fb5746cead24a1646033b502fdff39a7abc0689bc086ac370c18bcd5d50740f8d3cd36191f4344587ab2b |
memory/2688-149-0x0000000003B60000-0x0000000003E60000-memory.dmp
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 5c64ecde29da99c3f8e2fb087d86873e |
| SHA1 | a9f30fcb14242d577b36eef78071c100499fbf99 |
| SHA256 | a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261 |
| SHA512 | 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d |
memory/2852-151-0x0000000000400000-0x0000000000700000-memory.dmp
memory/2852-152-0x0000000000400000-0x0000000000700000-memory.dmp
memory/2852-153-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 6a5ab8300780ae16d5b6c2ce73872f48 |
| SHA1 | ea483f0c765820bbc8393c910ec1e46fdac1bfed |
| SHA256 | 65fb1863b675f078a36301afd33a7dfdca3e1e7a8012c9bdf4158754fa22f49d |
| SHA512 | 0c982a3d4df18fa675f52e40cf07306a560030f26255e00300f79e9d3c73117e3ed063575e46b5c6c964a4e351f203bbc4ea149d32339b7a4dd1fda3941ccfc6 |
memory/2852-156-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 5e9c2d95de9f7a9d695d75b553293cf1 |
| SHA1 | 3453b0c85291e7c4abbc95d0d48142537fbc3608 |
| SHA256 | 7130a8e2a627de64a3997633de575775275d8101fd358186081c7496ea144a8d |
| SHA512 | cf327fe2c453900324284a3e969662da3be05af07cdc22bf0b68f01ba4bbd229fa0d5ce881b2bd903ab667c028b19fd67359fef08fd89d4c77cb9b37b675c9a0 |
memory/2376-158-0x00000000008A0000-0x000000000134D000-memory.dmp
memory/1416-159-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B031.exe
| MD5 | faa87fac6b4b2b411e9e6f24dd8522e6 |
| SHA1 | 4291529fcfc94aa3fcc4985138d38f86348ee9f9 |
| SHA256 | 7e9e3585e3bfef7542791d12f20c23de743da139e83e57f55674f212356bce64 |
| SHA512 | d55ce83cba429ab357b1feffcd72e8f4ae2813d4a18a2a1120f1c9216f89cd51ddc0bd7abc7056b037c69053ca033344c64376d9b7efbc0df364fdf0c492df5f |
C:\Users\Admin\AppData\Local\Temp\B031.exe
| MD5 | 9c6a5e32d855c8141a28045214f4a69d |
| SHA1 | 937120281e2bd925849952b25787e9cd964060be |
| SHA256 | e1349dcbc33107759a3e6d4cd188894b837a70872b099c8434c74aaf89d4b66a |
| SHA512 | 2784f3d293e2b19165d0f1e37b423f6092658dedef34c12446aab8aea274bdee68c1f188bbc227844dd278fcd94eaf417e91eca6e368c488039390e3b901e106 |
memory/2228-165-0x0000000000180000-0x0000000000A36000-memory.dmp
memory/2228-167-0x0000000072B90000-0x000000007327E000-memory.dmp
memory/1416-168-0x0000000000400000-0x0000000000700000-memory.dmp
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 12007d4eb2e809cfd579b3de02c5db3c |
| SHA1 | e293a39618a0f5c8a3ab440fff47f12b93bd0b98 |
| SHA256 | ccae08a42bca5700f01cc99d50681226b83c86f814516e2c23f6e1f2f90162b6 |
| SHA512 | e22ba709876324def313ef32d4892dc2dbcb54c3c949f6b1b7d936690c3490614f739a1a9e60b995a6f0851412382d5388eb115433fcb35ebf934e351393e109 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 34666eafe0fffb6a73e31c1e09ecac4f |
| SHA1 | ffd5c92070e4a8fab8f8095316d73ccd485f6294 |
| SHA256 | d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232 |
| SHA512 | 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | e586b2aaf752f2be4580c1b8ae4ab0c1 |
| SHA1 | 9e745f012e784ff066bc31143ea7c8546416d41b |
| SHA256 | bb8ae729d6502667f111a6712843370924427efca7ab333f80a108717097a987 |
| SHA512 | 655540cac0d2bde3c286e1e7b4547af203f07125ad8664e81cc309867d728df9af5216a7c88ff51c53991ab3d7285e450b91f94cb3ebf78e4178ca61a3b929e7 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | f10e073f6e66ab2d417029c5eebb1d50 |
| SHA1 | 950706d000d6b4a2e834b13f6d0b73155c00420b |
| SHA256 | d5fc8b78f43f5724f26d9babd6cb0291fcd3799b5da4a9caf7dba9de35192f54 |
| SHA512 | de1776af379dcab21d8a6fe8e200ee3a6681e083331d9676f410a280e6b95b3c7128b3149f664565d369df95c29f953edc57aeef3ed55932d3a6b90a62b28d52 |
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
memory/1400-184-0x00000000026B0000-0x0000000002AA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 6083c5a7b0f4a0ea229b348aa9af793b |
| SHA1 | 0380b8f9fa245f35665fea430d978795a336664f |
| SHA256 | 28ecd92a36d05d1cd15b3b09fe2a686ddb36142a7351946bcc3d6395da908df6 |
| SHA512 | d767f4d0e51e5f9d1cc78a0fc7bcdca048f59c49090cd8972d7fa76ffc5f06dafbfa2f27d9234477f3554f7f860a3ae7b1be095e948ef718eb92f4de2c511c9c |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | a9613e2b41a417931c575390200d573a |
| SHA1 | a321a65725e3f918536ef2983002c7dd4c72d704 |
| SHA256 | a02f0d493d3134bbf78ba9f1956c2bf215951f6c3f0b8d7ea6a67d7044ebb0bf |
| SHA512 | 1208f4ca2fd283cdeba709ed95c4253862fa2908962b5bc4db7bf7ff9246568b1fb17cd44b4bd8db7a9e6f4aa2737cbad8735097b9d5f7691df6fdf8e28076ac |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 5ca01423a29016851cc4e6281916cb2c |
| SHA1 | 583cbe4fc8a69b4f324e60257da872531c7b1a5a |
| SHA256 | 8ff85221e7fdd4c93b8828ebcef9c255273f5beb067a44b24e1ca87d9e898ec1 |
| SHA512 | 68a605768e4dac8ce37ac43d54536429c3f6aa6e5be656e6f0bc61155380a604d434b50899fa986d017316e8397ddf2f91445a9c4ce72a9072580a003ad022a4 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | d3eaeffb2f339af26a93e37a3fe24a97 |
| SHA1 | 2048882e7bfe3cfdcac5a92543978c6a13c92629 |
| SHA256 | f10c19e5d0026268f3ec75d1be5139f364d367b8e26c1926dc7d6a857c6c376f |
| SHA512 | b56d234ed512b4b4e463fca920eece54b6487976fe5fe248ee4b50d869307aed6d09cdc974cbfc6992e69e2a6e4fd226245e0703c42c20305bf2a641b84009c9 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | c897abee1620946f71da6a0c1c5025e1 |
| SHA1 | dce398e6e30d39f69a540a9e6b272bfa3eb68db5 |
| SHA256 | 30de6ba7b72ccbe4d1e7b520b5e7594f1417661e89ba6f6a688d999f5d2b1da9 |
| SHA512 | a4c226017eb289d380fcbbf18c2c32db89f0923a5281b4a0cd8c6788a9c3b6995dadd945768f11abb92c78add3f635de111dfe7c056e7cb5e184a3cc89e19c33 |
\Users\Admin\AppData\Local\Temp\nsoB57B.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2312-205-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2312-206-0x00000000031D0000-0x000000000323B000-memory.dmp
memory/1400-207-0x00000000026B0000-0x0000000002AA8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 16f9215b8d04ddbd6bdb31a956405749 |
| SHA1 | 303e9e60d334a7a1e909cdc1d66e5b06045b098c |
| SHA256 | 9323ab17cf1e6e18c64fe54d7e9a4ac44e603367653dbba2155186af15fd9e53 |
| SHA512 | 05668816b604c4c471e45aca804968ec4a101dd3358c15bb1d62ce60aa8684499d22afd25498d7afcabf9940f9f100ff73960a9bba4cb396df3fc9b5dfe9764e |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 0145888ba27250ffd29bcb65b34442cd |
| SHA1 | 66e65cf2eeec68fa8aa69829176a617a6a69eeb0 |
| SHA256 | 13037c98fe1fea0543d858fa1fe26e30d1e552dd1c0279a815133a99214d4d91 |
| SHA512 | 9d934d125288584dd6d5e1d3c64fc945dcb60b94e258f9ac4cbc09782a3e6b8f71fb6339bcde7d09a670373970299732c69f6eef529875e29241108d7eba3e3f |
memory/2312-208-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/1400-209-0x0000000002AB0000-0x000000000339B000-memory.dmp
memory/2764-211-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/1400-210-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2228-195-0x0000000072B90000-0x000000007327E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d06b00c65c1bb2c83b2916b704cf1f52 |
| SHA1 | 5f865da9b2e8b58513d7f7f0cd61da46c1bf8413 |
| SHA256 | a75d86438769402dd2f1b0ddcad0601f4f0e477d220d886b9205189ff44a048d |
| SHA512 | 44a50298ccbba83c8d25495823a57d7566414cf3881e32ae5357c65981944e624236e084fcf1dd6c04a5c0712b2597f202f4d1f7a739cdbf9769a19b35c887af |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 7c277165dcead3616b33d9432afcb485 |
| SHA1 | b725f0009bb07f8c3f434adc10ccc8d78967ea62 |
| SHA256 | a3548e60aee3eacd24068a097a0fd848bf9d61a19e54a88068b5be7539384c30 |
| SHA512 | 2f5d098b0ca693dc399479f293ce38b0254149481dcc397715cff47a55b870c2a3ae7824cc1587838ce0f511633fecc961384e836bbccde66734207d1f5e8105 |
memory/2184-219-0x0000000002570000-0x0000000002968000-memory.dmp
memory/1400-220-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3NPBB818\syncUpd[1].exe
| MD5 | 2c74f60b536102ac12b9936dd1b603c3 |
| SHA1 | 47d789115f7e3aed53a66e84a642650a59d463c7 |
| SHA256 | 28f560f19b91b14ad5dc5a2450e8aa7962c03ae754f37cca70daa52c327b6af0 |
| SHA512 | 4ba198eb5967fa0e2457709b58b480f45f0dc65c158065835fd6f97f0d9d77a162ba5423a7bbdce39301f9695eb4e0aa4cb6e423d4a5b8fd1772514901252910 |
C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
| SHA512 | 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177 |
memory/1524-232-0x0000000000220000-0x0000000000247000-memory.dmp
memory/1524-231-0x0000000001AD0000-0x0000000001BD0000-memory.dmp
memory/2128-233-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1524-234-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/2688-235-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/2184-244-0x0000000002570000-0x0000000002968000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C058.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA1 | 3cfe837b022d15fd869e6262813e38ed8efb92dc |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
| SHA512 | bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107 |
memory/2688-236-0x0000000003B60000-0x0000000003E60000-memory.dmp
memory/2184-245-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2924-246-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2924-247-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/2924-248-0x0000000001BD0000-0x0000000001CD0000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
memory/2184-256-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2424-258-0x00000000025C0000-0x00000000029B8000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 7a80cd42234506c4eca04b6a54d5bf7f |
| SHA1 | b571f657031f54fc5c733759b558d43bdf88eedb |
| SHA256 | 3084537f35cd8e74646264612514628aa49ddda9c1fd79894c8641a9b7768df9 |
| SHA512 | 88e692b05423c082b7fea2a8de7440a035d94af4cabab28ac07c6bb19be2ac3c57d2e05a9a321ca512098786b942ed2f60d4fd13a100fa7832b10d327a78c5a7 |
memory/2424-260-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2516-261-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2424-262-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1416-263-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | 37bd3380e2dc5ed47b453915f177ab15 |
| SHA1 | 3d10f3ebc6df0df7c17a559c6b199be8f33aed7b |
| SHA256 | f20d482959d619e57359f139a987d46a9b7a4af6a4c50689ffba91c38649dd62 |
| SHA512 | 6e9fb9e54c0b0e0481231fe7949c5f32358e2fc82cca476811b8ae2e4a10fd26e45da18ecea7a146c69200eb59a8588e2509aed0dabdfa5290c7444b5887b10f |
C:\Users\Admin\AppData\Local\Temp\CBED.dll
| MD5 | da30e7111769af02730a498c7d635877 |
| SHA1 | 052813b8db392217776729867bf3e082d89edd15 |
| SHA256 | 1edd160ab194f1894469cce0d336ae3caa29f1434350c4a7a32dceb30b5ef2e4 |
| SHA512 | 02aa1608592043503b96c48d508699110009c729bbcda779b1def9fad0fd64394e5c78c29f70678d46548c7a1e48ac1620608b850a36c3d680de7dab4ccaa702 |
\Users\Admin\AppData\Local\Temp\CBED.dll
| MD5 | 9b1697d40dfd386fdd7e9327844f301a |
| SHA1 | e75defb119e2c7b7d3f75ab70a100ec504af5ebf |
| SHA256 | 69e7b08c127dde5fd1f85e1e8107d06aa686e94aef3fd48ff0bb092b38a0cb1d |
| SHA512 | 3e945bf24ed81fdc49e974d086a70f9758a17b8656bb0e460dca0be2a84fa0ba065b62b6dd5d55ca1dbe0b4f19ec4f164df84c115244f1cbfddd79611d013d69 |
memory/1580-274-0x0000000000100000-0x0000000000106000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2924-312-0x0000000000400000-0x0000000001A2A000-memory.dmp
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 13aaafe14eb60d6a718230e82c671d57 |
| SHA1 | e039dd924d12f264521b8e689426fb7ca95a0a7b |
| SHA256 | f44a7deb678ae7bbaaadf88e4c620d7cdf7e6831a1656c456545b1c06feb4ef3 |
| SHA512 | ade02218c0fd1ef9290c3113cf993dd89e87d4fb66fa1b34afdc73c84876123cd742d2a36d8daa95e2a573d2aa7e880f3c8ba0c5c91916ed15e7c4f6ff847de3 |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | 241104190a6a823b4a3a1748c857c1c7 |
| SHA1 | 9aa81a6dd330ba5e80b2f84562e30629b7eb8bcc |
| SHA256 | 0ad38308bccfa0195062fc11e045a87c8dd277b28e065540a2033407324e0e1b |
| SHA512 | 1ba5ea8e76a7fcfda36ed92a6e25d4c731afdaba8c294f13b79320ed5357fe11d15fc73824abd601e02bc3e44ceb53e48d4bb02a9f495c58a0b6a68b9c875093 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\Cab27CE.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar30A7.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 31251171581456da2c38d0ffa9cfe52c |
| SHA1 | 91088cac912e9075822b4072ed534b9d09cda3e0 |
| SHA256 | bd2e3b303d745bee8b4157734782fd2b16f4330420a67145e78261323b95e474 |
| SHA512 | 7b810051a2c6af6ae705e5169807ebb4766afaa9d5346aba15d80138ca2cf526e28847c993bb053ba85d8df9b75f77d4448a6de2f20b9af288658b243226fe51 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 552763442a80982d3d985ba17b3a9c85 |
| SHA1 | 31b989aa8449b4185f7fad43a1fa39dc5416a4b1 |
| SHA256 | f3255cd04896bf6a6e13c73866052c652a5fd9f5b6ec2f26d755843a963bc5b6 |
| SHA512 | 68176f688df3a871660c89070d23937a80d68bfcd01c304c741039c526a1dc565e0a94704e91c46112284c886b7ead0d849282de63049e10eba8157f715f07a6 |
memory/2644-418-0x000000001B520000-0x000000001B802000-memory.dmp
memory/2644-419-0x0000000001F80000-0x0000000001F88000-memory.dmp
memory/2644-420-0x000007FEF4800000-0x000007FEF519D000-memory.dmp
memory/2644-421-0x00000000029D4000-0x00000000029D7000-memory.dmp
memory/2644-422-0x00000000029DB000-0x0000000002A42000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | 03cba695cb947c2a4bce01e454744abb |
| SHA1 | ad5f55ede43e7ee9eb7521b72d1e61f9b782adb6 |
| SHA256 | 35c52b1030b5f89daa39175ef6e31350ea2844eb263de25b53bf3803d0453892 |
| SHA512 | 619d83221ce3fad744c686ccb8764475d3cb9e7d7892e3f1c0a1e87eccdff5f796e3ab1bdb94ba8c00d2707bf60c66b2fd178c3030cf18b4b3a7f4da6b47bec4 |
memory/1912-426-0x0000000019A70000-0x0000000019D52000-memory.dmp
memory/1912-427-0x00000000008A0000-0x00000000008A8000-memory.dmp
memory/1912-428-0x000007FEF4830000-0x000007FEF51CD000-memory.dmp
memory/1912-429-0x00000000010D4000-0x00000000010D7000-memory.dmp
memory/1912-430-0x00000000010DB000-0x0000000001142000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | f0ab94aa2433897d8da7bc573da36571 |
| SHA1 | c5d60aa120a3e1d078b35043e9db5a06f64c6296 |
| SHA256 | 8239f28a418c5bc2aeb10a1c526be464bdae9c46ff5f40943e48b5d153e91fc6 |
| SHA512 | 0843b48a30b3d5236fcead64fd6b73145762bcca00823a29fffe8acfc125a90b576a39bf6359f3d5847720dccbef8db3df98c72b02cb894b8ffd9681ca063fbe |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 4579513d6c6fd4ff2a85929af8522a69 |
| SHA1 | e0818cee69cb86f227d97fd3015ac91c5e061e6c |
| SHA256 | fd51617d03af3da1c1df0ed7218a95859fbe017fb68c3a65a8e17fdf07a222e8 |
| SHA512 | 31c2e69d8738789ead6a41d3e503c1500df33fdea866f291823842dd7ea26351cddc21cf4090ace7763b57c55282e98a38b96b7eb373a8c6614fb99ae9688ed6 |
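One entry in the dropped-file list above carries the digests of zero-byte input: C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp was recorded while still empty (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709), and the same path appears again a few lines later with real content. Those digests match every empty file on every host, so an indicator set built from this report has to drop them. The following added example is not part of the report or of the sandbox's own tooling; it parses the path-plus-hash-row layout used above and filters such records. The sample text is copied from the report, and the record layout is assumed to be stable.

```python
"""IOC hygiene over a sandbox report's dropped-file list.

Added example; it is not part of the report above and not the sandbox's
own tooling. It parses the "path line followed by | MD5 | ... | rows"
layout used above and flags records whose digests are those of
zero-byte input, which identify nothing and must not be shipped as
indicators. SAMPLE_TEXT is copied from the report above; the record
layout is assumed to be stable.
"""
import hashlib
import re

# Digests of the empty byte string, computed rather than pasted so the
# check cannot drift from the algorithms it names.
EMPTY_DIGESTS = {
    algo: hashlib.new(algo, b"").hexdigest()
    for algo in ("md5", "sha1", "sha256", "sha512")
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Copied from the report above: an NSIS temp file captured while still
# empty, the same path captured again after it was written, a memory
# dump line, and one ordinary dropped executable.
SAMPLE_TEXT = r"""
C:\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
\Users\Admin\AppData\Local\Temp\nsoBAF8.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
memory/1524-232-0x0000000000220000-0x0000000000247000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C058.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
"""


def parse_dropped_files(text):
    """Return one {"path": ..., "md5": ..., ...} dict per dropped file.

    Any line that is neither a hash row nor a memory-dump line starts a
    new record; hash rows attach to the most recent record.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current[m.group(1).lower()] = m.group(2).lower()
            continue
        if line.startswith("memory/"):
            current = None          # dump regions carry no file digests
            continue
        current = {"path": line}
        records.append(current)
    return records


def is_empty_file(record):
    """True when every digest present equals the digest of b""."""
    digests = {k: v for k, v in record.items() if k != "path"}
    return bool(digests) and all(EMPTY_DIGESTS[k] == v for k, v in digests.items())


def shippable_sha256(records):
    """SHA-256 values worth distributing: empty-file records excluded."""
    return sorted({r["sha256"] for r in records
                   if "sha256" in r and not is_empty_file(r)})


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE_TEXT)
    for r in recs:
        if is_empty_file(r):
            print("empty-file digest, drop from IOC set:", r["path"])
    print("SHA-256 indicators:", shippable_sha256(recs))
```

The same path appearing twice with different digests is normal in this kind of report (the file was hashed before and after it was written), so the filter keys on digest values, not on path uniqueness.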
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 12:11
Reported
2024-02-27 12:13
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
DcRat
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\CC6C.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9E24.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B324.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B5D5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BA1B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\CC6C.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nssD880.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DC8A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9E24.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\B5D5.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3048 set thread context of 536 | N/A | C:\Users\Admin\AppData\Local\Temp\9E24.exe | C:\Users\Admin\AppData\Local\Temp\9E24.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nssD880.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\DC8A.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\DC8A.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\DC8A.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe
"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
C:\Users\Admin\AppData\Local\Temp\9E24.exe
C:\Users\Admin\AppData\Local\Temp\9E24.exe
C:\Users\Admin\AppData\Local\Temp\9E24.exe
C:\Users\Admin\AppData\Local\Temp\9E24.exe
C:\Users\Admin\AppData\Local\Temp\B324.exe
C:\Users\Admin\AppData\Local\Temp\B324.exe
C:\Users\Admin\AppData\Local\Temp\B5D5.exe
C:\Users\Admin\AppData\Local\Temp\B5D5.exe
C:\Users\Admin\AppData\Local\Temp\BA1B.exe
C:\Users\Admin\AppData\Local\Temp\BA1B.exe
C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp" /SL5="$80224,2248936,56832,C:\Users\Admin\AppData\Local\Temp\BA1B.exe"
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
C:\Users\Admin\AppData\Local\Temp\CC6C.exe
C:\Users\Admin\AppData\Local\Temp\CC6C.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\DC8A.exe
C:\Users\Admin\AppData\Local\Temp\DC8A.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E5E2.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\E5E2.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3208 -ip 3208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 2236
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2908 -ip 2908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 2008
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
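The process list above contains the actions that matter for response: a Defender exclusion covering the whole user profile and ProgramData plus every .exe, removal of the Malicious Software Removal Tool update (KB890830) via wusa, deletion and re-creation of the service UTIXDCVF with a binary under C:\ProgramData\xcfonrchdkar, a scheduled task MalayamaraUpdate that runs an Updater.exe from Temp every 30 minutes, a batch file launched from Roaming\Temp, and regsvr32 silently registering E5E2.dll from Temp. The following added example is not part of the report and not the sandbox's own signature logic; it expresses each of those as a rule over (image, command line) pairs copied from the list above. The rule names and what each one matches are this example's own choices.

```python
"""Triage rules over the process list of a sandbox report.

Added example; it is not part of the report above and not the sandbox's
own signature logic. SAMPLE_PROCESSES holds (image, command line) pairs
copied from the process list above; the rule names and the choice of
what to flag are this example's own.
"""
import ntpath
import re
from collections import Counter

SAMPLE_PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "'),
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F'''),
    (r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E5E2.dll"),
    # 32-bit relaunch: the image name is absent from the command line
    (r"C:\Windows\SysWOW64\regsvr32.exe",
     r"/s C:\Users\Admin\AppData\Local\Temp\E5E2.dll"),
    (r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force"),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe delete "UTIXDCVF"'),
    (r"C:\Windows\system32\cmd.exe",
     r"C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart"),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"'),
]


def _image(image):
    """Lower-cased basename of the process image (ntpath handles Windows paths on any OS)."""
    return ntpath.basename(image).lower()


def _rx(pattern):
    return re.compile(pattern, re.IGNORECASE)


# (rule name, required image basename or None for any image, command-line pattern)
RULES = [
    # Defender exclusion for whole profile/ProgramData trees plus *.exe
    ("defender_exclusion", "powershell.exe", _rx(r"add-mppreference\b.*-exclusion")),
    # service whose binary lives under ProgramData
    ("service_create_programdata", "sc.exe", _rx(r'\bcreate\b.*binpath=\s*"[^"]*\\programdata\\')),
    ("service_delete", "sc.exe", _rx(r"\bdelete\b")),
    # recurring task whose action points into a Temp directory
    ("schtasks_persist_temp", "schtasks.exe", _rx(r"/create\b.*/tr\b.*\\temp\\")),
    # silent registration of a DLL dropped in Temp
    ("regsvr32_temp_dll", "regsvr32.exe", _rx(r'/s\b.*\\temp\\[^\s"]+\.dll')),
    # KB890830 is the Malicious Software Removal Tool update
    ("msrt_uninstall", None, _rx(r"\bwusa\b.*/uninstall\b.*/kb:890830\b")),
    # batch script launched from a user's AppData tree
    ("batch_from_appdata", "cmd.exe", _rx(r"\\appdata\\.*\.bat\b")),
]


def triage(processes):
    """Return (rule, image, cmdline) for every rule each process trips."""
    hits = []
    for image, cmdline in processes:
        base = _image(image)
        for name, want_image, pattern in RULES:
            if want_image is not None and base != want_image:
                continue
            if pattern.search(cmdline):
                hits.append((name, image, cmdline))
    return hits


def summarize(processes):
    """Rule name -> number of processes that tripped it."""
    return dict(Counter(name for name, _, _ in triage(processes)))


if __name__ == "__main__":
    for name, image, cmdline in triage(SAMPLE_PROCESSES):
        print(f"{name:28} {ntpath.basename(image):16} {cmdline}")
```

The rules key on the image path rather than on the first token of the command line because the 32-bit regsvr32 relaunch above carries only `/s C:\...\E5E2.dll` as its command line; matching on the token `regsvr32` alone would miss it.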
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| US | 198.98.52.143:9001 | N/A | tcp |
| N/A | 127.0.0.1:57761 | N/A | tcp |
| DE | 116.203.140.74:9001 | N/A | tcp |
| NL | 51.158.147.25:443 | N/A | tcp |
| US | 8.8.8.8:53 | 25.147.158.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.94.2:443 | resergvearyinitiani.shop | tcp |
| NO | 37.191.206.197:8443 | N/A | tcp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 172.67.180.132:443 | technologyenterdo.shop | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | 132.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 188.114.97.2:443 | turkeyunlikelyofw.shop | tcp |
| CH | 213.144.142.24:9001 | N/A | tcp |
| US | 204.13.164.118:443 | N/A | tcp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 172.67.147.18:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.142.144.213.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.164.13.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| DE | 51.77.90.246:8081 | N/A | tcp |
| FR | 92.222.79.186:443 | N/A | tcp |
| KR | 211.53.230.67:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 246.90.77.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.79.222.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.230.53.211.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| DE | 51.77.90.246:8081 | N/A | tcp |
| FR | 92.222.79.186:443 | N/A | tcp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.ce.uk | udp |
| US | 8.8.8.8:53 | hejmbol.ce.uk | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| GB | 35.176.106.252:21 | hejmbol.ce.uk | tcp |
| GB | 35.176.106.252:22 | hejmbol.ce.uk | tcp |
| GB | 35.176.106.252:443 | hejmbol.ce.uk | tcp |
| US | 8.8.8.8:53 | mail.ce.uk | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ce.uk | udp |
| GB | 35.176.106.252:143 | ce.uk | tcp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | 252.106.176.35.in-addr.arpa | udp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| GB | 35.176.106.252:465 | ce.uk | tcp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| GB | 35.176.106.252:995 | ce.uk | tcp |
| GB | 35.176.106.252:22 | ce.uk | tcp |
| GB | 35.176.106.252:443 | ce.uk | tcp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| GB | 35.176.106.252:443 | ce.uk | tcp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| GB | 35.176.106.252:22 | ce.uk | tcp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| GB | 35.176.106.252:21 | ce.uk | tcp |
| GB | 35.176.106.252:143 | ce.uk | tcp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| GB | 35.176.106.252:22 | ce.uk | tcp |
| GB | 35.176.106.252:465 | ce.uk | tcp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| GB | 35.176.106.252:995 | ce.uk | tcp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | ftp.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| GB | 35.176.106.252:443 | ce.uk | tcp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| GB | 35.176.106.252:22 | ce.uk | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| GB | 35.176.106.252:587 | ce.uk | tcp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| GB | 35.176.106.252:990 | ce.uk | tcp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ftp.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ftp.ju.edu.ej | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| GB | 35.176.106.252:80 | ce.uk | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ssh.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | ssh.eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ftp.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.ju.edu.ej | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | r3-3.deped.gev.ph | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| GB | 35.176.106.252:443 | ce.uk | tcp |
| US | 8.8.8.8:53 | mail.ju.edu.ej | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | r3-3.deped.gev.ph | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ssh.ju.edu.ej | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.ce.uk | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.eujleek.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | brbb-jej.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.ju.edu.ej | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.ezweb.ze.jp | udp |
| GB | 35.176.106.252:80 | ftp.hejmbol.ce.uk | tcp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | brbb-jej.cem | udp |
| US | 8.8.8.8:53 | 66grbus.cem.br | udp |
| US | 8.8.8.8:53 | r3-3.deped.gev.ph | udp |
| US | 8.8.8.8:53 | ssh.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ju.edu.ej | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | 66grbus.cem.br | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | ssh.ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ssh.ju.edu.ej | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ssh.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | brbb-jej.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ju.edu.ej | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | ssh.eujleek.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | 66grbus.cem.br | udp |
| US | 45.79.222.138:80 | r3-3.deped.gev.ph | tcp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| GB | 35.176.106.252:443 | ftp.hejmbol.ce.uk | tcp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ju.edu.ej | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.ju.edu.ej | udp |
| US | 8.8.8.8:53 | sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | bbvellbperde.cem.jr | udp |
| US | 8.8.8.8:53 | brbb-jej.cem | udp |
| US | 8.8.8.8:53 | ftp.jbzcoc.rs | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | meleefeojesbcezj.cem | udp |
| US | 8.8.8.8:53 | 66grbus.cem.br | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.hereez.ce.zw | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | mail.ju.edu.ej | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | bbvellbperde.cem.jr | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem | udp |
| US | 8.8.8.8:53 | ssh.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ssh.ju.edu.ej | udp |
| US | 8.8.8.8:53 | 138.222.79.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssh.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | ssh.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | pop.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ftp.sjudezjs.bsu.edu.je | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | bsjrez.cem.pk | udp |
| US | 8.8.8.8:53 | 66grbus.cem.br | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.es | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | ssh.eujleek.cem | udp |
| US | 8.8.8.8:53 | ftp.eujleek.cem | udp |
| US | 8.8.8.8:53 | jbzcoc.rs | udp |
| US | 8.8.8.8:53 | mail.eujleek.cem | udp |
| US | 8.8.8.8:53 | mail.ju.edu.ej | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | brbb-jej.cem | udp |
| US | 8.8.8.8:53 | ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | hereez.ce.zw | udp |
| US | 8.8.8.8:53 | moucce.cem | udp |
| US | 8.8.8.8:53 | mail.ezweb.ze.jp | udp |
| US | 8.8.8.8:53 | bbvellbperde.cem.jr | udp |
| US | 8.8.8.8:53 | bsjrez.cem.pk | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.es | udp |
| US | 8.8.8.8:53 | hejmbol.ce | udp |
Files
memory/1488-1-0x0000000001DA0000-0x0000000001EA0000-memory.dmp
memory/1488-2-0x0000000001BC0000-0x0000000001BCB000-memory.dmp
memory/1488-3-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/3500-4-0x0000000002500000-0x0000000002516000-memory.dmp
memory/1488-5-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\9E24.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/3048-16-0x0000000003820000-0x00000000039DB000-memory.dmp
memory/3048-17-0x0000000003AE0000-0x0000000003C97000-memory.dmp
memory/536-20-0x0000000000400000-0x0000000000848000-memory.dmp
memory/536-21-0x0000000000400000-0x0000000000848000-memory.dmp
memory/536-18-0x0000000000400000-0x0000000000848000-memory.dmp
memory/536-22-0x0000000000400000-0x0000000000848000-memory.dmp
memory/536-23-0x0000000000400000-0x0000000000848000-memory.dmp
memory/536-24-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B324.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
memory/4312-33-0x00000000010B0000-0x00000000010B1000-memory.dmp
memory/4312-34-0x0000000000170000-0x0000000000C1D000-memory.dmp
memory/4312-35-0x00000000010C0000-0x00000000010C1000-memory.dmp
memory/4312-36-0x00000000010F0000-0x00000000010F1000-memory.dmp
memory/4312-37-0x0000000002C70000-0x0000000002C71000-memory.dmp
memory/4312-38-0x0000000002C80000-0x0000000002C81000-memory.dmp
memory/4312-39-0x0000000002C90000-0x0000000002C91000-memory.dmp
memory/4312-40-0x0000000002CA0000-0x0000000002CA1000-memory.dmp
memory/4312-41-0x0000000000170000-0x0000000000C1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B5D5.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/4312-48-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4312-49-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4312-50-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4312-52-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4140-51-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/4312-53-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4140-55-0x00000000036B0000-0x000000000371B000-memory.dmp
memory/4312-54-0x0000000002CB0000-0x0000000002CE2000-memory.dmp
memory/4140-56-0x0000000001C10000-0x0000000001D10000-memory.dmp
memory/4140-57-0x0000000000400000-0x0000000001A77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BA1B.exe
| MD5 | 8b0b0943877aa89cf021d5d5e2cbb1aa |
| SHA1 | 7a64ea593c231fb4b1d7c584980a6650960ac32b |
| SHA256 | b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905 |
| SHA512 | d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc |
memory/4008-62-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-N78V4.tmp\BA1B.tmp
| MD5 | a1b45df2ed6b73416fdf10a62a69f8f0 |
| SHA1 | 053d566b3d1d4ec47d4dff670611a20802b1a366 |
| SHA256 | 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d |
| SHA512 | bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2 |
C:\Users\Admin\AppData\Local\Temp\is-LTQMV.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-LTQMV.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
memory/4248-69-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/536-105-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2304-106-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 5c64ecde29da99c3f8e2fb087d86873e |
| SHA1 | a9f30fcb14242d577b36eef78071c100499fbf99 |
| SHA256 | a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261 |
| SHA512 | 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d |
memory/2304-107-0x0000000000400000-0x0000000000700000-memory.dmp
memory/536-111-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2304-110-0x0000000000400000-0x0000000000700000-memory.dmp
memory/2976-114-0x0000000000400000-0x0000000000700000-memory.dmp
memory/4312-115-0x0000000000170000-0x0000000000C1D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CC6C.exe
| MD5 | d5219a13a253519a4aa5f3da08fc27ba |
| SHA1 | f2576901363216bcec493d91174714da2c7e93b7 |
| SHA256 | 148bd8c4001b8863bf2e42d22c163f271e524a189ae921335b8958a29c57bc2e |
| SHA512 | d59f36dd1d0fa5c1815f30f208ae4987c89f676c52112b093013aa402bca44ce1f9b9571abb42a176f8d434ae8a2b71a7bd1c058f2a5254be1082d11b99b9f38 |
C:\Users\Admin\AppData\Local\Temp\CC6C.exe
| MD5 | 9a8ced484319575a23b23e72ef064368 |
| SHA1 | 630123e785da8b196387dd67444bb2153f71c054 |
| SHA256 | 2fdc3d510975484e43a2e755f922423b99eb6bcaf387490364fa3cecdb4da8cf |
| SHA512 | 0500b0cdb012d01e23fbefe2ed2b2c80644d496565ef608fe518b82f65aeb4461f9ad8f4d558b8f3913c739d8fa068e64b35a0dab0871855eb33b50696184336 |
memory/536-122-0x0000000000400000-0x0000000000848000-memory.dmp
memory/4292-123-0x0000000000110000-0x00000000009C6000-memory.dmp
memory/4292-124-0x00000000730C0000-0x0000000073870000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d847dbfee9bfc8426168aad888ede9bd |
| SHA1 | f8b60258c711d19ea1d5413a3aee21262d8b8db7 |
| SHA256 | fbdbcee82d428a818977ef77349eb7ebcb45b205751547ba4c6df3d0e8bffc07 |
| SHA512 | 4c4f542caa52c03f319698aeb7e05d29c1d13a8a0fed7fbde00ecfd5bf6a033c2be8d6b517f59a46ea66cb182995c6bece0e1ee002b3724e40f5286b700ee9a1 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 125dc72f7394d316e83ed60f8f0e8bcf |
| SHA1 | b91481003edf4ae53c0647c60c1e5fb90d1fc556 |
| SHA256 | 851a22dd8d0f7645b50a5448b6515540ec5adbebdf73adeea24914ea56543c8c |
| SHA512 | 0ca367c13a52e2e5b25b94fa81c73e3d6bf5f2a8e6bdf61e5492d493cbd0789a26ab80fdfb81d6c3bde2b947487374badb881a06a4981c420de3873e52dc7fff |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 8ad403ae8cf15c720dc1689b03c0b14e |
| SHA1 | 613000bf380626170aecd8c41a4f5f24e38c81d0 |
| SHA256 | fe19d50595bb81e5e911467900dbad4403fcb802d1a6032ffacdd08c762b555f |
| SHA512 | 20ce4c596457004db0559a4d7227bdd1650cba48305d5fc81f4abb9fbfbb06fb0fa21d56a8f1a96101656173943aa144a84bfa7e8e28eaa8316895a4bd5eca9f |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 6e94be834388b59641369a604bd1b79c |
| SHA1 | 7a1cddd9a66c151f33d89d925c29e33ce774756e |
| SHA256 | 98dddaa1f0cee8eda930283954a5e74c6d35b6ed9b4733a9e2cfe384ab6450d3 |
| SHA512 | 89c769a1e46bb20746c8b99bc8a2752f39353455f4bda7a03780069002a2edbf4ee8803d493bb5991feaac6f364703cfd4d41064f6140cc65c632b89b960becf |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 056c2a1b8518a809d87d1e20b6c44627 |
| SHA1 | 9179a74d0717bc42e27ce11515a88ebdbe3513b4 |
| SHA256 | 758c179987837398a9cd7418e7f451387b62304bf13544005c433c16843a1f85 |
| SHA512 | d9afb3cf7619cf615a31f9edec8b06e302788124bdde43508c27401e252667851bc8f513c990baeb1166c770c69cef913c41f5e59df37f309f352271d75ac629 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 0b5ed34f6d958857a8aed0c090358ff4 |
| SHA1 | 5954283ec26e51f322593e53b6b32e3f70d43ac3 |
| SHA256 | 4301f0bd33640a1b767e4d605bbbaf78567091e51019f132fb06558127f4acb3 |
| SHA512 | 2bec28c4eeba2f75b9a5280c457fb1220d13d829905b6f0bac8fcd64bee791557cc38e38610f5e9a3478ad0a76d9d9a3bd36f3496ad1e3785376df7140ef8c9c |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 2894bac8eef6977463a9b6b2b4ebfb45 |
| SHA1 | 24e371157c3114cd29a54cd635ddb884046a3f6b |
| SHA256 | d880568ca69cbd902df113d63331abce86cc5f454ceadac09c5cee53942a5762 |
| SHA512 | 903c63b84eb3f5c8dabe8e95388779fb50408eb58f80c8fdbfaec363fdaaff921089d00c117636304eaa2602c76ed53667472c6a983e9fcfd19d1b8b103a92a6 |
memory/4292-165-0x00000000730C0000-0x0000000073870000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 82cdecfada1f99d8d61ecbafba26dd3c |
| SHA1 | c24e2cfa6418272cb219ed17e8b1da353829ec6d |
| SHA256 | 1a59a91c1991ac5d8a3dd0c136a95d714244ee8687af7cfcb981b4d0a821e979 |
| SHA512 | e2e3080d59517633f6dff6d3d23fc027758e75d0c9fc9be86a73e3bb56018e7c25880e0373790ab549d433333563df8a160e822eaf5b93357a96a8efd9775674 |
C:\Users\Admin\AppData\Local\Temp\nsuD283.tmp\INetC.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
memory/4260-172-0x0000000000980000-0x0000000000981000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsuD283.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/3928-180-0x0000000002970000-0x0000000002D70000-memory.dmp
memory/4140-181-0x0000000001C10000-0x0000000001D10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nssD880.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
| SHA512 | 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177 |
memory/4140-188-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/3928-189-0x0000000002D70000-0x000000000365B000-memory.dmp
memory/2908-190-0x0000000003650000-0x0000000003677000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\DC8A.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA1 | 3cfe837b022d15fd869e6262813e38ed8efb92dc |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
| SHA512 | bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107 |
memory/2908-196-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/780-198-0x0000000001B80000-0x0000000001B8B000-memory.dmp
memory/780-199-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/3928-200-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4008-202-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2908-201-0x0000000001C70000-0x0000000001D70000-memory.dmp
memory/780-203-0x0000000001CF0000-0x0000000001DF0000-memory.dmp
memory/4248-205-0x0000000001FC0000-0x0000000001FC1000-memory.dmp
memory/3208-206-0x0000000005130000-0x0000000005166000-memory.dmp
memory/3208-208-0x0000000072BD0000-0x0000000073380000-memory.dmp
memory/3208-209-0x0000000005270000-0x0000000005280000-memory.dmp
memory/3208-207-0x00000000058B0000-0x0000000005ED8000-memory.dmp
memory/3208-210-0x0000000005270000-0x0000000005280000-memory.dmp
memory/3208-212-0x0000000005630000-0x0000000005652000-memory.dmp
memory/3208-213-0x0000000006050000-0x00000000060B6000-memory.dmp
memory/3208-215-0x00000000060C0000-0x0000000006126000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2qpfuad5.lyz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3208-225-0x0000000006230000-0x0000000006584000-memory.dmp
memory/3208-226-0x0000000006710000-0x000000000672E000-memory.dmp
memory/3208-227-0x0000000006750000-0x000000000679C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 7ac70ea02e81ae10b763bf91cfe9f251 |
| SHA1 | a45aef65a225f69a5515013288199c1810f7f16e |
| SHA256 | 8812aa6fbe7e2bb32bf20a0172222e428f9d1217587e8ebe74ba428d0451a022 |
| SHA512 | 4c4f1c93f7c63655d91e034dd0677a1fdbb1038eb07996f141ed8ba06a8ba3bc9b095017308705a6b4492374c27491f9818bb4117d91ac6c449d2180190d79a5 |
C:\Users\Admin\AppData\Local\Temp\E5E2.dll
| MD5 | f469c5aba9b2d57a2479f8d5805390d1 |
| SHA1 | 8b006c702ef7d6b96c8bf2c60ca0aa1308c2ba4e |
| SHA256 | 3abc70b837ad8c2d4859e381d49be3261531f0008c3c34f393b0b06ae2eec2f6 |
| SHA512 | 3027232cd103bde045a38fc5dce1365f80fa5446d1ef779909232e2be1ed33488d4b29b4083f7f2b93ca9aefe937d3ce26234bffcdca8a3e184abbd6a5daf24a |
memory/1404-235-0x0000000010000000-0x0000000010202000-memory.dmp
memory/4248-236-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2976-239-0x0000000000400000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\E5E2.dll
| MD5 | 9b1697d40dfd386fdd7e9327844f301a |
| SHA1 | e75defb119e2c7b7d3f75ab70a100ec504af5ebf |
| SHA256 | 69e7b08c127dde5fd1f85e1e8107d06aa686e94aef3fd48ff0bb092b38a0cb1d |
| SHA512 | 3e945bf24ed81fdc49e974d086a70f9758a17b8656bb0e460dca0be2a84fa0ba065b62b6dd5d55ca1dbe0b4f19ec4f164df84c115244f1cbfddd79611d013d69 |
memory/1404-242-0x00000000005A0000-0x00000000005A6000-memory.dmp
memory/2908-238-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3208-252-0x0000000006C70000-0x0000000006CB4000-memory.dmp
memory/3208-272-0x0000000007A50000-0x0000000007AC6000-memory.dmp
memory/3208-284-0x0000000008150000-0x00000000087CA000-memory.dmp
memory/3208-285-0x0000000007AD0000-0x0000000007AEA000-memory.dmp
memory/3500-295-0x0000000002610000-0x0000000002626000-memory.dmp
memory/780-297-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/3208-302-0x00000000706E0000-0x000000007072C000-memory.dmp
memory/2976-301-0x0000000000400000-0x0000000000700000-memory.dmp
memory/3208-300-0x0000000007C90000-0x0000000007CC2000-memory.dmp
memory/536-299-0x0000000000400000-0x0000000000848000-memory.dmp
memory/3208-303-0x000000007F2C0000-0x000000007F2D0000-memory.dmp
memory/3208-304-0x0000000070840000-0x0000000070B94000-memory.dmp
memory/3208-314-0x0000000007CD0000-0x0000000007CEE000-memory.dmp
memory/3208-318-0x0000000007CF0000-0x0000000007D93000-memory.dmp
memory/3208-319-0x0000000007DE0000-0x0000000007DEA000-memory.dmp
memory/1404-326-0x00000000024C0000-0x00000000025E8000-memory.dmp
memory/3208-327-0x0000000072BD0000-0x0000000073380000-memory.dmp
memory/1404-331-0x00000000025F0000-0x00000000026FD000-memory.dmp
memory/1404-334-0x00000000025F0000-0x00000000026FD000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | c2880aa35138e7b312eafd93bb636f06 |
| SHA1 | 97230828569eff070bc295674944752a4a427797 |
| SHA256 | 323b7760cfdcd4ba75d280f7bcd0d2ee0f749e6965138860d5276f8865ab46a6 |
| SHA512 | c5275422ecff50c3b56aa5553f8061fc647c773efb1c87e36e844b8fdfdc9db04f23ce72ba2e2b5641336c659c5b9a932e8fdc3428e4d6e1aa3dbf2193d56233 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 630dfa44d79eae6e77011c43d36944af |
| SHA1 | 0b3fb8ed546593cd92b6128761edbffad633ae81 |
| SHA256 | 806fae64d18d87b7d9829ef0d3417a39c95ac0e52b9f88725439d602265eb0ed |
| SHA512 | bb1aa89c27c751c6e1b4056a3dc73b6804ba19100cf0f6dfdfebac783931cf5d7d06961bf94997cd3ee8396efb33d143883b0b77af402e2ac5f6106b36c74248 |
memory/3928-350-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4260-360-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/2908-361-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |