Analysis Overview
SHA256
01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Threat Level: Known bad
The file 84b607224b08194b311683727ad11950.exe was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Glupteba payload
DcRat
Glupteba
SmokeLoader
Downloads MZ/PE file
Creates new service(s)
Modifies Windows Firewall
Stops running service(s)
Deletes itself
Checks computer location settings
Executes dropped EXE
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
Loads dropped DLL
Manipulates WinMonFS driver.
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Writes to the Master Boot Record (MBR)
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of UnmapMainImage
Checks SCSI registry key(s)
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Modifies data under HKEY_USERS
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 12:14
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 12:14
Reported
2024-02-27 12:16
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
151s
Command Line
Signatures
DcRat
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9E63.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
SmokeLoader
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8D9.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\9E63.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C584.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FourthX.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\windefender.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1784 set thread context of 3496 | N/A | C:\Users\Admin\AppData\Local\Temp\9E63.exe | C:\Users\Admin\AppData\Local\Temp\9E63.exe |
| PID 1704 set thread context of 4416 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\system32\conhost.exe |
| PID 1704 set thread context of 4524 | N/A | C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe | C:\Windows\explorer.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3A5A.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3A5A.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\3A5A.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3A5A.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe
"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
C:\Users\Admin\AppData\Local\Temp\9E63.exe
C:\Users\Admin\AppData\Local\Temp\9E63.exe
C:\Users\Admin\AppData\Local\Temp\9E63.exe
C:\Users\Admin\AppData\Local\Temp\9E63.exe
C:\Users\Admin\AppData\Local\Temp\C0A1.exe
C:\Users\Admin\AppData\Local\Temp\C0A1.exe
C:\Users\Admin\AppData\Local\Temp\C584.exe
C:\Users\Admin\AppData\Local\Temp\C584.exe
C:\Users\Admin\AppData\Local\Temp\CBEE.exe
C:\Users\Admin\AppData\Local\Temp\CBEE.exe
C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
"C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp" /SL5="$E0058,2248936,56832,C:\Users\Admin\AppData\Local\Temp\CBEE.exe"
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
C:\Users\Admin\AppData\Local\Temp\8D9.exe
C:\Users\Admin\AppData\Local\Temp\8D9.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\3A5A.exe
C:\Users\Admin\AppData\Local\Temp\3A5A.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 1896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2516
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 4108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 748
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\516D.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\516D.dll
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1464 -ip 1464
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2448
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UTIXDCVF"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 8.8.8.8:53 | 120.85.215.91.in-addr.arpa | udp |
| N/A | 127.0.0.1:52103 | N/A | tcp |
| NO | 87.248.7.41:9003 | N/A | tcp |
| CA | 24.150.204.225:9003 | N/A | tcp |
| FR | 62.210.123.24:443 | N/A | tcp |
| US | 8.8.8.8:53 | 24.123.210.62.in-addr.arpa | udp |
| GB | 142.202.51.68:9001 | N/A | tcp |
| BG | 46.10.211.74:22612 | N/A | tcp |
| US | 8.8.8.8:53 | 68.51.202.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.211.10.46.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 8.8.8.8:53 | resergvearyinitiani.shop | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| US | 172.67.217.100:443 | resergvearyinitiani.shop | tcp |
| US | 8.8.8.8:53 | 103.29.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.217.67.172.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | technologyenterdo.shop | udp |
| US | 104.21.80.118:443 | technologyenterdo.shop | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 118.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lighterepisodeheighte.fun | udp |
| US | 8.8.8.8:53 | problemregardybuiwo.fun | udp |
| US | 8.8.8.8:53 | detectordiscusser.shop | udp |
| US | 172.67.195.126:443 | detectordiscusser.shop | tcp |
| US | 8.8.8.8:53 | edurestunningcrackyow.fun | udp |
| US | 8.8.8.8:53 | pooreveningfuseor.pw | udp |
| US | 8.8.8.8:53 | turkeyunlikelyofw.shop | udp |
| US | 188.114.97.2:443 | turkeyunlikelyofw.shop | tcp |
| US | 8.8.8.8:53 | 126.195.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | associationokeo.shop | udp |
| US | 104.21.10.242:443 | associationokeo.shop | tcp |
| US | 8.8.8.8:53 | 2.97.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.10.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| PA | 200.46.202.73:80 | trmpc.com | tcp |
| US | 8.8.8.8:53 | 73.202.46.200.in-addr.arpa | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.191.110.104.in-addr.arpa | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| BG | 46.10.211.74:22612 | N/A | tcp |
| GB | 142.202.51.68:9001 | N/A | tcp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kamsmad.com | udp |
| US | 8.8.8.8:53 | 88681770-3901-4da8-8a96-905000c85241.uuid.statsexplorer.org | udp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | 116.75.156.187.in-addr.arpa | udp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| MX | 187.156.75.116:80 | kamsmad.com | tcp |
| US | 8.8.8.8:53 | xmr-eu2.nanopool.org | udp |
| FR | 163.172.171.111:14433 | xmr-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.34.170:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 170.34.67.172.in-addr.arpa | udp |
| N/A | 127.0.0.1:32472 | N/A | tcp |
| US | 8.8.8.8:53 | server4.statsexplorer.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
| US | 162.159.135.233:443 | cdn.discordapp.com | tcp |
| CH | 172.217.210.127:19302 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | carsalessystem.com | udp |
| US | 104.21.94.82:443 | carsalessystem.com | tcp |
| US | 8.8.8.8:53 | 127.210.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.94.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.135.159.162.in-addr.arpa | udp |
| BG | 185.82.216.108:443 | server4.statsexplorer.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\9E63.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
C:\Users\Admin\AppData\Local\Temp\9E63.exe
| MD5 | 1ae586467ea8583bac04590fac52c7f2 |
| SHA1 | 0e8169c6ab99805b2b43b4fcebf4910a716bd04a |
| SHA256 | 929fef5c32cc87661cbf730342470b9244af91544f3749826c52d2c2cd47ffea |
| SHA512 | d3bbf50c637adefe84721318510f5c6a14f469ee0ca0bb74df1a14807aa65d568f879e4dd60d6941bc75fdbc08a5e204902453d56c9212912835f60c8ed18233 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 09cc191faf62ec87441c04cd853644a7 |
| SHA1 | a0ced79bdf965194c3ecaa156818d38acccdc27a |
| SHA256 | ae9e9ca3bae01804f232d93370d42bd4cf7dbfa30e809d4e91ce9d977c49b1a8 |
| SHA512 | 8728e67a2ac66df79c040c6eb16d2777f98a70baf9b2c0f25892b671169efbb94b06ec2548be050608deda0ecad97016d98b9cfbce4165d1efc3faa98cbb13fa |
C:\Users\Admin\AppData\Local\Temp\C0A1.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
C:\Users\Admin\AppData\Local\Temp\C584.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
C:\Users\Admin\AppData\Local\Temp\CBEE.exe
| MD5 | 6b1a309c609a892cc6f19a61f3ec7a28 |
| SHA1 | 4a99ae82573addac9055915e65b6475931825a3e |
| SHA256 | 5dddcc5de1a79d8d40b4a02ccea49913292bea3be52b51fdf5f14ebb97fdd776 |
| SHA512 | c777ceda6a002785f9670b0af85c3f273436e262dd60290c909124d57974eb139a1b40acd34b7a5c4d840ea7a2aa2de76898a240443a44e506b75ae867c8dfc0 |
C:\Users\Admin\AppData\Local\Temp\CBEE.exe
| MD5 | 66db0d066c82c233d7503d6a50fe91ad |
| SHA1 | 823a20e83d3a4f61ced3c2f7f6aa634eb25348e0 |
| SHA256 | d0b2ba7afa9e94cbd574d1a6d386569ab12c12faa9c85ba9f1df0378e405b410 |
| SHA512 | 49cce41f42159e1744ee90f8ff89548c3c9cf2492cfca2b5dae967394260ee5fec250572dae6fa6640c074fc8808cd7ac397c1f2a7800dc81956a3c0639a5b5a |
C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
| MD5 | a1b45df2ed6b73416fdf10a62a69f8f0 |
| SHA1 | 053d566b3d1d4ec47d4dff670611a20802b1a366 |
| SHA256 | 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d |
| SHA512 | bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2 |
C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 5c64ecde29da99c3f8e2fb087d86873e |
| SHA1 | a9f30fcb14242d577b36eef78071c100499fbf99 |
| SHA256 | a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261 |
| SHA512 | 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d |
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | b908d82e948139ac68759da744a75ce3 |
| SHA1 | a91fa6b2d2f0e66448f9a6f293f037cfe180a1ec |
| SHA256 | ff30431ceb865068054a789fa03b40f905083c27c26191865a6912ec653c72a0 |
| SHA512 | f762e4c32ea157a4d99e7e33ef0ea776ca090fb7068e73d5bbb582d6c86383de797aa03aed53f19e576889c3e59955a8ebeaffecb335d8879754760f4dc8c4d1 |
C:\Users\Admin\AppData\Local\Temp\8D9.exe
| MD5 | ceae65ee17ff158877706edfe2171501 |
| SHA1 | b1f807080da9c25393c85f5d57105090f5629500 |
| SHA256 | 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49 |
| SHA512 | 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | d122f827c4fc73f9a06d7f6f2d08cd95 |
| SHA1 | cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5 |
| SHA256 | b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc |
| SHA512 | 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | 28b72e7425d6d224c060d3cf439c668c |
| SHA1 | a0a14c90e32e1ffd82558f044c351ad785e4dcd8 |
| SHA256 | 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98 |
| SHA512 | 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | a5f70019477726fdf048623738b725ce |
| SHA1 | 2432e57e28133351453973cc3c01486966edbac2 |
| SHA256 | af07b04729c48194245c4c2920cc84470f830c63715c535b7ab24979923fa032 |
| SHA512 | bd882312cf4a2b62b6155620f84493d35418dcaac735b0ecfea22fa89c788bc219974b62175514aaae143aef2a9db7a66d2cb928284def16695171df7f7c5b2f |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 5ca01423a29016851cc4e6281916cb2c |
| SHA1 | 583cbe4fc8a69b4f324e60257da872531c7b1a5a |
| SHA256 | 8ff85221e7fdd4c93b8828ebcef9c255273f5beb067a44b24e1ca87d9e898ec1 |
| SHA512 | 68a605768e4dac8ce37ac43d54536429c3f6aa6e5be656e6f0bc61155380a604d434b50899fa986d017316e8397ddf2f91445a9c4ce72a9072580a003ad022a4 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 04fcc1fdd58f42e0490e828028e69579 |
| SHA1 | 974b63311a31fcff5451cb98dc4df801e855b4e4 |
| SHA256 | a8fea3f6fe17200d8be207b2bca386e973a636498066594d4cf00e110c37152a |
| SHA512 | 68e805595a3507e7421ae1dd305c63138c33cd2bb553348f8a6fcd9c222413cfd184fe4f67a8151753c74c9912563064e101fe09f1e2e13a7782b8323889581c |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 6c23834bfe6181a0b17575b2ce079cbe |
| SHA1 | 56ef6ff395989cfcc4ec8cad75055f62c8334b3c |
| SHA256 | 3095ebdcbec94aeff052d72e4778ad33b9fdf00a9e294e03143e0f7961c0160f |
| SHA512 | c53324d10c7d335a6c7605a82b79757199d730f941756fc8b9a6a6bda4cdd229b797ac113abee5e5e0d0f676893986c869d54d79eec3070e1629fccb919dca77 |
C:\Users\Admin\AppData\Local\Temp\nsl147E.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | e26f71a0d7c8b755b4df392aa6a9d1ae |
| SHA1 | 60708c86d2ccce39eeebcda381bef38a4c6ac89c |
| SHA256 | a787cf08025716820635f1b5d276c0bc6ccef15b99247b2ee6f3f2cf096b9272 |
| SHA512 | c141ebe852b86b15cdeb8ea8ebadedca7b6be29dbb296aab953e4ca68a3e938a9c60d75f8e70032aed7b9bc9ad38325926ddab253468413af17b76aaa99ebcf3 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 8887a0315f3e8d2b2a4dc28802b8f215 |
| SHA1 | 09007b67b0bd115956023f6c4df7843bc3347752 |
| SHA256 | 061f0f07c47578bd9ae8a93554b5d304a40be9fd44b328db115b450f9fdf516a |
| SHA512 | cf58efbf119dd223645f02e995842915a4067487f5e9fde839ae013a6e5c4f45b31b2f08f0213d083d9707ba8d2370fdfeec8a8822cdf8a68095d8bd9b12c152 |
C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
| SHA512 | 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdm5owvo.uka.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\3A5A.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA1 | 3cfe837b022d15fd869e6262813e38ed8efb92dc |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
| SHA512 | bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107 |
C:\Users\Admin\AppData\Local\Temp\516D.dll
| MD5 | 286796d0050225040303192dffc1c4ef |
| SHA1 | daef291b3941387fee3ced03d44a4e254dfec217 |
| SHA256 | 1546488b5733038151f0c4f8e946afc1cc87990b51a4f191b0911d6705ba6e24 |
| SHA512 | 04d623a2fe9fa8ec639b9c0ba467f5a2929992f514a1885f943a93401da94ab50ff1c9e0b3ac3e86b79ea570b7010583fbcca062612e28161a1ac0b62b6b56b8 |
C:\Users\Admin\AppData\Local\Temp\516D.dll
| MD5 | da30e7111769af02730a498c7d635877 |
| SHA1 | 052813b8db392217776729867bf3e082d89edd15 |
| SHA256 | 1edd160ab194f1894469cce0d336ae3caa29f1434350c4a7a32dceb30b5ef2e4 |
| SHA512 | 02aa1608592043503b96c48d508699110009c729bbcda779b1def9fad0fd64394e5c78c29f70678d46548c7a1e48ac1620608b850a36c3d680de7dab4ccaa702 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d2d76c81a044aa0266852ef7d7989fd8 |
| SHA1 | 1244c072957954b05ed6fbe35cb2b1106e59af30 |
| SHA256 | 005da31948ac86589ccd25ee68ee00c2a819f07b51bbb061b0e1699d37547a66 |
| SHA512 | a69f636e55b12348a898eaec42e2ed0c7b9f4370c3510638415f78198155eb253351ae040c8f9b88cdd6cba46587624c55cf3f39c13281a41fd95c2277c3a583 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c5a1cd740f3fccd7c193db7e3a7269fb |
| SHA1 | 85c97899fe1a858d5fa4f563b8d4d7cbdfb6a7c0 |
| SHA256 | 263d5eec2d2c8c8bbea2b82b5e743afdf237d74d8049e3e477830e50404eea74 |
| SHA512 | cb950b5b04a1e68233a3ec1bd2ef7868863a671c041c0dbbcb3981fefb5ab534c5cf421c21a7ff7cad4cbf5ec77d7161e78d5c412b4cb64c8f94b30199ed3b8f |
C:\Windows\rss\csrss.exe
| MD5 | 34666eafe0fffb6a73e31c1e09ecac4f |
| SHA1 | ffd5c92070e4a8fab8f8095316d73ccd485f6294 |
| SHA256 | d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232 |
| SHA512 | 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966 |
C:\Windows\rss\csrss.exe
| MD5 | 6bdb234305778c39ec1121b20dbb5b46 |
| SHA1 | 9397990981227c7b06a4ad4d1a2b030d38fcd6e1 |
| SHA256 | 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b |
| SHA512 | 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f046610a6adeece7f7fd84d060c8cf40 |
| SHA1 | 5f8c6b9c26b9fc572c93289297b561da18a0e262 |
| SHA256 | 3a1db8926423c5e0054875963f992b282220024565eee75e1a1c5483dfec2750 |
| SHA512 | a403a3b5324c197cce732f329340ff9c7b51c33810d3fef9e42a3a76361cb079f6250479ef50d6db9f1ce73ede9752a300d3c9489631ffd1a41e64a7f12c0425 |
C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c926a9f2c66670ae0d75b34af4619902 |
| SHA1 | d7373210bee43e1c7b4d4155236980c62cc84e70 |
| SHA256 | 91a3cd24b8d05588ca9a9524cf49ac498e187949e88ab953249ba8f40c82752c |
| SHA512 | 645176757c3f78e1c968686e8ffb800ed4bf74a6469dd7a7e0b75f039425f70734afdf87ff9209083d4dd8b38dc6734a3cb742443056d04c81e9f83d71212685 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 18670145aa9e64dbc3f60006f981821f |
| SHA1 | d5ee5077959247e5eaa0665c445fc85125c1bf2f |
| SHA256 | fa7a716b5748d8a468af68a784f16926aed492f25a1bcd700404a725ce49245f |
| SHA512 | fc66d9e1987d7fa29ab65896ae4756ddd378deb0595e81f2f39c9717a77c3ec3a7449beae3477849490fa977ea722f410c0c83f0b39a35dfef7d96d896fa764c |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |
C:\Windows\windefender.exe
| MD5 | d480d873c3e1a4c4a90b2452fc1ec666 |
| SHA1 | 3b0657338cbfe497774af2809b9c6bfd64258aef |
| SHA256 | 691faf0177d29d8be9e5f8f3e7c0670066524a491891a0c37f3040d93f4d3657 |
| SHA512 | 2c38936a0d17ac94c5b611d4a54cc75f0a9c9b39630ab2dee028ce14ed8660ce86e8694e46fccbed3f9a74ac9845b4f47d279005845d22bfc42d837e04071929 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 12:14
Reported
2024-02-27 12:16
Platform
win7-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739A.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\B3C6.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C1CB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17F8.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\739A.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C7C5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\739A.exe | N/A |
Checks installed software on the system
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\C1CB.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2540 set thread context of 2524 | N/A | C:\Users\Admin\AppData\Local\Temp\739A.exe | C:\Users\Admin\AppData\Local\Temp\739A.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\B3C6.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe
"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"
C:\Users\Admin\AppData\Local\Temp\739A.exe
C:\Users\Admin\AppData\Local\Temp\739A.exe
C:\Users\Admin\AppData\Local\Temp\739A.exe
C:\Users\Admin\AppData\Local\Temp\739A.exe
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 124
C:\Users\Admin\AppData\Local\Temp\C1CB.exe
C:\Users\Admin\AppData\Local\Temp\C1CB.exe
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp" /SL5="$4016E,2248936,56832,C:\Users\Admin\AppData\Local\Temp\C7C5.exe"
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s
C:\Users\Admin\AppData\Local\Temp\17F8.exe
C:\Users\Admin\AppData\Local\Temp\17F8.exe
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\1DB3.exe
C:\Users\Admin\AppData\Local\Temp\1DB3.exe
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227121526.log C:\Windows\Logs\CBS\CbsPersist_20240227121526.cab
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp
C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4975.dll
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\4975.dll
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UTIXDCVF"
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | selebration17io.io | udp |
| RU | 91.215.85.120:80 | selebration17io.io | tcp |
| US | 147.92.88.67:9001 | | tcp |
| N/A | 127.0.0.1:49225 | | tcp |
| CA | 167.114.144.152:9002 | | tcp |
| DE | 62.171.180.6:9001 | | tcp |
| CA | 142.44.227.24:9001 | | tcp |
| FI | 65.108.233.166:9001 | | tcp |
| US | 8.8.8.8:53 | joly.bestsup.su | udp |
| US | 104.21.29.103:80 | joly.bestsup.su | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| CA | 142.44.227.24:9001 | | tcp |
| FI | 65.108.233.166:9001 | | tcp |
| N/A | 127.0.0.1:17798 | | tcp |
| N/A | 127.0.0.1:17798 | | tcp |
| N/A | 127.0.0.1:17798 | | tcp |
| US | 8.8.8.8:53 | trmpc.com | udp |
| BA | 185.12.79.25:80 | trmpc.com | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| DE | 185.172.128.145:80 | 185.172.128.145 | tcp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | gbmolb.cem | udp |
| US | 8.8.8.8:53 | redoffmbol.cem | udp |
| US | 8.8.8.8:53 | gbmolb.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | redoffmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | mezkerhbusjechzok.de | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | mezkerhbusjechzok.de | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | mezkerhbusjechzok.de | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | rh-umwelj.de | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | ocleud.cem | udp |
| US | 8.8.8.8:53 | ocleud.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | hejmbol.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemm | udp |
| US | 8.8.8.8:53 | mbol6.chshs.zjpc.edu.jw | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.hejmbol.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | eujleek.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ftp.redoffmbol.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.ybhee.cem | udp |
| US | 8.8.8.8:53 | mail.hejmbol.cem | udp |
| US | 8.8.8.8:53 | gmbol.cemm | udp |
| US | 8.8.8.8:53 | ftp.gbmolb.cem | udp |
| US | 8.8.8.8:53 | mbol6.chshs.zjpc.edu.jw | udp |
| US | 8.8.8.8:53 | ybhee.ce.uk | udp |
| US | 8.8.8.8:53 | ftp.ybhee.cem.jw | udp |
| US | 8.8.8.8:53 | ybhee.ce.uk | udp |
| US | 8.8.8.8:53 | ybhee.ce.uk | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | ybhee.cem | udp |
| US | 8.8.8.8:53 | gmbo.cem | udp |
Files
memory/2340-2-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2340-1-0x0000000001C00000-0x0000000001D00000-memory.dmp
memory/2340-3-0x0000000000400000-0x0000000001A2A000-memory.dmp
memory/1160-4-0x0000000002A10000-0x0000000002A26000-memory.dmp
memory/2340-5-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\739A.exe
| MD5 | 398ab69b1cdc624298fbc00526ea8aca |
| SHA1 | b2c76463ae08bb3a08accfcbf609ec4c2a9c0821 |
| SHA256 | ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be |
| SHA512 | 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739 |
memory/2540-17-0x0000000003600000-0x00000000037B8000-memory.dmp
memory/2540-21-0x0000000003600000-0x00000000037B8000-memory.dmp
memory/2524-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2540-22-0x00000000037C0000-0x0000000003977000-memory.dmp
memory/2524-24-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\739A.exe
| MD5 | e18fb53f7e5ac718c08ca0617ed8f301 |
| SHA1 | a68852d54a7a98882e175a46134c3abc9c6ea662 |
| SHA256 | c9f3d997f3d71783d7012be74a0230a9d4c689132bd4b7466f2d7757368dfa15 |
| SHA512 | b316bbc3eedcecd51da2775d3ca9b22783936354014e920baba7bf9c6c26c1575d84e242710b5eb3050ad853d665ef87062474744ee161155a7f72a5c36d638c |
memory/2524-27-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2524-28-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2524-29-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2524-30-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2524-31-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | 09cc191faf62ec87441c04cd853644a7 |
| SHA1 | a0ced79bdf965194c3ecaa156818d38acccdc27a |
| SHA256 | ae9e9ca3bae01804f232d93370d42bd4cf7dbfa30e809d4e91ce9d977c49b1a8 |
| SHA512 | 8728e67a2ac66df79c040c6eb16d2777f98a70baf9b2c0f25892b671169efbb94b06ec2548be050608deda0ecad97016d98b9cfbce4165d1efc3faa98cbb13fa |
memory/2524-44-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
| MD5 | 51a32a41e2ff5d470e4c5433e4e1afd9 |
| SHA1 | 805b9f086e128dca345cfdee2ea3ea25210c88ce |
| SHA256 | 1772682d75c3ec00717ced9a513e89e65e98d9d3774af2b264eb12e8894a82ff |
| SHA512 | 5a34c92cdce2e7e7bd386f193d21ed80ebcf9e2373cdba4c03154534a38b69593b5d8d2bbf4d3128aa5e6dfaad5fb35aa358364f0db25b48b1cb11fe93e4a289 |
C:\Users\Admin\AppData\Local\Temp\B3C6.exe
| MD5 | 98032e01a07b787b4416121c3fdf3ae5 |
| SHA1 | 65c8dc24c8b5d416c1e51105e190c440762069f3 |
| SHA256 | 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7 |
| SHA512 | 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb |
memory/2880-52-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2880-54-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2880-56-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2880-57-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2880-59-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2880-61-0x0000000000140000-0x0000000000141000-memory.dmp
memory/2880-64-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2880-66-0x0000000000160000-0x0000000000161000-memory.dmp
memory/2880-69-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2880-71-0x0000000000170000-0x0000000000171000-memory.dmp
memory/2880-74-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2880-77-0x0000000001000000-0x0000000001AAD000-memory.dmp
memory/2880-76-0x0000000000180000-0x0000000000181000-memory.dmp
memory/2880-80-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2880-82-0x0000000000290000-0x0000000000291000-memory.dmp
memory/2880-83-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2880-85-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2880-87-0x00000000002A0000-0x00000000002A1000-memory.dmp
memory/2880-90-0x0000000077640000-0x0000000077641000-memory.dmp
memory/2524-91-0x0000000000400000-0x0000000000848000-memory.dmp
memory/2880-92-0x00000000002B0000-0x00000000002B1000-memory.dmp
memory/2524-99-0x0000000000400000-0x0000000000848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C1CB.exe
| MD5 | a1b5ee1b9649ab629a7ac257e2392f8d |
| SHA1 | dc1b14b6d57589440fb3021c9e06a3e3191968dc |
| SHA256 | 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65 |
| SHA512 | 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b |
memory/1516-107-0x0000000001B70000-0x0000000001C70000-memory.dmp
memory/2524-108-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1516-109-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/1516-110-0x0000000000320000-0x000000000038B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | ab9d7aa35ceeffa6fced28d3ad80e762 |
| SHA1 | 748b5c2920d88f70d3c98f0454d0ad265598b974 |
| SHA256 | 67b466b12646f4ac2b9338ad1b797061954c036bda7bb703c0f2591b863b181a |
| SHA512 | 71e7cc467f84d1964f56a6ab618745d3e356bda20b48d9e933894edee219cbe666f3677bda08ed42cb1c2f2166b16d65bf17b7c5df6e25c9649249e36ced9e2b |
memory/284-118-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C7C5.exe
| MD5 | 8b0b0943877aa89cf021d5d5e2cbb1aa |
| SHA1 | 7a64ea593c231fb4b1d7c584980a6650960ac32b |
| SHA256 | b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905 |
| SHA512 | d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc |
\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp
| MD5 | a1b45df2ed6b73416fdf10a62a69f8f0 |
| SHA1 | 053d566b3d1d4ec47d4dff670611a20802b1a366 |
| SHA256 | 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d |
| SHA512 | bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2 |
\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_isdecmp.dll
| MD5 | 3adaa386b671c2df3bae5b39dc093008 |
| SHA1 | 067cf95fbdb922d81db58432c46930f86d23dded |
| SHA256 | 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38 |
| SHA512 | bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303 |
\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/1528-129-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
| MD5 | 5c64ecde29da99c3f8e2fb087d86873e |
| SHA1 | a9f30fcb14242d577b36eef78071c100499fbf99 |
| SHA256 | a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261 |
| SHA512 | 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d |
memory/1528-163-0x0000000003B70000-0x0000000003E70000-memory.dmp
memory/600-164-0x0000000000400000-0x0000000000700000-memory.dmp
memory/600-165-0x0000000000400000-0x0000000000700000-memory.dmp
memory/600-168-0x0000000000400000-0x0000000000700000-memory.dmp
memory/600-169-0x0000000000400000-0x0000000000700000-memory.dmp
memory/620-171-0x0000000000400000-0x0000000000700000-memory.dmp
memory/2880-173-0x0000000001000000-0x0000000001AAD000-memory.dmp
memory/620-174-0x0000000000400000-0x0000000000700000-memory.dmp
memory/2524-184-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1516-185-0x0000000000400000-0x0000000001A77000-memory.dmp
memory/284-186-0x0000000000400000-0x0000000000414000-memory.dmp
memory/1528-187-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/620-188-0x0000000000400000-0x0000000000700000-memory.dmp
memory/1516-189-0x0000000001B70000-0x0000000001C70000-memory.dmp
memory/1528-193-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2524-197-0x0000000000400000-0x0000000000848000-memory.dmp
memory/1528-201-0x0000000003B70000-0x0000000003E70000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\17F8.exe
| MD5 | 1a0d35f6effac44e7d2f4937239a7890 |
| SHA1 | 385622db160076834441f34ac0de9b5232ce8a0e |
| SHA256 | 09d59606b061b3996b2c0bc8aebb61d85ed3b28fd5e3ca409e8ab7a13867ebd4 |
| SHA512 | 265a5ff15df1f3852315d769bd2b010fc7460662b190b9d3e8a565a2192eedb0a192b7f0bdd3f1c93496e602bb7a33aae6d0e325f908a162d73038a27364ec1b |
C:\Users\Admin\AppData\Local\Temp\17F8.exe
| MD5 | fee18fad15d6e21df3eaa2c422deb789 |
| SHA1 | f2dd95c6fb0a06ac36ab26d1130a154e3c842cda |
| SHA256 | d9ac9bc239867db3351f51863b2968aeba500ecdfbd6cf88ce0ba601210aeed1 |
| SHA512 | 53606f55fddd0bf1c40fb6db4c3c2332c7f94e22c5a4fb951d6525e71bf3c265cd1eac757434907e281c6dbe53cbbb74bfc56a0692b44cdcbb7d447ca76076f9 |
memory/1552-207-0x00000000733F0000-0x0000000073ADE000-memory.dmp
memory/1552-208-0x0000000001340000-0x0000000001BF6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | bbd15ccb6180033558fcef9c26bce2ea |
| SHA1 | f25054b1e3feb30f801faddb463a0701574fb208 |
| SHA256 | 5d3326541b7592a600e5d2439787c466404d3584b3309074ae05e6cff31da99d |
| SHA512 | a7a69b9f97533237a69ca6a411aaa234b0be601b9bc0880849ae80cd10b0130eee1b0504c4b7396792733dcbe23de863cfeb845a0fac1788d47e5a8190b88afb |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | c1bda7f8e8b1772aa47c14f24131806a |
| SHA1 | b2b8eaf25b2ef7c85930d5b287e5aff5f189a7af |
| SHA256 | 8b4f23f82d579659a29c0d0e6c0aa5e47469fd080e1ca835ac6b6aa086041c2c |
| SHA512 | f59ddc579c2879bafad38d8f7dc9b4e3652cce4538b0332b096ab6c8c412b251f134e9b69d7bc3e1acf3f170eed22ea4c13318d1ef34f14157db6c3dbaa304aa |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 33b8ba6f4e6cf8d6e5c03d34d23fe31a |
| SHA1 | 99d4bec17b62f738c26521dbebce96b1c65bc675 |
| SHA256 | b279c9930b44a044278a47405617dfe1a2337fde9196cbd8dbeb9f43c70ed41e |
| SHA512 | 9ec1ca744c884bb09ff34cbb235ce5abd12f31c6a640bda29b5bc65c86a723d921f89150789c54ea429b47c618fd2cc35ba27037021c00ab3766739ba5f39131 |
\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | f30b31cd985bb3b4c2dced17df5ed9fb |
| SHA1 | 94a2218267ddd03b538636ace0593e38f52c9b5a |
| SHA256 | b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645 |
| SHA512 | 648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | f0ff5f372a958f41fa51da9c9f03c8b2 |
| SHA1 | 06d46a56e5bc97c19dd5fb7195e973121b641c55 |
| SHA256 | d2ed2c2940a1994e68fb473cf5e7c0ab0487d38ea141f35c0f6c07230e7e868b |
| SHA512 | 8ebc3a3acd0f9139707f0681f85457ffdaba8f6532bb7d28a196be05a0bf04692ffff4c0cf0a712897068c395e3f5aa64c799fd9cffc810b0139cb7d778e8424 |
\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | b0d57e6d5fc9c56a76c73dd4abcf39af |
| SHA1 | 86f43b94bae3b83fc7fe2e9006ea6f13cab7201c |
| SHA256 | 77f7855b58730066777ac2041f8a412ece456737018183999d8ab6fd6af51879 |
| SHA512 | 6a6132f60603457635e8f96d279c04dac7d2f4cd99ab655d40ef31487258198cd96890aeddcf8e0773a194e94fffe75df9cb760bc25e5e6dd55bd0ef8dbdefab |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 7a28ee2c85975a324052901d8370e041 |
| SHA1 | b3a4a904aaec064f0c2b4a5a73f6032c70f25489 |
| SHA256 | d32d4f301998b5892e34fcd16ed5953ca09098ae365dba556cf2d490bdfe6cb9 |
| SHA512 | 8d33a6d6b0646dd177b71d6f1bf132fb49b2198aa13fd4e12cd9be9f5c7c0fb6697c7c7a535c47f7deef28061c356fe7f7ba5df7ffc1778ff71609a88b2fdd8d |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | 6ef3edf4d23bb910afe422a2a442fe74 |
| SHA1 | e38ca79a7f3163dc000f63aea0a6258f8fa0ef13 |
| SHA256 | 137252c23757e5e0d99d53bae3305915a151bfb1c9b2dacba713caf4d3c7d55f |
| SHA512 | 935600fa640acdca693d791deebbed132dade5c11fbc2ddb3c2d3cc4284787b686876c6e96a718356f05b5d72f919d29faf15d592ed99b95dcef5c9a2dc28a62 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | bc8734b6c9a1c0daee56015569795877 |
| SHA1 | 07eabf9d20468b91094ef59e024c95512e81ba47 |
| SHA256 | 26d3ec3f2343e560e37e62eb2026e5a19eeb296a1f304b9db2e1954f997c2ee8 |
| SHA512 | 12b50d8d09df8002ae7c55a72133da149f0a71e8b4eac9ecf46d6f9bcd5bbc187445c5a63fae87d894876df7c976ba0443c047d8cada78ea0f2167b434aa4033 |
\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | c6d82c53a70939bf9579b79370191d6d |
| SHA1 | d33d21fb0f1d5624637826b8e6ce77c0c3225da5 |
| SHA256 | 9585a70174876f6eaa0877610cd91222f4d29cd3e9a666fbf7a8993f4369955d |
| SHA512 | e90094e1c145419ee8bd8db262d5ff4cb49e326b7b0af174f1f5cbd9b08572f6a42597fd9d971a2481eccab70c8b482d25394c9cee15851ef2bcd0cf08816886 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
| MD5 | a5cff547a0b21ea2b83973e448b9cde4 |
| SHA1 | 1ce21af16fc7990a6482813d5da8a01da6128c3d |
| SHA256 | 71c401cd7cdfb7c753c85656e4b2c14541b4ce56a919ec20882928c97bca8ac7 |
| SHA512 | d1314a37ed9ef07411c4c4e7b15078bec4c3e1a94823c3ef4e13e1f8958a2a21cce909aec9d5f5ff896b4a6035953f8c2fcdd498dfdf33a469894ea501a37825 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 15f35a20eaa6afdf85d13e7393e00dd8 |
| SHA1 | ae0c13ff90b76080fd0dd61bbf91f4b46742db66 |
| SHA256 | e0e452e96bcf27ab921f0e46c7d37d783d25a655f8698aefff375d9eaeebde38 |
| SHA512 | eb083ff690c73e710b9d799cc317e748920e1dfd87dafb2117bf4c9ad9a5b3586169dd4cc3f0064f81640752a5e2f076837648da4d5a95fff921877e49d96443 |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | bd31d1bde3494d280387cc081f7829af |
| SHA1 | 882e7c8c46d00a9ac04abb6d8d40dd7333524bf8 |
| SHA256 | 6af46f7a40c487191a953fb171a742afda53f6f3cd4de0c41fc1ac0d8e7ca129 |
| SHA512 | cae888e497324ed500eafc546f7af3a7819c8d40101d674e8236af5c5cb1101df46257d9c0691c3b43854cb5a4edca5f2018cb71201b5aad8bc771369aa59320 |
memory/1552-239-0x00000000733F0000-0x0000000073ADE000-memory.dmp
\Users\Admin\AppData\Local\Temp\nse1B9D.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2076-246-0x00000000001D0000-0x00000000001D1000-memory.dmp
memory/952-248-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/620-247-0x0000000000400000-0x0000000000700000-memory.dmp
memory/620-245-0x0000000000400000-0x0000000000700000-memory.dmp
memory/952-249-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/952-251-0x00000000029C0000-0x00000000032AB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1DB3.exe
| MD5 | b2c14d5c21130dc795b521206c0b97d4 |
| SHA1 | 3cfe837b022d15fd869e6262813e38ed8efb92dc |
| SHA256 | ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37 |
| SHA512 | bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107 |
memory/776-259-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/776-258-0x00000000002F0000-0x00000000003F0000-memory.dmp
memory/776-260-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | c7fe878e6fc3be20c84b5e85b97efe17 |
| SHA1 | 51ebfabdef927465e68c5843ae4f2a930b82a24b |
| SHA256 | a4a662c0c92c27d74fc00f6f5e24b1b4116da7d582607161f0570cdfcc0a6040 |
| SHA512 | 24f2fd40425ce1a1585157255b0dbb856635fa2fb08f00419693ebf8e0c774d47890aad7b69adee08b315607b0bc68375421737f4785b577110894028a013289 |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 075ba87f561aabdf85b6304d4c016cce |
| SHA1 | 8d328481f29e6f33f2abdf47846e4078d6963ae0 |
| SHA256 | 6398b519b64633375c432b8a02c9e2e7b5292180ffa6aa76adff0354d05ab7dd |
| SHA512 | 37812042b601b75ce29f2ffc32307ed08cd7fb58dd0b86bc30664af4941423faa042560281b7b1920aa9b94daa0fddae0f4536fcdbefff42d007296bf92827d2 |
C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp
| MD5 | da812d63d6637fbc245339e746ccf1f9 |
| SHA1 | 1d5c645e81e96606b26aa56526fb0022bb68c4b0 |
| SHA256 | 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba |
| SHA512 | 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177 |
memory/2576-287-0x0000000000400000-0x0000000001A2A000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 0f68106658c054bde5c705e5b1f000e6 |
| SHA1 | 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102 |
| SHA256 | 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c |
| SHA512 | 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e |
\Windows\rss\csrss.exe
| MD5 | 8968359e460df9992c18c113c1c17674 |
| SHA1 | 1370811cb82506f311c9ea7564df9a0029bd2265 |
| SHA256 | da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c |
| SHA512 | cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3 |
C:\Windows\rss\csrss.exe
| MD5 | aaf0bb37ae70edf36b650977fe25658f |
| SHA1 | dec39feae72f0c5ae84775303e543ca353de6256 |
| SHA256 | bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06 |
| SHA512 | d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4 |
memory/2448-298-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2640-336-0x00000000024D0000-0x00000000028C8000-memory.dmp
memory/776-345-0x0000000000400000-0x0000000001A2A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4975.dll
| MD5 | 29eb6d30843e8be8868fa094be34ce1d |
| SHA1 | 9bfb7fa1d52b4747597c89fadbb2ed783955fcc2 |
| SHA256 | 5ef77adb0b5b0981d5c1f14c7a1623d5b49f38ef441ed7cd1f660ed675e17548 |
| SHA512 | 191b68119ab6388b5775d9981b8c2537e42306709ed4c33fe2463dca8015abc48fe90b66394d3f70ffe38200c1b211feb24e9df3c6136566b001488daf06e3e9 |
memory/2640-481-0x0000000000400000-0x0000000000D1C000-memory.dmp
\Users\Admin\AppData\Local\Temp\4975.dll
| MD5 | 357fa7178d686f8197a5f4ba0a07d129 |
| SHA1 | 1aad3ab250681e9ee108df92d063629d50e30621 |
| SHA256 | 2ce7ce2046ba27fbc92d4a99e2def37a5f842d17246c95d4a6b2f3f7bb860a64 |
| SHA512 | c84ffa844c22a31caf5f759956dde426f5cbd8d2fa58ca17b4a61d8595ca35dd47363ff69cc3c34408ee922e4869a1817e5e00bd9fb392cb484c8fcf935523c2 |
memory/3660-1550-0x000000001B5D0000-0x000000001B8B2000-memory.dmp
memory/3660-1701-0x00000000022E0000-0x00000000022E8000-memory.dmp
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |