Malware Analysis Report

2024-11-15 06:19

Sample ID 240227-pee4nagd56
Target 84b607224b08194b311683727ad11950.exe
SHA256 01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0
Tags
dcrat glupteba lumma smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01006e47ba030748e7843e01ec62fdf7970d003931434837fa79cd4b84e3e0e0

Threat Level: Known bad

The file 84b607224b08194b311683727ad11950.exe was found to be: Known bad.

Malicious Activity Summary

dcrat glupteba lumma smokeloader pub1 backdoor bootkit discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan upx

Lumma Stealer

Glupteba payload

DcRat

Glupteba

SmokeLoader

Downloads MZ/PE file

Creates new service(s)

Modifies Windows Firewall

Stops running service(s)

Deletes itself

Checks computer location settings

Executes dropped EXE

Reads data files stored by FTP clients

Reads user/profile data of web browsers

UPX packed file

Loads dropped DLL

Manipulates WinMonFS driver.

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Writes to the Master Boot Record (MBR)

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of UnmapMainImage

Checks SCSI registry key(s)

Checks processor information in registry

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Modifies data under HKEY_USERS

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 12:14

Signatures

Unsigned PE


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 12:14

Reported

2024-02-27 12:16

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9E63.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload


Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8D9.exe N/A

Deletes itself


Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
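The upx tag comes from a static check on the sample and the executables it drops; the report gives no section detail. Added example, not part of the sandbox report or of the UPX project: a Python parser that walks a PE section table and reports the three things an analyst checks before unpacking, the UPX0/UPX1 section names, a section with no raw data but a large virtual size (the unpack target), and a high-entropy section holding the compressed image. The PE bytes are constructed inside the block (headers plus a pseudo-random payload, not a runnable binary); on a real case pass the sample's bytes to pe_sections() and packer_indicators() instead. The 7.0 entropy threshold and the 256-byte minimum are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data):
    """Bits per byte: 8.0 is uniform noise; compressed or encrypted data usually scores above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(data):
    """Parse the section table of a PE image and return name, sizes and raw-data entropy per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]      # COFF NumberOfSections
    opt_header_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_header_size                             # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections

def packer_indicators(data):
    """Reasons to treat the file as packed: UPX names, an empty unpack target, a high-entropy section."""
    secs = pe_sections(data)
    reasons = []
    if {"UPX0", "UPX1"} <= {s["name"] for s in secs}:
        reasons.append("UPX section names")
    for s in secs:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f'{s["name"]}: no raw data but {s["virtual_size"]:#x} virtual bytes')
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:   # assumption: thresholds
            reasons.append(f'{s["name"]}: entropy {s["entropy"]:.2f}')
    return reasons

def _section_header(name, vsize, vaddr, raw_size, raw_ptr, flags):
    # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
    return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)

def build_upx_like_pe():
    """Constructed minimal PE with a UPX-style layout (headers only; it is not executable)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections, no optional header
    hdr = dos + b"PE\x00\x00" + coff
    hdr += _section_header(b"UPX0", 0x10000, 0x1000, 0, 0, 0xE0000080)       # unpack target: virtual only
    hdr += _section_header(b"UPX1", 0x2000, 0x11000, 1024, 512, 0xE0000040)  # compressed image at offset 512
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 deterministic noise bytes
    return hdr.ljust(512, b"\x00") + packed

SAMPLE_PE = build_upx_like_pe()   # constructed data for this example

if __name__ == "__main__":
    for s in pe_sections(SAMPLE_PE):
        print(s)
    print(packer_indicators(SAMPLE_PE))
```

Section names are the weakest of the three signals, since UPX lets you rename them; the empty-raw/large-virtual section and the entropy jump survive that and also fire on most custom crypters.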

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9E63.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\C584.exe N/A
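C584.exe opening \??\PHYSICALDRIVE0 for modification is the write path behind the bootkit tag: the disk is opened as a raw device and sector 0 is rewritten, below the file system and outside anything a file-level scan sees. Added example, not from the report: Python that parses a 512-byte sector as a classic MBR, checks the 0x55AA signature, decodes the partition table, and compares the 440-byte bootstrap code against a known-good hash, which is the check a responder runs on the disk image after such an alert. The sectors below are constructed, and BASELINE_SHA256 is computed from the constructed stub; on a real case the baseline comes from a golden image or a pre-incident backup, and read_sector0() needs administrator rights on a live disk.

```python
import hashlib
import struct

SECTOR = 512

def read_sector0(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw device or of a disk image file (admin rights on a live disk)."""
    with open(device, "rb") as f:
        return f.read(SECTOR)

def parse_mbr(sector):
    """Parse a 512-byte sector as a classic MBR: bootstrap hash, disk signature, partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        # 16-byte entry: status, CHS first, type, CHS last, LBA start, sector count
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }

def mbr_verdict(sector, baseline_bootcode_sha256):
    """Compare the bootstrap code with a trusted hash and sanity-check the partition table."""
    info = parse_mbr(sector)
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        return "bootcode_modified"
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        return "suspicious_partition_table"
    return "clean"

def build_sector(bootcode, partitions, disk_sig=0x1234ABCD):
    """Assemble a test MBR from a 440-byte bootstrap and (status, type, lba, count) tuples (constructed data)."""
    assert len(bootcode) == 440
    table = b"".join(struct.pack("<B3sB3sII", st, b"\xFE\xFF\xFF", pt, b"\xFE\xFF\xFF", lba, n)
                     for st, pt, lba, n in partitions).ljust(64, b"\x00")
    return bootcode + struct.pack("<I", disk_sig) + b"\x00\x00" + table + b"\x55\xAA"

# Constructed "known-good" bootstrap: the opening instructions of a stock Windows MBR
# (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with zeros. A real baseline is recorded
# from a golden image, not from this stub.
CLEAN_BOOTCODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x00" * 433
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
# Constructed "infected" variant: the entry point now far-jumps somewhere else.
INFECTED_BOOTCODE = b"\xEA\x00\x7C\x00\x00" + b"\x00" * 435

NTFS_SYSTEM = (0x80, 0x07, 2048, 1024000)   # bootable NTFS partition starting at LBA 2048 (constructed)
CLEAN_SECTOR = build_sector(CLEAN_BOOTCODE, [NTFS_SYSTEM])
INFECTED_SECTOR = build_sector(INFECTED_BOOTCODE, [NTFS_SYSTEM])

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("infected", INFECTED_SECTOR)):
        print(label, mbr_verdict(sec, BASELINE_SHA256), parse_mbr(sec)["partitions"])
```

On a GPT disk the protective MBR still carries bootstrap code at the same offset and the same comparison applies; a bootkit that also stores its payload in the unallocated sectors between the MBR and LBA 2048 is found by hashing that gap against the baseline image in the same way.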

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\windefender.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1784 set thread context of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1704 set thread context of 4416 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe
PID 1704 set thread context of 4524 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe
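Read together with the WriteProcessMemory rows later in this report and the Suspicious use of UnmapMainImage signature, these three rows describe the hollowing sequence: a parent writes into a child (or an existing process) and then points one of its threads at the written code. 9E63.exe doing this to a second copy of itself (PID 1784 into 3496) is the self-hollowing pattern of a crypter stub; vueqjgslwynd.exe doing it to conhost.exe and explorer.exe is injection into living system processes. Added example, not part of the report: Python that parses rows in the report's own format, correlates the two event types per (source PID, target PID) pair, and classifies each pair. The sample rows are copied from this report's SetThreadContext and WriteProcessMemory tables; the verdict names are this example's own.

```python
import re
from collections import defaultdict

# Row shapes used by the report's tables:
#   PID <src> set thread context of <dst> <indicator> <process> <target>
#   PID <src> wrote to memory of <dst>   <indicator> <process> <target>
CTX_RE = re.compile(r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) (?P<ind>\S+) (?P<srcimg>\S+) (?P<dstimg>\S+)$")
WRITE_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<ind>\S+) (?P<srcimg>\S+) (?P<dstimg>\S+)$")

def correlate_injection(rows):
    """Group write/context events by (source PID, target PID) and classify each pair.

    Returns (src_pid, dst_pid, verdict, target_image) tuples sorted by PID pair, where verdict is
      self_hollowing       - writes plus SetThreadContext into a process with the same image
      remote_thread_hijack - writes plus SetThreadContext into a different image
      context_only         - SetThreadContext without a captured write (writes may be outside the window)
      write_only           - writes without a context change (normal when a parent starts a child)
    """
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src": "N/A", "dst": "N/A"})
    for row in rows:
        for field, rx in (("ctx", CTX_RE), ("writes", WRITE_RE)):
            m = rx.match(row.strip())
            if not m:
                continue
            p = pairs[(int(m["src"]), int(m["dst"]))]
            p[field] += 1
            # Keep a real image path when any row carries one instead of N/A.
            if m["srcimg"] != "N/A":
                p["src"] = m["srcimg"]
            if m["dstimg"] != "N/A":
                p["dst"] = m["dstimg"]
    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if p["writes"] and p["ctx"]:
            verdict = "self_hollowing" if p["src"].lower() == p["dst"].lower() else "remote_thread_hijack"
        elif p["ctx"]:
            verdict = "context_only"
        else:
            verdict = "write_only"
        findings.append((src, dst, verdict, p["dst"]))
    return findings

# Rows copied from this report (SetThreadContext table above, WriteProcessMemory table below).
SAMPLE_ROWS = [
    r"PID 1784 set thread context of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe",
    r"PID 1704 set thread context of 4416 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\system32\conhost.exe",
    r"PID 1704 set thread context of 4524 N/A C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe C:\Windows\explorer.exe",
    r"PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe",
    r"PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe",
    r"PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe",
    r"PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe",
    r"PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe",
]

if __name__ == "__main__":
    for src, dst, verdict, image in correlate_injection(SAMPLE_ROWS):
        print(f"{src} -> {dst}: {verdict} ({image})")
```

The same correlation works on Sysmon data (event 8 CreateRemoteThread and event 10 ProcessAccess with a write-capable GrantedAccess) once the rows are mapped to the same (source, target) keys; the write_only class is what keeps ordinary parent-to-child process creation out of the alert queue.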

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
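The Run values recorded above (CSRSS pointing at C:\ProgramData\Drivers\csrss.exe, csrss pointing at C:\Windows\rss\csrss.exe) and the files dropped here share one trait: a name that mimics a Windows component (csrss.exe, plus the invented windefender.exe) in a directory where that component never lives. Added example, not from the report: Python that takes registry Set value and File created rows in the report's format and flags that name/location mismatch, so the same check can run over Run-key and file-creation telemetry. MIMICKED_NAMES and LEGIT_DIRS are assumptions to extend from your own baseline; the last sample row is a constructed benign control.

```python
import re
from pathlib import PureWindowsPath

# Windows component names that loaders borrow for dropped files and Run values
# (assumption: a starter list, extend it from your own baseline).
MIMICKED_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                  "explorer.exe", "dllhost.exe", "windefender.exe"}

# Where a binary of that name legitimately lives (lower-case, no trailing slash).
# windefender.exe is not a Windows binary at all, so no location is legitimate.
LEGIT_DIRS = {
    "csrss.exe":       {r"c:\windows\system32"},
    "svchost.exe":     {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe":       {r"c:\windows\system32"},
    "winlogon.exe":    {r"c:\windows\system32"},
    "explorer.exe":    {r"c:\windows", r"c:\windows\syswow64"},
    "dllhost.exe":     {r"c:\windows\system32", r"c:\windows\syswow64"},
    "windefender.exe": set(),
}

# Row shapes from the report:
#   Set value (str) <key> = "<escaped value>" <process> <target>
#   File created <path> <process> <target>
SET_VALUE_RE = re.compile(r'^Set value \(str\) (?P<key>\S+) = "(?P<val>.*?)" (?P<proc>\S+) \S+$')
FILE_RE = re.compile(r"^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+) \S+$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def unescape_value(raw):
    # The report prints values with escaped quotes and doubled backslashes; undo that and drop the wrapping quotes.
    return raw.replace('\\"', '"').replace("\\\\", "\\").strip('"')

def masquerade_reason(path):
    """Return why `path` looks like a masquerade, or None when the name/location pair is legitimate."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    if name not in MIMICKED_NAMES:
        return None
    if str(p.parent).lower() in LEGIT_DIRS[name]:
        return None
    return f"{name} outside its expected directory: {path}"

def scan_rows(rows):
    """Return (rule, suspicious_path, writing_process) for every row that trips the check."""
    findings = []
    for row in rows:
        row = row.strip()
        m = SET_VALUE_RE.match(row)
        if m:
            if RUN_KEY_RE.search(m["key"]):
                target = unescape_value(m["val"])
                if masquerade_reason(target):
                    findings.append(("run_key_masquerade", target, m["proc"]))
            continue
        m = FILE_RE.match(row)
        if m and masquerade_reason(m["path"]):
            findings.append(("dropped_masquerade", m["path"], m["proc"]))
    return findings

# First four rows copied from this report; the last is a constructed benign control.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\9E63.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A',
    r'File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A',
    r'File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Control = "\"C:\\Windows\\System32\\csrss.exe\"" C:\Windows\explorer.exe N/A',
]

if __name__ == "__main__":
    for rule, path, proc in scan_rows(SAMPLE_ROWS):
        print(f"{rule}: {path}  (written by {proc})")
```

The WOW6432Node Run key in the first row is the 32-bit view of HKLM\...\Run and is started by the same logon path; tooling that only reads the 64-bit key misses it, so the check should be fed both views.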

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3A5A.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3A5A.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\3A5A.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2451 = "Saint Pierre Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-201 = "US Mountain Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2322 = "Sakhalin Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1722 = "Libya Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3A5A.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target Count
Token: SeShutdownPrivilege N/A N/A N/A 26 (each immediately followed by the SeCreatePagefilePrivilege request below)
Token: SeCreatePagefilePrivilege N/A N/A N/A 26
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A 7
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A 2
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A 1
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A 1
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A 1

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A

Suspicious use of UnmapMainImage


Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 3352 wrote to memory of 1784 N/A N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 1784 wrote to memory of 3496 N/A C:\Users\Admin\AppData\Local\Temp\9E63.exe C:\Users\Admin\AppData\Local\Temp\9E63.exe
PID 3352 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0A1.exe
PID 3352 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0A1.exe
PID 3352 wrote to memory of 4244 N/A N/A C:\Users\Admin\AppData\Local\Temp\C0A1.exe
PID 3352 wrote to memory of 3616 N/A N/A C:\Users\Admin\AppData\Local\Temp\C584.exe
PID 3352 wrote to memory of 3616 N/A N/A C:\Users\Admin\AppData\Local\Temp\C584.exe
PID 3352 wrote to memory of 3616 N/A N/A C:\Users\Admin\AppData\Local\Temp\C584.exe
PID 3352 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe
PID 3352 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe
PID 3352 wrote to memory of 1756 N/A N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe
PID 1756 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
PID 1756 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
PID 1756 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\CBEE.exe C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp
PID 3004 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3004 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3004 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3004 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3004 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3004 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 3352 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe
PID 3352 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe
PID 3352 wrote to memory of 3228 N/A N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe
PID 3228 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3228 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3228 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3228 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3228 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3228 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3228 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 3228 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\8D9.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe
PID 1688 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1688 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1688 wrote to memory of 3888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 1688 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
PID 1688 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
PID 1688 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp
PID 3888 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3888 wrote to memory of 4988 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4988 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 1636 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com
PID 4988 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4988 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4988 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4108 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4108 wrote to memory of 1896 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3352 wrote to memory of 4504 N/A N/A C:\Users\Admin\AppData\Local\Temp\3A5A.exe
PID 3352 wrote to memory of 4504 N/A N/A C:\Users\Admin\AppData\Local\Temp\3A5A.exe
PID 3352 wrote to memory of 4504 N/A N/A C:\Users\Admin\AppData\Local\Temp\3A5A.exe
PID 3352 wrote to memory of 2100 N/A N/A C:\Windows\system32\regsvr32.exe
PID 3352 wrote to memory of 2100 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2100 wrote to memory of 2968 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

C:\Users\Admin\AppData\Local\Temp\9E63.exe

C:\Users\Admin\AppData\Local\Temp\9E63.exe

C:\Users\Admin\AppData\Local\Temp\9E63.exe

C:\Users\Admin\AppData\Local\Temp\9E63.exe

C:\Users\Admin\AppData\Local\Temp\C0A1.exe

C:\Users\Admin\AppData\Local\Temp\C0A1.exe

C:\Users\Admin\AppData\Local\Temp\C584.exe

C:\Users\Admin\AppData\Local\Temp\C584.exe

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp

"C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp" /SL5="$E0058,2248936,56832,C:\Users\Admin\AppData\Local\Temp\CBEE.exe"

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s

C:\Users\Admin\AppData\Local\Temp\8D9.exe

C:\Users\Admin\AppData\Local\Temp\8D9.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp

C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\3A5A.exe

C:\Users\Admin\AppData\Local\Temp\3A5A.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1896 -ip 1896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 2516

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4108 -ip 4108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4108 -s 748

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\516D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\516D.dll

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1464 -ip 1464

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 2448

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
N/A 127.0.0.1:52103 tcp
NO 87.248.7.41:9003 tcp
CA 24.150.204.225:9003 tcp
FR 62.210.123.24:443 tcp
US 8.8.8.8:53 24.123.210.62.in-addr.arpa udp
GB 142.202.51.68:9001 tcp
BG 46.10.211.74:22612 tcp
US 8.8.8.8:53 68.51.202.142.in-addr.arpa udp
US 8.8.8.8:53 74.211.10.46.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 joly.bestsup.su udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 104.21.29.103:80 joly.bestsup.su tcp
US 172.67.217.100:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 103.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 100.217.67.172.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 technologyenterdo.shop udp
US 104.21.80.118:443 technologyenterdo.shop tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 118.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 8.8.8.8:53 problemregardybuiwo.fun udp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 188.114.97.2:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 trmpc.com udp
PA 200.46.202.73:80 trmpc.com tcp
US 8.8.8.8:53 73.202.46.200.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 127.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 145.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 146.191.110.104.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
BG 46.10.211.74:22612 tcp
GB 142.202.51.68:9001 tcp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 kamsmad.com udp
US 8.8.8.8:53 88681770-3901-4da8-8a96-905000c85241.uuid.statsexplorer.org udp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
US 8.8.8.8:53 116.75.156.187.in-addr.arpa udp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
MX 187.156.75.116:80 kamsmad.com tcp
US 8.8.8.8:53 xmr-eu2.nanopool.org udp
FR 163.172.171.111:14433 xmr-eu2.nanopool.org tcp
US 8.8.8.8:53 111.171.172.163.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.34.170:443 pastebin.com tcp
US 8.8.8.8:53 170.34.67.172.in-addr.arpa udp
N/A 127.0.0.1:32472 tcp
US 8.8.8.8:53 server4.statsexplorer.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun4.l.google.com udp
BG 185.82.216.108:443 server4.statsexplorer.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
CH 172.217.210.127:19302 stun4.l.google.com udp
US 8.8.8.8:53 carsalessystem.com udp
US 104.21.94.82:443 carsalessystem.com tcp
US 8.8.8.8:53 127.210.217.172.in-addr.arpa udp
US 8.8.8.8:53 108.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 82.94.21.104.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
BG 185.82.216.108:443 server4.statsexplorer.org tcp

Files

memory/4220-1-0x0000000001CE0000-0x0000000001DE0000-memory.dmp

memory/4220-2-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/4220-3-0x0000000001CD0000-0x0000000001CDB000-memory.dmp

memory/3352-4-0x00000000025C0000-0x00000000025D6000-memory.dmp

memory/4220-5-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9E63.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

memory/1784-16-0x0000000003900000-0x0000000003ABC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9E63.exe

MD5 1ae586467ea8583bac04590fac52c7f2
SHA1 0e8169c6ab99805b2b43b4fcebf4910a716bd04a
SHA256 929fef5c32cc87661cbf730342470b9244af91544f3749826c52d2c2cd47ffea
SHA512 d3bbf50c637adefe84721318510f5c6a14f469ee0ca0bb74df1a14807aa65d568f879e4dd60d6941bc75fdbc08a5e204902453d56c9212912835f60c8ed18233

memory/3496-20-0x0000000000400000-0x0000000000848000-memory.dmp

memory/1784-18-0x0000000003AC0000-0x0000000003C77000-memory.dmp

memory/3496-21-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3496-17-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3496-22-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3496-23-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3496-24-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 09cc191faf62ec87441c04cd853644a7
SHA1 a0ced79bdf965194c3ecaa156818d38acccdc27a
SHA256 ae9e9ca3bae01804f232d93370d42bd4cf7dbfa30e809d4e91ce9d977c49b1a8
SHA512 8728e67a2ac66df79c040c6eb16d2777f98a70baf9b2c0f25892b671169efbb94b06ec2548be050608deda0ecad97016d98b9cfbce4165d1efc3faa98cbb13fa

C:\Users\Admin\AppData\Local\Temp\C0A1.exe

MD5 98032e01a07b787b4416121c3fdf3ae5
SHA1 65c8dc24c8b5d416c1e51105e190c440762069f3
SHA256 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA512 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb

memory/4244-41-0x0000000001B70000-0x0000000001B71000-memory.dmp

memory/4244-43-0x0000000000FD0000-0x0000000001A7D000-memory.dmp

memory/4244-42-0x0000000001B80000-0x0000000001B81000-memory.dmp

memory/4244-45-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/4244-44-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

memory/4244-46-0x0000000001BD0000-0x0000000001BD1000-memory.dmp

memory/4244-47-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

memory/4244-48-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

memory/4244-51-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

memory/4244-53-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\C584.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

memory/4244-60-0x0000000001ED0000-0x0000000001F02000-memory.dmp

memory/4244-59-0x0000000001ED0000-0x0000000001F02000-memory.dmp

memory/3616-61-0x00000000036B0000-0x000000000371B000-memory.dmp

memory/4244-57-0x0000000001ED0000-0x0000000001F02000-memory.dmp

memory/3616-62-0x0000000001B10000-0x0000000001C10000-memory.dmp

memory/3616-63-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/3496-65-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3616-64-0x0000000000400000-0x0000000001A77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

MD5 6b1a309c609a892cc6f19a61f3ec7a28
SHA1 4a99ae82573addac9055915e65b6475931825a3e
SHA256 5dddcc5de1a79d8d40b4a02ccea49913292bea3be52b51fdf5f14ebb97fdd776
SHA512 c777ceda6a002785f9670b0af85c3f273436e262dd60290c909124d57974eb139a1b40acd34b7a5c4d840ea7a2aa2de76898a240443a44e506b75ae867c8dfc0

C:\Users\Admin\AppData\Local\Temp\CBEE.exe

MD5 66db0d066c82c233d7503d6a50fe91ad
SHA1 823a20e83d3a4f61ced3c2f7f6aa634eb25348e0
SHA256 d0b2ba7afa9e94cbd574d1a6d386569ab12c12faa9c85ba9f1df0378e405b410
SHA512 49cce41f42159e1744ee90f8ff89548c3c9cf2492cfca2b5dae967394260ee5fec250572dae6fa6640c074fc8808cd7ac397c1f2a7800dc81956a3c0639a5b5a

memory/1756-70-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-LN82Q.tmp\CBEE.tmp

MD5 a1b45df2ed6b73416fdf10a62a69f8f0
SHA1 053d566b3d1d4ec47d4dff670611a20802b1a366
SHA256 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d
SHA512 bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2

memory/3496-91-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3004-92-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-QO84F.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

MD5 5c64ecde29da99c3f8e2fb087d86873e
SHA1 a9f30fcb14242d577b36eef78071c100499fbf99
SHA256 a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261
SHA512 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d

memory/3496-114-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3184-115-0x0000000000400000-0x0000000000700000-memory.dmp

memory/3184-116-0x0000000000400000-0x0000000000700000-memory.dmp

memory/3184-119-0x0000000000400000-0x0000000000700000-memory.dmp

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

MD5 b908d82e948139ac68759da744a75ce3
SHA1 a91fa6b2d2f0e66448f9a6f293f037cfe180a1ec
SHA256 ff30431ceb865068054a789fa03b40f905083c27c26191865a6912ec653c72a0
SHA512 f762e4c32ea157a4d99e7e33ef0ea776ca090fb7068e73d5bbb582d6c86383de797aa03aed53f19e576889c3e59955a8ebeaffecb335d8879754760f4dc8c4d1

memory/4244-123-0x0000000000FD0000-0x0000000001A7D000-memory.dmp

memory/2628-122-0x0000000000400000-0x0000000000700000-memory.dmp

memory/2628-125-0x0000000000400000-0x0000000000700000-memory.dmp

memory/3496-126-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3616-127-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/1756-128-0x0000000000400000-0x0000000000414000-memory.dmp

memory/3616-129-0x00000000036B0000-0x000000000371B000-memory.dmp

memory/3004-130-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2628-132-0x0000000000400000-0x0000000000700000-memory.dmp

memory/3616-133-0x0000000001B10000-0x0000000001C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8D9.exe

MD5 ceae65ee17ff158877706edfe2171501
SHA1 b1f807080da9c25393c85f5d57105090f5629500
SHA256 0dac8a3fe3c63611b49db21b2756b781cc4c9117c64007e0c23e6d3e7ca9ee49
SHA512 5214febfab691b53ca132e75e217e82a77e438250695d521dbf6bc1770d828f2e79a0070fd746a73e29acc11bf9a62ceafb1cf85547c7c0178d49a740ff9ae7b

memory/3228-138-0x0000000073480000-0x0000000073C30000-memory.dmp

memory/3228-139-0x0000000000830000-0x00000000010E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 d122f827c4fc73f9a06d7f6f2d08cd95
SHA1 cd1d1dc2c79c0ee394b72efc264cfd54d96e1ee5
SHA256 b7a6dcfdd64173ecbcef562fd74aee07f3639fa863bd5740c7e72ddc0592b4fc
SHA512 8755979d7383d6cb5e7d63798c9ca8b9c0faeec1fe81907fc75bbbb7be6754ab7b5a09a98492a27f90e3f26951b6891c43d8acd21414fb603cd86a4e10dac986

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 28b72e7425d6d224c060d3cf439c668c
SHA1 a0a14c90e32e1ffd82558f044c351ad785e4dcd8
SHA256 460ba492fbc3163b80bc40813d840e50feb84166db7a300392669afd21132d98
SHA512 3e0696b4135f3702da054b80d98a8485fb7f3002c4148a327bc790b0d33c62d442c01890cc047af19a17a149c8c8eb84777c4ff313c95ec6af64a8bf0b2d54b6

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 a5f70019477726fdf048623738b725ce
SHA1 2432e57e28133351453973cc3c01486966edbac2
SHA256 af07b04729c48194245c4c2920cc84470f830c63715c535b7ab24979923fa032
SHA512 bd882312cf4a2b62b6155620f84493d35418dcaac735b0ecfea22fa89c788bc219974b62175514aaae143aef2a9db7a66d2cb928284def16695171df7f7c5b2f

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 5ca01423a29016851cc4e6281916cb2c
SHA1 583cbe4fc8a69b4f324e60257da872531c7b1a5a
SHA256 8ff85221e7fdd4c93b8828ebcef9c255273f5beb067a44b24e1ca87d9e898ec1
SHA512 68a605768e4dac8ce37ac43d54536429c3f6aa6e5be656e6f0bc61155380a604d434b50899fa986d017316e8397ddf2f91445a9c4ce72a9072580a003ad022a4

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 04fcc1fdd58f42e0490e828028e69579
SHA1 974b63311a31fcff5451cb98dc4df801e855b4e4
SHA256 a8fea3f6fe17200d8be207b2bca386e973a636498066594d4cf00e110c37152a
SHA512 68e805595a3507e7421ae1dd305c63138c33cd2bb553348f8a6fcd9c222413cfd184fe4f67a8151753c74c9912563064e101fe09f1e2e13a7782b8323889581c

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 6c23834bfe6181a0b17575b2ce079cbe
SHA1 56ef6ff395989cfcc4ec8cad75055f62c8334b3c
SHA256 3095ebdcbec94aeff052d72e4778ad33b9fdf00a9e294e03143e0f7961c0160f
SHA512 c53324d10c7d335a6c7605a82b79757199d730f941756fc8b9a6a6bda4cdd229b797ac113abee5e5e0d0f676893986c869d54d79eec3070e1629fccb919dca77

C:\Users\Admin\AppData\Local\Temp\nsl147E.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3228-181-0x0000000073480000-0x0000000073C30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 e26f71a0d7c8b755b4df392aa6a9d1ae
SHA1 60708c86d2ccce39eeebcda381bef38a4c6ac89c
SHA256 a787cf08025716820635f1b5d276c0bc6ccef15b99247b2ee6f3f2cf096b9272
SHA512 c141ebe852b86b15cdeb8ea8ebadedca7b6be29dbb296aab953e4ca68a3e938a9c60d75f8e70032aed7b9bc9ad38325926ddab253468413af17b76aaa99ebcf3

memory/3496-183-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 8887a0315f3e8d2b2a4dc28802b8f215
SHA1 09007b67b0bd115956023f6c4df7843bc3347752
SHA256 061f0f07c47578bd9ae8a93554b5d304a40be9fd44b328db115b450f9fdf516a
SHA512 cf58efbf119dd223645f02e995842915a4067487f5e9fde839ae013a6e5c4f45b31b2f08f0213d083d9707ba8d2370fdfeec8a8822cdf8a68095d8bd9b12c152

memory/3004-187-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

memory/3888-188-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/4108-196-0x00000000028A0000-0x0000000002CA7000-memory.dmp

memory/4108-197-0x0000000002DB0000-0x000000000369B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu1D2A.tmp

MD5 da812d63d6637fbc245339e746ccf1f9
SHA1 1d5c645e81e96606b26aa56526fb0022bb68c4b0
SHA256 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba
SHA512 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177

memory/2628-204-0x0000000000400000-0x0000000000700000-memory.dmp

memory/4108-205-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1464-206-0x0000000001B70000-0x0000000001B97000-memory.dmp

memory/1464-207-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/1464-210-0x0000000001CA0000-0x0000000001DA0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1896-212-0x0000000002F70000-0x0000000002FA6000-memory.dmp

memory/1896-213-0x0000000073070000-0x0000000073820000-memory.dmp

memory/2628-214-0x0000000000400000-0x0000000000700000-memory.dmp

memory/1896-215-0x00000000030D0000-0x00000000030E0000-memory.dmp

memory/1896-217-0x0000000005740000-0x0000000005D68000-memory.dmp

memory/1896-216-0x00000000030D0000-0x00000000030E0000-memory.dmp

memory/1896-218-0x0000000005590000-0x00000000055B2000-memory.dmp

memory/1464-219-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1896-221-0x0000000005E60000-0x0000000005EC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wdm5owvo.uka.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1896-232-0x0000000006040000-0x00000000060A6000-memory.dmp

memory/1896-238-0x0000000006120000-0x0000000006474000-memory.dmp

memory/1896-245-0x0000000006550000-0x000000000656E000-memory.dmp

memory/1896-248-0x00000000065A0000-0x00000000065EC000-memory.dmp

memory/1896-275-0x0000000006AC0000-0x0000000006B04000-memory.dmp

memory/1896-276-0x0000000007670000-0x00000000076E6000-memory.dmp

memory/1896-280-0x0000000007F70000-0x00000000085EA000-memory.dmp

memory/1896-281-0x0000000007910000-0x000000000792A000-memory.dmp

memory/4108-285-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1896-286-0x0000000007AD0000-0x0000000007B02000-memory.dmp

memory/1896-288-0x000000007F950000-0x000000007F960000-memory.dmp

memory/1896-287-0x000000006F580000-0x000000006F5CC000-memory.dmp

memory/1896-290-0x000000006F6E0000-0x000000006FA34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3A5A.exe

MD5 b2c14d5c21130dc795b521206c0b97d4
SHA1 3cfe837b022d15fd869e6262813e38ed8efb92dc
SHA256 ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37
SHA512 bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107

memory/1896-304-0x0000000007B10000-0x0000000007B2E000-memory.dmp

memory/1896-306-0x0000000007B30000-0x0000000007BD3000-memory.dmp

memory/3888-310-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/1896-311-0x0000000007C20000-0x0000000007C2A000-memory.dmp

memory/3496-312-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4504-314-0x0000000001B50000-0x0000000001B5B000-memory.dmp

memory/4504-313-0x0000000001B80000-0x0000000001C80000-memory.dmp

memory/4504-315-0x0000000000400000-0x0000000001A2A000-memory.dmp

memory/1896-317-0x0000000073070000-0x0000000073820000-memory.dmp

memory/4108-320-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4108-321-0x0000000002DB0000-0x000000000369B000-memory.dmp

memory/3352-322-0x0000000002480000-0x0000000002496000-memory.dmp

memory/4504-324-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\516D.dll

MD5 286796d0050225040303192dffc1c4ef
SHA1 daef291b3941387fee3ced03d44a4e254dfec217
SHA256 1546488b5733038151f0c4f8e946afc1cc87990b51a4f191b0911d6705ba6e24
SHA512 04d623a2fe9fa8ec639b9c0ba467f5a2929992f514a1885f943a93401da94ab50ff1c9e0b3ac3e86b79ea570b7010583fbcca062612e28161a1ac0b62b6b56b8

C:\Users\Admin\AppData\Local\Temp\516D.dll

MD5 da30e7111769af02730a498c7d635877
SHA1 052813b8db392217776729867bf3e082d89edd15
SHA256 1edd160ab194f1894469cce0d336ae3caa29f1434350c4a7a32dceb30b5ef2e4
SHA512 02aa1608592043503b96c48d508699110009c729bbcda779b1def9fad0fd64394e5c78c29f70678d46548c7a1e48ac1620608b850a36c3d680de7dab4ccaa702

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2d76c81a044aa0266852ef7d7989fd8
SHA1 1244c072957954b05ed6fbe35cb2b1106e59af30
SHA256 005da31948ac86589ccd25ee68ee00c2a819f07b51bbb061b0e1699d37547a66
SHA512 a69f636e55b12348a898eaec42e2ed0c7b9f4370c3510638415f78198155eb253351ae040c8f9b88cdd6cba46587624c55cf3f39c13281a41fd95c2277c3a583

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c5a1cd740f3fccd7c193db7e3a7269fb
SHA1 85c97899fe1a858d5fa4f563b8d4d7cbdfb6a7c0
SHA256 263d5eec2d2c8c8bbea2b82b5e743afdf237d74d8049e3e477830e50404eea74
SHA512 cb950b5b04a1e68233a3ec1bd2ef7868863a671c041c0dbbcb3981fefb5ab534c5cf421c21a7ff7cad4cbf5ec77d7161e78d5c412b4cb64c8f94b30199ed3b8f

C:\Windows\rss\csrss.exe

MD5 34666eafe0fffb6a73e31c1e09ecac4f
SHA1 ffd5c92070e4a8fab8f8095316d73ccd485f6294
SHA256 d429c8dcd6ef1fb942bcf3543e0368f54d62c0519076daecd3bc5f0aa8713232
SHA512 542a9e8b722ea5dcc245978d026c7a11b0e7b4f7ed651fa9f4a562bb93ed33eb3edcbc57d075a154520a007898f4bad0734031238898feece2a816e7c99f7966

C:\Windows\rss\csrss.exe

MD5 6bdb234305778c39ec1121b20dbb5b46
SHA1 9397990981227c7b06a4ad4d1a2b030d38fcd6e1
SHA256 0e50b406c6cd99dda7328f15c6dad4c1bf4c5b0a12a2476ee69e58e7d544233b
SHA512 6a58cafa3ed7cbbd091da4f240ff88e517d40167d1f901352cdde871931636bcc934f69937b830851969dc15dc1b04c6ce9d7cd689f5a9f864c60a5ad198777a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f046610a6adeece7f7fd84d060c8cf40
SHA1 5f8c6b9c26b9fc572c93289297b561da18a0e262
SHA256 3a1db8926423c5e0054875963f992b282220024565eee75e1a1c5483dfec2750
SHA512 a403a3b5324c197cce732f329340ff9c7b51c33810d3fef9e42a3a76361cb079f6250479ef50d6db9f1ce73ede9752a300d3c9489631ffd1a41e64a7f12c0425

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c926a9f2c66670ae0d75b34af4619902
SHA1 d7373210bee43e1c7b4d4155236980c62cc84e70
SHA256 91a3cd24b8d05588ca9a9524cf49ac498e187949e88ab953249ba8f40c82752c
SHA512 645176757c3f78e1c968686e8ffb800ed4bf74a6469dd7a7e0b75f039425f70734afdf87ff9209083d4dd8b38dc6734a3cb742443056d04c81e9f83d71212685

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 18670145aa9e64dbc3f60006f981821f
SHA1 d5ee5077959247e5eaa0665c445fc85125c1bf2f
SHA256 fa7a716b5748d8a468af68a784f16926aed492f25a1bcd700404a725ce49245f
SHA512 fc66d9e1987d7fa29ab65896ae4756ddd378deb0595e81f2f39c9717a77c3ec3a7449beae3477849490fa977ea722f410c0c83f0b39a35dfef7d96d896fa764c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 d480d873c3e1a4c4a90b2452fc1ec666
SHA1 3b0657338cbfe497774af2809b9c6bfd64258aef
SHA256 691faf0177d29d8be9e5f8f3e7c0670066524a491891a0c37f3040d93f4d3657
SHA512 2c38936a0d17ac94c5b611d4a54cc75f0a9c9b39630ab2dee028ce14ed8660ce86e8694e46fccbed3f9a74ac9845b4f47d279005845d22bfc42d837e04071929

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 12:14

Reported

2024-02-27 12:16

Platform

win7-20240221-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload

SmokeLoader

trojan backdoor smokeloader

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Deletes itself

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\739A.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\C1CB.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2540 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\739A.exe C:\Users\Admin\AppData\Local\Temp\739A.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\B3C6.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1160 wrote to memory of 2540 N/A N/A C:\Users\Admin\AppData\Local\Temp\739A.exe
PID 2540 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\739A.exe C:\Users\Admin\AppData\Local\Temp\739A.exe
PID 1160 wrote to memory of 2880 N/A N/A C:\Users\Admin\AppData\Local\Temp\B3C6.exe
PID 2880 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\B3C6.exe C:\Windows\SysWOW64\WerFault.exe
PID 1160 wrote to memory of 1516 N/A N/A C:\Users\Admin\AppData\Local\Temp\C1CB.exe
PID 1160 wrote to memory of 284 N/A N/A C:\Users\Admin\AppData\Local\Temp\C7C5.exe
PID 284 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\C7C5.exe C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp
PID 1528 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 1528 wrote to memory of 620 N/A C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe
PID 1160 wrote to memory of 1552 N/A N/A C:\Users\Admin\AppData\Local\Temp\17F8.exe

Processes

C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe

"C:\Users\Admin\AppData\Local\Temp\84b607224b08194b311683727ad11950.exe"

C:\Users\Admin\AppData\Local\Temp\739A.exe

C:\Users\Admin\AppData\Local\Temp\739A.exe

C:\Users\Admin\AppData\Local\Temp\739A.exe

C:\Users\Admin\AppData\Local\Temp\739A.exe

C:\Users\Admin\AppData\Local\Temp\B3C6.exe

C:\Users\Admin\AppData\Local\Temp\B3C6.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 124

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

C:\Users\Admin\AppData\Local\Temp\C7C5.exe

C:\Users\Admin\AppData\Local\Temp\C7C5.exe

C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp" /SL5="$4016E,2248936,56832,C:\Users\Admin\AppData\Local\Temp\C7C5.exe"

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -i

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

"C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe" -s

C:\Users\Admin\AppData\Local\Temp\17F8.exe

C:\Users\Admin\AppData\Local\Temp\17F8.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\1DB3.exe

C:\Users\Admin\AppData\Local\Temp\1DB3.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240227121526.log C:\Windows\Logs\CBS\CbsPersist_20240227121526.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp

C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4975.dll

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\4975.dll

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

Network

Country Destination Domain Proto
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 147.92.88.67:9001 tcp
N/A 127.0.0.1:49225 tcp
CA 167.114.144.152:9002 tcp
DE 62.171.180.6:9001 tcp
CA 142.44.227.24:9001 tcp
FI 65.108.233.166:9001 tcp
US 8.8.8.8:53 joly.bestsup.su udp
US 104.21.29.103:80 joly.bestsup.su tcp
DE 185.172.128.19:80 185.172.128.19 tcp
N/A 127.0.0.1:17798 tcp
US 8.8.8.8:53 trmpc.com udp
BA 185.12.79.25:80 trmpc.com tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
DE 185.172.128.145:80 185.172.128.145 tcp
US 8.8.8.8:53 ybhee.cem udp
US 8.8.8.8:53 hejmbol.cem udp
US 8.8.8.8:53 gbmolb.cem udp
US 8.8.8.8:53 redoffmbol.cem udp
US 8.8.8.8:53 ybhee.cem.jw udp
US 8.8.8.8:53 eujleek.cem udp
US 8.8.8.8:53 mezkerhbusjechzok.de udp
US 8.8.8.8:53 rh-umwelj.de udp
US 8.8.8.8:53 ocleud.cem udp
US 8.8.8.8:53 gmbol.cemm udp
US 8.8.8.8:53 mbol6.chshs.zjpc.edu.jw udp
US 8.8.8.8:53 ftp.hejmbol.cem udp
US 8.8.8.8:53 ftp.redoffmbol.cem udp
US 8.8.8.8:53 mail.ybhee.cem udp
US 8.8.8.8:53 mail.hejmbol.cem udp
US 8.8.8.8:53 ftp.gbmolb.cem udp
US 8.8.8.8:53 ybhee.ce.uk udp
US 8.8.8.8:53 ftp.ybhee.cem.jw udp
US 8.8.8.8:53 gmbo.cem udp

Files

C:\Users\Admin\AppData\Local\Temp\739A.exe

MD5 398ab69b1cdc624298fbc00526ea8aca
SHA1 b2c76463ae08bb3a08accfcbf609ec4c2a9c0821
SHA256 ca827a18753cf8281d57b7dff32488c0701fe85af56b59eab5a619ae45b5f0be
SHA512 3b222a46a8260b7810e2e6686b7c67b690452db02ed1b1e75990f4ac1421ead9ddc21438a419010169258b1ae4b206fbfa22bb716b83788490b7737234e42739

C:\Users\Admin\AppData\Local\Temp\739A.exe

MD5 e18fb53f7e5ac718c08ca0617ed8f301
SHA1 a68852d54a7a98882e175a46134c3abc9c6ea662
SHA256 c9f3d997f3d71783d7012be74a0230a9d4c689132bd4b7466f2d7757368dfa15
SHA512 b316bbc3eedcecd51da2775d3ca9b22783936354014e920baba7bf9c6c26c1575d84e242710b5eb3050ad853d665ef87062474744ee161155a7f72a5c36d638c

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 09cc191faf62ec87441c04cd853644a7
SHA1 a0ced79bdf965194c3ecaa156818d38acccdc27a
SHA256 ae9e9ca3bae01804f232d93370d42bd4cf7dbfa30e809d4e91ce9d977c49b1a8
SHA512 8728e67a2ac66df79c040c6eb16d2777f98a70baf9b2c0f25892b671169efbb94b06ec2548be050608deda0ecad97016d98b9cfbce4165d1efc3faa98cbb13fa

C:\Users\Admin\AppData\Local\Temp\B3C6.exe

MD5 51a32a41e2ff5d470e4c5433e4e1afd9
SHA1 805b9f086e128dca345cfdee2ea3ea25210c88ce
SHA256 1772682d75c3ec00717ced9a513e89e65e98d9d3774af2b264eb12e8894a82ff
SHA512 5a34c92cdce2e7e7bd386f193d21ed80ebcf9e2373cdba4c03154534a38b69593b5d8d2bbf4d3128aa5e6dfaad5fb35aa358364f0db25b48b1cb11fe93e4a289

C:\Users\Admin\AppData\Local\Temp\B3C6.exe

MD5 98032e01a07b787b4416121c3fdf3ae5
SHA1 65c8dc24c8b5d416c1e51105e190c440762069f3
SHA256 8ac72e5a7ff22bd3a80a681d700ffff38d53d112bd017ccd03b17a3e2f1cdec7
SHA512 3db2d03a323a6be3014eeba75dc56bd0ad486c23e05824f64399ea9c11da8a958380846a06f672a5153c5754778387e6b07d86fe1c05cca7afe3b1b8f17438fb

C:\Users\Admin\AppData\Local\Temp\C1CB.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 ab9d7aa35ceeffa6fced28d3ad80e762
SHA1 748b5c2920d88f70d3c98f0454d0ad265598b974
SHA256 67b466b12646f4ac2b9338ad1b797061954c036bda7bb703c0f2591b863b181a
SHA512 71e7cc467f84d1964f56a6ab618745d3e356bda20b48d9e933894edee219cbe666f3677bda08ed42cb1c2f2166b16d65bf17b7c5df6e25c9649249e36ced9e2b

C:\Users\Admin\AppData\Local\Temp\C7C5.exe

MD5 8b0b0943877aa89cf021d5d5e2cbb1aa
SHA1 7a64ea593c231fb4b1d7c584980a6650960ac32b
SHA256 b60848ac2a0eabd598b41b0f63d5ebef61e5df8bfdf616416223847788ea1905
SHA512 d412b004c315f036929684a2bb3bba213c78bcddd11700f07d42a0542736140451b37ea75492bc02f1ac0a6a97349ec7cbabe97e5d8b90db579ee3e6c4523bfc

\Users\Admin\AppData\Local\Temp\is-90T9B.tmp\C7C5.tmp

MD5 a1b45df2ed6b73416fdf10a62a69f8f0
SHA1 053d566b3d1d4ec47d4dff670611a20802b1a366
SHA256 0f20cd41a5d49d9324f102419045adbaa01e1bdab8f620cacd30f32290009a4d
SHA512 bbe1b8cd45eda9f201093970788a001d4142fe234b21e6fc992366f86a0fcc2156480394696a09cedc41381ba939966d5825582f49a90bdd089dc765fa52a8f2

\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_isdecmp.dll

MD5 3adaa386b671c2df3bae5b39dc093008
SHA1 067cf95fbdb922d81db58432c46930f86d23dded
SHA256 71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38
SHA512 bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

\Users\Admin\AppData\Local\Temp\is-KRTKB.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\CD DVD Identifier\cddvdidentifier.exe

MD5 5c64ecde29da99c3f8e2fb087d86873e
SHA1 a9f30fcb14242d577b36eef78071c100499fbf99
SHA256 a70f1adfea1531f092f4b2d8df46527a927829b21cd41d181b02bb0da3be1261
SHA512 50b348fbf1263954107e1ff849e9ce0f1dae72a2c2cbb44ef7c37711e6c49ba189331ea9d5580853b3203c17327252222991830f2d22b2640c2dbb229eee269d

C:\Users\Admin\AppData\Local\Temp\17F8.exe

MD5 1a0d35f6effac44e7d2f4937239a7890
SHA1 385622db160076834441f34ac0de9b5232ce8a0e
SHA256 09d59606b061b3996b2c0bc8aebb61d85ed3b28fd5e3ca409e8ab7a13867ebd4
SHA512 265a5ff15df1f3852315d769bd2b010fc7460662b190b9d3e8a565a2192eedb0a192b7f0bdd3f1c93496e602bb7a33aae6d0e325f908a162d73038a27364ec1b

C:\Users\Admin\AppData\Local\Temp\17F8.exe

MD5 fee18fad15d6e21df3eaa2c422deb789
SHA1 f2dd95c6fb0a06ac36ab26d1130a154e3c842cda
SHA256 d9ac9bc239867db3351f51863b2968aeba500ecdfbd6cf88ce0ba601210aeed1
SHA512 53606f55fddd0bf1c40fb6db4c3c2332c7f94e22c5a4fb951d6525e71bf3c265cd1eac757434907e281c6dbe53cbbb74bfc56a0692b44cdcbb7d447ca76076f9

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 bbd15ccb6180033558fcef9c26bce2ea
SHA1 f25054b1e3feb30f801faddb463a0701574fb208
SHA256 5d3326541b7592a600e5d2439787c466404d3584b3309074ae05e6cff31da99d
SHA512 a7a69b9f97533237a69ca6a411aaa234b0be601b9bc0880849ae80cd10b0130eee1b0504c4b7396792733dcbe23de863cfeb845a0fac1788d47e5a8190b88afb

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c1bda7f8e8b1772aa47c14f24131806a
SHA1 b2b8eaf25b2ef7c85930d5b287e5aff5f189a7af
SHA256 8b4f23f82d579659a29c0d0e6c0aa5e47469fd080e1ca835ac6b6aa086041c2c
SHA512 f59ddc579c2879bafad38d8f7dc9b4e3652cce4538b0332b096ab6c8c412b251f134e9b69d7bc3e1acf3f170eed22ea4c13318d1ef34f14157db6c3dbaa304aa

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 33b8ba6f4e6cf8d6e5c03d34d23fe31a
SHA1 99d4bec17b62f738c26521dbebce96b1c65bc675
SHA256 b279c9930b44a044278a47405617dfe1a2337fde9196cbd8dbeb9f43c70ed41e
SHA512 9ec1ca744c884bb09ff34cbb235ce5abd12f31c6a640bda29b5bc65c86a723d921f89150789c54ea429b47c618fd2cc35ba27037021c00ab3766739ba5f39131

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 f30b31cd985bb3b4c2dced17df5ed9fb
SHA1 94a2218267ddd03b538636ace0593e38f52c9b5a
SHA256 b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645
SHA512 648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f0ff5f372a958f41fa51da9c9f03c8b2
SHA1 06d46a56e5bc97c19dd5fb7195e973121b641c55
SHA256 d2ed2c2940a1994e68fb473cf5e7c0ab0487d38ea141f35c0f6c07230e7e868b
SHA512 8ebc3a3acd0f9139707f0681f85457ffdaba8f6532bb7d28a196be05a0bf04692ffff4c0cf0a712897068c395e3f5aa64c799fd9cffc810b0139cb7d778e8424

\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b0d57e6d5fc9c56a76c73dd4abcf39af
SHA1 86f43b94bae3b83fc7fe2e9006ea6f13cab7201c
SHA256 77f7855b58730066777ac2041f8a412ece456737018183999d8ab6fd6af51879
SHA512 6a6132f60603457635e8f96d279c04dac7d2f4cd99ab655d40ef31487258198cd96890aeddcf8e0773a194e94fffe75df9cb760bc25e5e6dd55bd0ef8dbdefab

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 7a28ee2c85975a324052901d8370e041
SHA1 b3a4a904aaec064f0c2b4a5a73f6032c70f25489
SHA256 d32d4f301998b5892e34fcd16ed5953ca09098ae365dba556cf2d490bdfe6cb9
SHA512 8d33a6d6b0646dd177b71d6f1bf132fb49b2198aa13fd4e12cd9be9f5c7c0fb6697c7c7a535c47f7deef28061c356fe7f7ba5df7ffc1778ff71609a88b2fdd8d

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 6ef3edf4d23bb910afe422a2a442fe74
SHA1 e38ca79a7f3163dc000f63aea0a6258f8fa0ef13
SHA256 137252c23757e5e0d99d53bae3305915a151bfb1c9b2dacba713caf4d3c7d55f
SHA512 935600fa640acdca693d791deebbed132dade5c11fbc2ddb3c2d3cc4284787b686876c6e96a718356f05b5d72f919d29faf15d592ed99b95dcef5c9a2dc28a62

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 bc8734b6c9a1c0daee56015569795877
SHA1 07eabf9d20468b91094ef59e024c95512e81ba47
SHA256 26d3ec3f2343e560e37e62eb2026e5a19eeb296a1f304b9db2e1954f997c2ee8
SHA512 12b50d8d09df8002ae7c55a72133da149f0a71e8b4eac9ecf46d6f9bcd5bbc187445c5a63fae87d894876df7c976ba0443c047d8cada78ea0f2167b434aa4033

\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 c6d82c53a70939bf9579b79370191d6d
SHA1 d33d21fb0f1d5624637826b8e6ce77c0c3225da5
SHA256 9585a70174876f6eaa0877610cd91222f4d29cd3e9a666fbf7a8993f4369955d
SHA512 e90094e1c145419ee8bd8db262d5ff4cb49e326b7b0af174f1f5cbd9b08572f6a42597fd9d971a2481eccab70c8b482d25394c9cee15851ef2bcd0cf08816886

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 a5cff547a0b21ea2b83973e448b9cde4
SHA1 1ce21af16fc7990a6482813d5da8a01da6128c3d
SHA256 71c401cd7cdfb7c753c85656e4b2c14541b4ce56a919ec20882928c97bca8ac7
SHA512 d1314a37ed9ef07411c4c4e7b15078bec4c3e1a94823c3ef4e13e1f8958a2a21cce909aec9d5f5ff896b4a6035953f8c2fcdd498dfdf33a469894ea501a37825

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 15f35a20eaa6afdf85d13e7393e00dd8
SHA1 ae0c13ff90b76080fd0dd61bbf91f4b46742db66
SHA256 e0e452e96bcf27ab921f0e46c7d37d783d25a655f8698aefff375d9eaeebde38
SHA512 eb083ff690c73e710b9d799cc317e748920e1dfd87dafb2117bf4c9ad9a5b3586169dd4cc3f0064f81640752a5e2f076837648da4d5a95fff921877e49d96443

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 bd31d1bde3494d280387cc081f7829af
SHA1 882e7c8c46d00a9ac04abb6d8d40dd7333524bf8
SHA256 6af46f7a40c487191a953fb171a742afda53f6f3cd4de0c41fc1ac0d8e7ca129
SHA512 cae888e497324ed500eafc546f7af3a7819c8d40101d674e8236af5c5cb1101df46257d9c0691c3b43854cb5a4edca5f2018cb71201b5aad8bc771369aa59320

memory/1552-239-0x00000000733F0000-0x0000000073ADE000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse1B9D.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2076-246-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/952-248-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/620-247-0x0000000000400000-0x0000000000700000-memory.dmp

memory/620-245-0x0000000000400000-0x0000000000700000-memory.dmp

memory/952-249-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/952-251-0x00000000029C0000-0x00000000032AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1DB3.exe

MD5 b2c14d5c21130dc795b521206c0b97d4
SHA1 3cfe837b022d15fd869e6262813e38ed8efb92dc
SHA256 ceb9c45f1cba5982b280a1513486b731db96580d5b352dbecf6a499db5233c37
SHA512 bd71a2f37bce36f986da25acfd43919c141e321427d9b8176d4cbe67ca23e93face541ce1192057b129fc7e960ef25af2eb9233badfdc06afdfa85ebae6ff107

memory/776-259-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/776-258-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/776-260-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 c7fe878e6fc3be20c84b5e85b97efe17
SHA1 51ebfabdef927465e68c5843ae4f2a930b82a24b
SHA256 a4a662c0c92c27d74fc00f6f5e24b1b4116da7d582607161f0570cdfcc0a6040
SHA512 24f2fd40425ce1a1585157255b0dbb856635fa2fb08f00419693ebf8e0c774d47890aad7b69adee08b315607b0bc68375421737f4785b577110894028a013289

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 075ba87f561aabdf85b6304d4c016cce
SHA1 8d328481f29e6f33f2abdf47846e4078d6963ae0
SHA256 6398b519b64633375c432b8a02c9e2e7b5292180ffa6aa76adff0354d05ab7dd
SHA512 37812042b601b75ce29f2ffc32307ed08cd7fb58dd0b86bc30664af4941423faa042560281b7b1920aa9b94daa0fddae0f4536fcdbefff42d007296bf92827d2

memory/2448-267-0x00000000026A0000-0x0000000002A98000-memory.dmp

memory/2448-272-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/952-273-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/952-274-0x00000000025C0000-0x00000000029B8000-memory.dmp

memory/2576-286-0x00000000003A0000-0x00000000003C7000-memory.dmp

memory/2576-285-0x0000000000230000-0x0000000000330000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso26D4.tmp

MD5 da812d63d6637fbc245339e746ccf1f9
SHA1 1d5c645e81e96606b26aa56526fb0022bb68c4b0
SHA256 4f4c0bb02c9763384478abac72bf8ddd8be850be19e4978b90b5329ef689aeba
SHA512 05579ee699524ef0a95b730a252ce93302b71aefabc4642e002e817dd35c922473e6a1102efa43041f591a8ba04f5b5ccd0d8f43ee737eb2c8b0c086eed4a177

memory/2576-287-0x0000000000400000-0x0000000001A2A000-memory.dmp

\Windows\rss\csrss.exe

MD5 0f68106658c054bde5c705e5b1f000e6
SHA1 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102
SHA256 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c
SHA512 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e

\Windows\rss\csrss.exe

MD5 8968359e460df9992c18c113c1c17674
SHA1 1370811cb82506f311c9ea7564df9a0029bd2265
SHA256 da196e9c74d5f55018e8b34e506f8d15dafaff07ad297215139e28bc2f11f07c
SHA512 cc9ce4a2cf680d5bf9945ee00600877e4a28a940888e6e9db90b431469f2a926fb386a4cb98243d60da4ad52353088d156a6815b1335e6b9077ed04a13e9f7d3

C:\Windows\rss\csrss.exe

MD5 aaf0bb37ae70edf36b650977fe25658f
SHA1 dec39feae72f0c5ae84775303e543ca353de6256
SHA256 bb578336ff40082f50aa894cd7b33f4078d16277942c35b20da5da995fe21d06
SHA512 d0c8bbd2d0fbc4821c2ee12245aa9cd434c138256fc10b7c3717cd4988b3298a221c7da764a2bb67d511870dc9ae52cf018304bb04744212fac2461bd4a055e4

memory/2448-298-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2640-336-0x00000000024D0000-0x00000000028C8000-memory.dmp

memory/776-345-0x0000000000400000-0x0000000001A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4975.dll

MD5 29eb6d30843e8be8868fa094be34ce1d
SHA1 9bfb7fa1d52b4747597c89fadbb2ed783955fcc2
SHA256 5ef77adb0b5b0981d5c1f14c7a1623d5b49f38ef441ed7cd1f660ed675e17548
SHA512 191b68119ab6388b5775d9981b8c2537e42306709ed4c33fe2463dca8015abc48fe90b66394d3f70ffe38200c1b211feb24e9df3c6136566b001488daf06e3e9

memory/2640-481-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\4975.dll

MD5 357fa7178d686f8197a5f4ba0a07d129
SHA1 1aad3ab250681e9ee108df92d063629d50e30621
SHA256 2ce7ce2046ba27fbc92d4a99e2def37a5f842d17246c95d4a6b2f3f7bb860a64
SHA512 c84ffa844c22a31caf5f759956dde426f5cbd8d2fa58ca17b4a61d8595ca35dd47363ff69cc3c34408ee922e4869a1817e5e00bd9fb392cb484c8fcf935523c2

memory/3660-1550-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

memory/3660-1701-0x00000000022E0000-0x00000000022E8000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e