Malware Analysis Report

2025-01-02 11:06

Sample ID 240315-fek58sge6t
Target 036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb
SHA256 036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb
Tags
amadey glupteba smokeloader stealc pub1 backdoor bootkit dropper evasion loader persistence stealer trojan upx dcrat lumma discovery infostealer rat rootkit spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb

Threat Level: Known bad

The file 036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb was found to be: Known bad.

Malicious Activity Summary

Pitou

Amadey

SmokeLoader

Windows security bypass

Glupteba payload

Lumma Stealer

Glupteba

Stealc

DcRat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Blocklisted process makes network request

UPX packed file

Reads data files stored by FTP clients

Reads local data of messenger clients

Reads user/profile data of web browsers

Checks BIOS information in registry

Loads dropped DLL

Identifies Wine through registry keys

Deletes itself

Windows security modification

Reads WinSCP keys stored on the system

Executes dropped EXE

Checks installed software on the system

Manipulates WinMonFS driver

Accesses cryptocurrency files/wallets, possible credential harvesting

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

Runs ping.exe

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-15 04:47

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-15 04:47

Reported

2024-03-15 04:52

Platform

win7-20240221-en

Max time kernel

92s

Max time network

294s

Command Line

"C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe"

Signatures

Amadey

trojan amadey

Glupteba

loader dropper glupteba

Glupteba payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Pitou

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PHYSICALDRIVE0 | C:\Users\Admin\AppData\Local\Temp\4914.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | N/A | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8891.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1196 wrote to memory of 2628 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8891.exe
PID 1196 wrote to memory of 1600 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E8CA.exe
PID 1196 wrote to memory of 1452 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3861.exe
PID 1452 wrote to memory of 2300 | N/A | C:\Users\Admin\AppData\Local\Temp\3861.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2112 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4914.exe
PID 1600 wrote to memory of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\E8CA.exe | C:\Windows\SysWOW64\WerFault.exe
PID 1196 wrote to memory of 2960 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\764D.exe
PID 2960 wrote to memory of 1068 | N/A | C:\Users\Admin\AppData\Local\Temp\764D.exe | C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 2960 wrote to memory of 1744 | N/A | C:\Users\Admin\AppData\Local\Temp\764D.exe | C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 2960 wrote to memory of 768 | N/A | C:\Users\Admin\AppData\Local\Temp\764D.exe | C:\Users\Admin\AppData\Local\Temp\april.exe

Processes

C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe

"C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe"

C:\Users\Admin\AppData\Local\Temp\8891.exe

C:\Users\Admin\AppData\Local\Temp\8891.exe

C:\Users\Admin\AppData\Local\Temp\E8CA.exe

C:\Users\Admin\AppData\Local\Temp\E8CA.exe

C:\Users\Admin\AppData\Local\Temp\3861.exe

C:\Users\Admin\AppData\Local\Temp\3861.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 124

C:\Users\Admin\AppData\Local\Temp\4914.exe

C:\Users\Admin\AppData\Local\Temp\4914.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 560

C:\Users\Admin\AppData\Local\Temp\764D.exe

C:\Users\Admin\AppData\Local\Temp\764D.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\april.exe

"C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\is-5UIL6.tmp\april.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5UIL6.tmp\april.tmp" /SL5="$501EC,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\uto.0.exe

"C:\Users\Admin\AppData\Local\Temp\uto.0.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240315044849.log C:\Windows\Logs\CBS\CbsPersist_20240315044849.cab

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\9977.exe

C:\Users\Admin\AppData\Local\Temp\9977.exe

C:\Users\Admin\AppData\Local\Temp\uto.1.exe

"C:\Users\Admin\AppData\Local\Temp\uto.1.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\CAD4.exe

C:\Users\Admin\AppData\Local\Temp\CAD4.exe

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\D6D6.exe

C:\Users\Admin\AppData\Local\Temp\D6D6.exe

C:\Users\Admin\AppData\Local\Temp\is-GH5S0.tmp\D6D6.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GH5S0.tmp\D6D6.tmp" /SL5="$3023C,1787282,54272,C:\Users\Admin\AppData\Local\Temp\D6D6.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\3E6F.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\3E6F.dll

C:\Windows\system32\taskeng.exe

taskeng.exe {64C57A43-464E-42F3-9638-DECAA92A20B8} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\298544033322_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Roaming\wbjtssd

C:\Users\Admin\AppData\Roaming\wbjtssd

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files

memory/3000-1-0x0000000000510000-0x0000000000610000-memory.dmp

memory/3000-2-0x0000000000220000-0x000000000022B000-memory.dmp

memory/3000-3-0x0000000000400000-0x0000000000474000-memory.dmp

memory/3000-5-0x0000000000400000-0x0000000000474000-memory.dmp

memory/1196-4-0x00000000025C0000-0x00000000025D6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\8891.exe

MD5 82cc4876ad98b647cfe84f76eecd8f64
SHA1 0c18c3c81a0b66f8e61a989528360ffbba103065
SHA256 bb9fce882e4ecc356da7cdc7226c6d1af9e56285880cb106625f075dd224742a
SHA512 00775d283ebee4793237f9ff4d1f098779418fb06e8812d95d5477a0634c704e2f1abf98efbeae292503402a959fc7db176715c2548284cc6b75eafe3a7ad19e

memory/2628-17-0x0000000000A10000-0x0000000000ED6000-memory.dmp

memory/2628-18-0x00000000774B0000-0x00000000774B2000-memory.dmp

memory/2628-19-0x0000000000A10000-0x0000000000ED6000-memory.dmp

memory/2628-20-0x0000000002510000-0x0000000002511000-memory.dmp

memory/2628-21-0x0000000002630000-0x0000000002631000-memory.dmp

memory/2628-23-0x00000000027B0000-0x00000000027B1000-memory.dmp

memory/2628-24-0x0000000000700000-0x0000000000701000-memory.dmp

memory/2628-22-0x00000000022E0000-0x00000000022E1000-memory.dmp

memory/2628-25-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2628-26-0x0000000000A00000-0x0000000000A01000-memory.dmp

memory/2628-27-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2628-28-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/2628-29-0x00000000026A0000-0x00000000026A1000-memory.dmp

memory/2628-30-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/2628-31-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/2628-33-0x00000000009F0000-0x00000000009F1000-memory.dmp

memory/2628-34-0x00000000027C0000-0x00000000027C1000-memory.dmp

memory/2628-35-0x0000000000810000-0x0000000000811000-memory.dmp

memory/2628-36-0x0000000002C20000-0x0000000002C21000-memory.dmp

memory/2628-41-0x0000000000A10000-0x0000000000ED6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E8CA.exe

MD5 b4c77aaa26e437858f099abfdb8ee1f5
SHA1 c0bd1444874a16b42a5d1e22b10e0744dd0f15c6
SHA256 e564d98fbfb0405a28d41e54db998225decbe3574641c985f5d39d071f259f12
SHA512 6fce5c77a06b6ec781af4717946c6ef680e411202137d07a026a5d519c59d15fdc682aee17137cdc8dd336256abe7a8727ad248a7b33723af9225a44f3e4d034

C:\Users\Admin\AppData\Local\Temp\E8CA.exe

MD5 c05facf90ceefb6d9da6dc74f0d3274a
SHA1 be9e6cf2a48e56854a5ce41956bd212423e17d72
SHA256 ced8c3ab1b5eec6f115582785bc815cba23a926111eb93241fa4fdfe0201321a
SHA512 bf755b3de39cd3ba8425d362037220df18a154279d4a4be2f2a0e7bdbc6839127b9382d2cb90be59d4e2489dffe3a2540428f487affeadcf6df33c2bc925e8f0

memory/1600-47-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/1600-48-0x0000000000BF0000-0x00000000010C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3861.exe

MD5 6d46cb1df7eab58a56aee28845a8e985
SHA1 e7ae4c2431b461074e90f82e700556949e9462d0
SHA256 2c577b5e30f1b99a40257982d7d075c071598c03c9d2fa684ea8fd893dd23dde
SHA512 35adc71192bea069a8c6e9cc7fb38a101699b4db036af2d2676dad0b39795cd8ccb676c7609e1ed3007a594dc686f027404bb7fc56ba85d15ab2586e1c028a96

memory/1452-54-0x0000000000E80000-0x0000000001AD9000-memory.dmp

memory/1452-56-0x0000000000E80000-0x0000000001AD9000-memory.dmp

memory/1452-57-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1452-53-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1452-84-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1452-82-0x0000000000110000-0x0000000000111000-memory.dmp

memory/1452-79-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1452-77-0x0000000000100000-0x0000000000101000-memory.dmp

memory/1452-74-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1452-72-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/1452-69-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1452-67-0x00000000000A0000-0x00000000000A1000-memory.dmp

memory/1452-64-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1452-62-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1452-60-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1452-59-0x0000000000080000-0x0000000000081000-memory.dmp

memory/1452-89-0x0000000000E80000-0x0000000001AD9000-memory.dmp

memory/1600-90-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/1452-91-0x0000000000120000-0x0000000000121000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4914.exe

MD5 a1b5ee1b9649ab629a7ac257e2392f8d
SHA1 dc1b14b6d57589440fb3021c9e06a3e3191968dc
SHA256 2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65
SHA512 50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

memory/2112-102-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

memory/2112-104-0x0000000000250000-0x00000000002BB000-memory.dmp

memory/2112-103-0x0000000000400000-0x0000000001A77000-memory.dmp

memory/2112-105-0x0000000000400000-0x0000000001A77000-memory.dmp

\Users\Admin\AppData\Local\Temp\E8CA.exe

MD5 0de49b7358184b13c717ea9a823f12bb
SHA1 a764efe549b694c7ce05773c55b7d582b6f4ba2d
SHA256 48c26d758ee7acee07033f1583de83451a9e1f07facf958b786c654786f7f18f
SHA512 d10361e573912aad2dd49791c14cb6eec6d271eb5353b9c500e2824eb229e96799ecc982e96abb3fbd610eef6cb55487873bbac9dfbf0a68872beac746e9044a

memory/2112-111-0x0000000000400000-0x0000000001A77000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\764D.exe

MD5 01a662109a24994cfed9daef68feddeb
SHA1 df29b74541171333ccb76ab1f53f010cda1981d5
SHA256 45ad76a00bebad5671ad39411a85e149d64cf44db0d0198ae59f42b3cb68e4ac
SHA512 65a71aa14732467cb22372330df16ee5a39ff784684ffb74b383086d4e3b13ae77cf6899dded5e24da77ed6fc3c182564c4081a3e7d11c624783f1ed6505620f

C:\Users\Admin\AppData\Local\Temp\764D.exe

MD5 d56181b20ad49068b12a3f53fd1e09a0
SHA1 459e75c4d446dce80408c0a687b44e91af5e5062
SHA256 998bce3c57dbf400919091518fe7f76047f2ce3dc36d32a7299472f6ed906b00
SHA512 0235325e03e1fbb15881552052f18f2dd195c1587f25750658a01b24b0c26cc95d3d0df867fc4e1484727d821c9a414dcedd79f430f9e900f0dfcaefed89c520

memory/2960-118-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/2960-117-0x00000000008F0000-0x0000000000F34000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

MD5 f98c75a2502a2f5251b262e4aeaf1c16
SHA1 0edb55ec7e7768a39f1bf37dc27aecd04507f63c
SHA256 392ff6fc0a544611919098a630cebfd47ecd210cdc34c97081bfe31c938ba67c
SHA512 b05969d381c66f06b3ec8af2a76312e3bf6cef34e84ef062685a16062ee50f0aa198a8d2d7641939ec2c66f08e3439357f15087eb51a7ef1b63a6683a129bd58

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 8abd32ff29fa755495aeb64ecc7d5695
SHA1 ad5b51e3fdf40232079343c5318c51c7cfde97d4
SHA256 64c6348642b6e7fca5b8cd5e5b571ce5014a55759828627c592fc4aaca24c256
SHA512 4847836417e6253102184c190a133d3cdde434e883d134f57e1c1351230ffd897f997a241f4c8416fc496f422c00ad4f575d31d204275fd62664bc53cbf77521

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 0ff541aacdc3f24f495d97aad8107d24
SHA1 94b30417bcab2c8a90a83ecfa98eceafbfb79452
SHA256 c7e60fa17326ee871b23d43754d680248e5870ec7e6d7bf26e2ef0e02c6e14c8
SHA512 6d9834f0b1da83104c704dd8d8c21d956a1e2be66a13ff4dbccb16211ba0d5f63caecb44d459f1726e6fcd277be2be5bd8df2ee1e516b27b95267da44a4c6e09

\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 6811cbac1098d9684b6023d95d0f9f21
SHA1 00853e5745c493e404ad08fbb8c28d0124a679c9
SHA256 d3475b993c32e155c965883499fa92ee473e558e4fdbd6cec9c333fc80c2f338
SHA512 6a55e9dfb71d879633eea2f64c2071fea866cfa7b8220af0548dc42381c8d16d6779687b2ae5b042f2c08ca83747dbb63bf3e0e39777d90e2cf2b0b841af233d

memory/1744-136-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/1452-137-0x0000000000E80000-0x0000000001AD9000-memory.dmp

memory/1744-139-0x0000000002800000-0x0000000002BF8000-memory.dmp

memory/1068-144-0x0000000000270000-0x0000000000370000-memory.dmp

memory/1744-141-0x0000000000400000-0x0000000000D1C000-memory.dmp

\Users\Admin\AppData\Local\Temp\april.exe

MD5 a84541841e8d381cefe71b9467c439c3
SHA1 4e45c5d8ec17818e67a9d1b65183be203d54b7bd
SHA256 c4529e757bce9a52ff52cecff2b89344d33acc4cc3a23577b4f560396ab3beda
SHA512 43b28773d2d5529577c21a82d520e01716625a90b734f750722ee97abd92a9845267ce02b41cf75f0f50d165020b278f76386efbe8106979c429047b4f54dd49

memory/1068-143-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/1068-142-0x0000000001C40000-0x0000000001CA7000-memory.dmp

memory/1744-140-0x0000000002C00000-0x00000000034EB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 79e00c7949907d9199c2534a5752ec68
SHA1 463a315d7dca1fa65f4b4cd27ce8ad50b60df36b
SHA256 e80e0059de4bb77da9de848f9f89863c873721159d1800785c20fceea5aca76d
SHA512 cf55871e759021e2e5ed8108675ed3ee6283a5780bfd7befb4aa5edfe688dbd05c212dbbaf1b09df3ec0d6b10f8f12a00d5e10d394849f005c597900cdc6db6e

memory/768-152-0x0000000000400000-0x0000000000414000-memory.dmp

memory/2960-151-0x00000000744E0000-0x0000000074BCE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uto.0.exe

MD5 2dca1d0c0e9f892a717ed02f6e90211a
SHA1 5857f867c5fb4bedc25794c1f960b3c03dfabccf
SHA256 b589fe21a9c02115d64fa8adab169804c69532eb2476132135a568afd179cefb
SHA512 2f84804935e96ba3ced308deaa1c5c8b991b4ab70551b192fbedee36b629b12780d338f84e2ed95e427eb4b93c6def9aa82d15f1d97add3fa8366b620463bd5d

\Users\Admin\AppData\Local\Temp\is-9OGU6.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-9OGU6.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/2112-170-0x0000000001BC0000-0x0000000001CC0000-memory.dmp

\??\c:\users\admin\appdata\local\temp\is-5uil6.tmp\april.tmp

MD5 33da9dc521f467c0405d3ef5377ce04b
SHA1 5249d7ce5dfabe5ee6d2fc7d3f3eba1e866b7d1f
SHA256 dbab8a7b2b45fc7001d5e34d3d45ccbe93a7591f12910281acf2c32f8c4e631c
SHA512 a3093637e1d731eab58080e10706db1afbf6e79fbac6593733b61033f97875ecbe230311e9741d349625ec3a66a6435318846d35290db8cd00af76d692699a55

memory/872-196-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 abc868cf6f8183990f8d476dbe1224ba
SHA1 b9226909d1c0472af5eabd6949232d509ecf38cb
SHA256 17573c321796456afc4e0fdf9eb00326636410dbbcd2c4c92495ef39a2f48924
SHA512 d1c1e5c11cb58430b8f9455fbbdb094fc51cdb75382b1e7d1b03c08936f553cfb73c71c9869428e8a77ad3e9de8cde15bbd733b4843cb9ed9dc394d1a160ba01

memory/1744-200-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2888-203-0x0000000000250000-0x0000000000350000-memory.dmp

memory/1068-204-0x0000000000400000-0x00000000004A5000-memory.dmp

memory/2704-214-0x0000000000390000-0x0000000000856000-memory.dmp

memory/2888-215-0x0000000000400000-0x000000000063B000-memory.dmp

memory/2644-212-0x0000000002680000-0x0000000002A78000-memory.dmp

memory/2888-211-0x0000000000640000-0x0000000000667000-memory.dmp

memory/2704-216-0x0000000000390000-0x0000000000856000-memory.dmp

memory/2704-217-0x0000000002690000-0x0000000002691000-memory.dmp

memory/2704-219-0x0000000002660000-0x0000000002661000-memory.dmp

memory/2704-220-0x0000000002930000-0x0000000002931000-memory.dmp

memory/2704-225-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2704-234-0x0000000002520000-0x0000000002521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\uto.1.exe

MD5 e21c7d13f0fa52d40a04861b68541a4d
SHA1 05a6ed1daa9b4cc551e4471e84227aca179887c0
SHA256 973c66020724a0f158e03b731e3d56b22698cc0f003c75bd1bba29c02e4192d8
SHA512 de68362cc10829a9ab973afffb9a1c6e135b49964e1e422dea6432908631a9c2efe1379e802085a09f2ab9b54b047c35946eb3d7b153eb6815a51924d1624953

memory/2704-236-0x0000000002610000-0x0000000002611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 6725ad6a88a65205aa7c928e8213bd7f
SHA1 08a464717ebf1bb81661fd44641587d7cde57c3b
SHA256 6673658c9fb8bcc2c7d714fe257af3a61d42e94b82fc3b4e8794bc90b7b2608e
SHA512 0f7840a5b88d2a0ae7e7824bb1bcfbc338b9397ff8c4ee228b8466297f18cd57b3d8b40ba74c93f2a91487359fad68d4163b414e47616857655b9f573eb50809

C:\Windows\Tasks\explorgu.job

MD5 3d41a9d370aaee439f269f69fab7909a
SHA1 7acc6894a22a16b9ec661a4f67df157d9aba6d42
SHA256 04bcdf906cfab039d5ddc7954e415e2725b496692132dc7308920af7b3e17255
SHA512 3da6bf9fd88f178ea3f2c82b84abd14103428a0fd6eded106daca9e439e287fb4af4410db99bcb4b5472536f3789008f70741aeae4111499d941807d9b0263bd

memory/1068-235-0x0000000000400000-0x00000000004A5000-memory.dmp

\Users\Admin\AppData\Local\Temp\uto.1.exe

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

C:\Users\Admin\AppData\Local\Temp\CAD4.exe

\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\D6D6.exe

C:\Users\Admin\AppData\Local\Free Sitemap Generator\is-RSRHR.tmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Analysis: behavioral2

Detonation Overview

Submitted 2024-03-15 04:47
Reported 2024-03-15 04:52
Platform win10-20240221-en
Max time kernel 302s
Max time network 302s

Command Line

"C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe"

Signatures

Amadey

trojan amadey

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

Pitou

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\D69.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\360F.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\360F.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\360F.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\D69.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\D69.exe N/A

Deletes itself

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\D69.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\360F.exe N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\288c47bbc1871b439df19ff4df68f076.exe = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ledger-Live Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FCFBFBFBKF.exe" C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-885525822-3215264538-2232956653-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\CC76.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D69.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\360F.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2936 set thread context of 1436 N/A C:\Users\Admin\AppData\Local\Temp\4988.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\D69.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A05.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A05.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrjshha N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\4A05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrjshha N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Roaming\vrjshha N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\umk.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\umk.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-541 = "Myanmar Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-222 = "Alaskan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-962 = "Paraguay Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-52 = "Greenland Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-742 = "New Zealand Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-961 = "Paraguay Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-282 = "Central Europe Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-872 = "Pakistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-391 = "Arab Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-142 = "Canada Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2632 = "Norfolk Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-772 = "Montevideo Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-92 = "Pacific SA Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Windows\windefender.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\umk.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3352 wrote to memory of 1304 N/A N/A C:\Users\Admin\AppData\Local\Temp\D69.exe
PID 3352 wrote to memory of 2936 N/A N/A C:\Users\Admin\AppData\Local\Temp\4988.exe
PID 3652 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 4788 wrote to memory of 1268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1268 wrote to memory of 1208 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 1268 wrote to memory of 4104 N/A C:\Windows\system32\rundll32.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3652 wrote to memory of 4500 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 3352 wrote to memory of 4476 N/A N/A C:\Users\Admin\AppData\Local\Temp\BEAA.exe
PID 2936 wrote to memory of 1436 N/A C:\Users\Admin\AppData\Local\Temp\4988.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 3352 wrote to memory of 4308 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC76.exe
PID 3352 wrote to memory of 5012 N/A N/A C:\Users\Admin\AppData\Local\Temp\F3D.exe
PID 5012 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\F3D.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
PID 5012 wrote to memory of 4268 N/A C:\Users\Admin\AppData\Local\Temp\F3D.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 5012 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\F3D.exe C:\Users\Admin\AppData\Local\Temp\april.exe
PID 3096 wrote to memory of 1432 N/A C:\Users\Admin\AppData\Local\Temp\april.exe C:\Users\Admin\AppData\Local\Temp\is-EHSPT.tmp\april.tmp
PID 812 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe C:\Users\Admin\AppData\Local\Temp\umk.0.exe
PID 812 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe C:\Users\Admin\AppData\Local\Temp\umk.1.exe
PID 4268 wrote to memory of 604 N/A C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4312 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\umk.1.exe C:\Windows\SysWOW64\cmd.exe
PID 3352 wrote to memory of 3548 N/A N/A C:\Users\Admin\AppData\Local\Temp\360F.exe
PID 668 wrote to memory of 2936 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\chcp.com

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe

"C:\Users\Admin\AppData\Local\Temp\036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb.exe"

C:\Users\Admin\AppData\Local\Temp\D69.exe

C:\Users\Admin\AppData\Local\Temp\D69.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\4988.exe

C:\Users\Admin\AppData\Local\Temp\4988.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\855258223215_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\BEAA.exe

C:\Users\Admin\AppData\Local\Temp\BEAA.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\CC76.exe

C:\Users\Admin\AppData\Local\Temp\CC76.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 952

C:\Users\Admin\AppData\Local\Temp\F3D.exe

C:\Users\Admin\AppData\Local\Temp\F3D.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\april.exe

"C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\is-EHSPT.tmp\april.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EHSPT.tmp\april.tmp" /SL5="$901F4,1478464,54272,C:\Users\Admin\AppData\Local\Temp\april.exe"

C:\Users\Admin\AppData\Local\Temp\umk.0.exe

"C:\Users\Admin\AppData\Local\Temp\umk.0.exe"

C:\Users\Admin\AppData\Local\Temp\umk.1.exe

"C:\Users\Admin\AppData\Local\Temp\umk.1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\360F.exe

C:\Users\Admin\AppData\Local\Temp\360F.exe

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\4A05.exe

C:\Users\Admin\AppData\Local\Temp\4A05.exe

C:\Users\Admin\AppData\Local\Temp\5D11.exe

C:\Users\Admin\AppData\Local\Temp\5D11.exe

C:\Users\Admin\AppData\Local\Temp\is-71QJA.tmp\5D11.tmp

"C:\Users\Admin\AppData\Local\Temp\is-71QJA.tmp\5D11.tmp" /SL5="$8021A,1787282,54272,C:\Users\Admin\AppData\Local\Temp\5D11.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe"

C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe

"C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe

C:\Windows\SysWOW64\PING.EXE

ping 2.2.2.2 -n 1 -w 3000

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7DC9.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\7DC9.dll

C:\Windows\System32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\gajshha

C:\Users\Admin\AppData\Roaming\gajshha

C:\Users\Admin\AppData\Roaming\vrjshha

C:\Users\Admin\AppData\Roaming\vrjshha

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 476

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

SHA512 6f0e2751a8c582894e9f6bcf02fa300e842e409e84a813edec002d4e605fe462aa15854cc8da7aba74b680a685d9997887f3e8b26bf8d3aac7fb3b513b38446b

C:\Users\Admin\AppData\Local\Temp\5D11.exe

MD5 2d2b80fa49a5c3d0a3c2cc3a74270519
SHA1 adbaac0bebefc4820fa0ed02b8ccbfbac2f47384
SHA256 b2ea745b99ce71482b164138ee90491db4906229e0dc97622b86f035e5371099
SHA512 48ad88eb567458fa929dfb9ec5c40bf5fad33b8803e1ed5d6a1f34796356d393ca7247c0bd915d9403b39b968b6a5335ab692104cf3f0ff42598567f0e1da988

C:\Users\Admin\AppData\Local\Temp\5D11.exe

MD5 2d879ac2a9de00436ac2979834f9f503
SHA1 01113e031205652b8b48a72d8792abb5a9826f41
SHA256 ec2f58cc447c87bf7d807a0372d646e2f891b3ae9206c8fa97c96d8c1ba640d9
SHA512 4e8df2287675d7b025943d703ab0d536af4ff24aad6f79b4cf3e86f13cf6562c9913ae8e94ea905f2d05eb981b80e40e13bbc82d8aa9f502e76e495e009b2f66

memory/3652-639-0x00000000001B0000-0x0000000000676000-memory.dmp

memory/2340-638-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-PP3O4.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Free Sitemap Generator\is-BVEFN.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/3352-696-0x0000000002E10000-0x0000000002E26000-memory.dmp

memory/1612-699-0x0000000000400000-0x0000000000474000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 abc868cf6f8183990f8d476dbe1224ba
SHA1 b9226909d1c0472af5eabd6949232d509ecf38cb
SHA256 17573c321796456afc4e0fdf9eb00326636410dbbcd2c4c92495ef39a2f48924
SHA512 d1c1e5c11cb58430b8f9455fbbdb094fc51cdb75382b1e7d1b03c08936f553cfb73c71c9869428e8a77ad3e9de8cde15bbd733b4843cb9ed9dc394d1a160ba01

C:\Users\Admin\AppData\Local\Temp\FCFBFBFBKF.exe

MD5 42b838cf8bdf67400525e128d917f6e0
SHA1 a578f6faec738912dba8c41e7abe1502c46d0cae
SHA256 0e4ffba62ce9a464aa1b7ff9f1e55ace8f51ff1e15102d856f801a81f8b4607d
SHA512 f64b39d885375251ab7db72c57dc5b5095f0c6412169f1035d1f6a25b8415a2a01004d06bfa0267cf683ef7dea7a9f969ad43fde5a4376f1fcb65a57403433c0

C:\Users\Admin\AppData\Local\Temp\7DC9.dll

MD5 6670f934200c05645fe83658b712a0cb
SHA1 8eafc8865f8c70f99c393b7b5add04f160de2d84
SHA256 2b8cc7bee391ce75661bb9b264e7c804ac385e4624f7bd5b64f0e61d2ffc1e15
SHA512 2b90204abbe7fd83aeccb669b5db0b675674c54a2327c80582c88a466d3a8d97e49816117850e8fdd7f83ff4860bc127191a143a29da0765b4da44c0c4b1c0d4

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 db01a2c1c7e70b2b038edf8ad5ad9826
SHA1 540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256 413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512 c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 63bcf3e68a169c8f97fda4563912c989
SHA1 8046ebac67b85c10a01a2fe9ce046111216578ec
SHA256 204e295e12d1204dbbb2e2f69630cdda0a1360133a769086161ea732d80315d5
SHA512 c3a3f2462a25afcf4c1aa201a6f1c11a64cb740d9c049b693205683b7a000212979d62427af7410764bcb0ee981b380711cd5514aae4c3852684b32d601eb9b5

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 38e63c28d4975831848f1db6cd8408be
SHA1 18dd874237ac6343453fec2ce4028bd37d1e7471
SHA256 cf6842e0ea02933345213819788211b802e04acf6df06058cff4737bb6eca11b
SHA512 d79d401bd21f59e53d990842c6c5b4f662be38c2427741d0e7228b75b9b5b29600567419013939c56f7e91a1454f56070fc22b44c0b149a74c62dbea44eaf29a

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f40c4842837a4288c5d6d9ff28c98003
SHA1 fcb5387df20d13f500a4edecde494d2f127f6328
SHA256 d03f286ef10a059322bce995c6b97c04901c5c7956d80c01c9c53a6d591689a6
SHA512 ca933b87f51568ab88b7efd608357c1b0caeba80d4613c6bc3fe216507bf0256f9ddbdd4a4697c5a0c61836bfb10a4746dbcac7835f612b1b24f0d6888d1ae54

C:\Users\Admin\AppData\Roaming\gajshha

MD5 e5f41d1ac34e543ae5174a2b540ac95d
SHA1 71ce99e956847513f7d00b4222746b6363f4fe38
SHA256 036f13de3d4ae9b9a268c561ec1681642988320302a4696e0c6683cbfd7831bb
SHA512 2198275db3e5d5d0490a2cff8ecb942da2b158552a79690fd2f7bb82ca2d49f8ed923a1d8cfe1559c4d93d3dea31806161579e06d91246ccd318ed0a4d332dc0

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f2827975fe6ff42b4a68c27aad5b8151
SHA1 f85d4d6521fba7b1d49d3c0ab6a116b79e9b416e
SHA256 ee957ce6f8b48790d868edd540097e9f9aae8b984b877864e03d7a68ce5111bb
SHA512 9a38d2bcf7ee2a4f252f145ddd71390d9a81e2102e950afbb913368ec275e0e34e9f8ffbd2f7fc529336e2c0579e954515ef306307422082efe07d19522115ea

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 4d8674390d3f7ce1d858a076f15e7f41
SHA1 eaae4d04812632f13891c7730dd045a7bc52bae1
SHA256 6196d75bf36d384e0a88eb6b7b5c38ed6f9ef685e1584a1b1fa42cad853542eb
SHA512 da7b937133bb3049638afa9a1c69b47f6a31354388a31de0b5326e56e82e1bf25c63a71d0897f171c62870b2f13a92ef35f70b68ae7d549fd73b36c726cc4667

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec

C:\Windows\windefender.exe

MD5 e5c48e630471a2a8233eed664210e0bb
SHA1 1c87c02ccf2b03638968f9eea31a6c06a350fc73
SHA256 f2c7e0fa825c1fe91de816ee47185ce98c7769492cab8d72db6631ecfad64f7e
SHA512 0a330c2a352425d16567377f8495f1937e4786ec023bb971c6eee8a5ee5360b43ec3aab8b61d3c77386794976dbf6d3219400b307239350b4030433a5417499b

C:\Windows\windefender.exe

MD5 eac3c94e166a4ac3e7d3dbf26d505ebb
SHA1 c231e723ad6077f9b6bd12c5e7bd3fd208f7fa45
SHA256 662eb9030b85d481e53772eb13a1b747a62bc68a862e0e4ba90f4e6acb3fe124
SHA512 b5b0f2d3205ebf43593ae73318cc078b5eafed92be6c8d113cf0e7dbef9f84da759301393b9528ac7f11b2f82dd8a190ad5c2b9066c84afbc1c9fb775fcff1a0