Analysis Overview
SHA256
99215ca6eef63aa9399c52e6579aad4caf12bdce85d327a1591fab6e1c223b8b
Threat Level: Known bad
The file 633c983c901941da05e19f89ca8e9d33.bin was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
Glupteba
Amadey
Stealc
xmrig
SmokeLoader
RedLine payload
Glupteba payload
ZGRat
RedLine
XMRig Miner payload
Stops running service(s)
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Creates new service(s)
Checks BIOS information in registry
Checks computer location settings
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Manipulates WinMonFS driver
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Launches sc.exe
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Checks SCSI registry key(s)
Checks processor information in registry
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-21 01:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-21 01:26
Reported
2024-01-21 01:29
Platform
win7-20231129-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Amadey
SmokeLoader
Stealc
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\taskeng.exe
taskeng.exe {55A22E86-0B74-4198-8B63-670F14C23BCF} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121012923.log C:\Windows\Logs\CBS\CbsPersist_20240121012923.cab
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp
C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp
C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp
C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
Network
Files
| SHA512 | 50bdb658620ed021167164c5c50f18f58a87a071ee0cfe16624fb2991ad7cfbb8004cd7412e340f81a7f8039dea1913c28dd8ad8573d780f638bf3a967fd2192 |
C:\Users\Admin\AppData\Local\Temp\Cab5457.tmp
| MD5 | 9e8a70a78112e3add0ce6b95b3b3b899 |
| SHA1 | ccfbb0290e95712d3cf97e5f2d33d5df33af3133 |
| SHA256 | 73136a69737a7cd582265362864a6d0f7159deae651422840aaf88a9f60a50b0 |
| SHA512 | 7af59f6ae125fdeb266335b0903f5d80f339fc15519d9f5c6c05ac86ee72590f5c31feeddcf981289a2f363fe6cdd716815c3f9b6e15cc00c038538a99d09c3c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 1f1a3b101012e27df35286ed1cf74aa6 |
| SHA1 | 46f36d1c9715589e45558bd53b721e8f7f52a888 |
| SHA256 | 7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c |
| SHA512 | d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05bda3e583239c89b4855a958ab1cabd |
| SHA1 | c5d442f721ce12669ed9288b9bed1b15b04393a9 |
| SHA256 | 588b1bf41c50dc3b60df02da466fbc808e58a9e39606d858a895adbc89cc14c2 |
| SHA512 | 6de86573e72b8de086c753d96411d81275a3fa63f714a34d49342af66ef98d1543e55ae0c591fc694c1082fe915b03358f34ab604de4a79940410f9870b2b54d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 00dfcede93e66b869f9983f1dad60261 |
| SHA1 | e5d6162dd717e0b8b1b8390e5ece02c9cd7ac02b |
| SHA256 | fb7f68aa89364143d5d56d8dd0b6f47c84f7b8337ff89b7644dcb4ffdea928cf |
| SHA512 | 8dbd41420290ce018a9f1359b6ead95b1408489ddddcf94c5b5f6fb2fcb81f52a7d1457e900c10efb7b92af5fcc06b6cae308444b79dee1421ddc4a890884f94 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 354e9fef8093169ab558b3f20c4bf81a |
| SHA1 | b2293505f7519daa90aecd20a1e3b236f74be983 |
| SHA256 | ef8aab456cd4812c46735b308aa6e30d679289b8f2859c0afd0e9118c180f7a5 |
| SHA512 | 9c26b8026958b65233a568675bd0eb4ca589289200fd198eb15f574bf69273212eff684011bfb048a3af659fdf7395871e1b6666e36e83b471f67335d5ba5b27 |
memory/1640-315-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | bc85c6f6982922acc1971cac44a73de3 |
| SHA1 | e99335b8263cd4a50dd3e0238197ba33d4aa3b1d |
| SHA256 | 08c0acb657ff2a712c626e0a24ee76aa89448044f64439baf5b7c19d6849c48d |
| SHA512 | 3a57a3649e7fdf288e83f4ebf65d31de4c31eb9e7e62fe1b872698665378dcf1127171be0b22bcb31526d017c61387f14aefd968a491fbed4176af9f4faae9ee |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 64e98ea298d6ce41015decc64355465b |
| SHA1 | 21c640af8e67cb8116f86a3e559026457e418fd9 |
| SHA256 | 8c5072e70daf848dc355c41124cc6f54f6bab206847ebb5c7dc18c6e6b1c82c1 |
| SHA512 | e26a4435ab41415d3d3849cd3153ca8e92df548db864697d54c798f7f7c4e4ef3f483787412122e0273aad383225b359db9686297c70b2f5921aee2d146fa899 |
C:\Users\Admin\AppData\Local\Temp\Tar54B8.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bb344b796c6e006d03ce593b646c7021 |
| SHA1 | 847fa7a8f7afdee7c6b552971abca9748642abff |
| SHA256 | 955d2742de2332793017668cd47a118d2cf0875dd6336864bbd301d07eafa9c3 |
| SHA512 | 2524b9f55df55390afa0d818860251d3d086152766a4af292f7a4039a62f46252de404959aed462fbf49997c9cb1c8cd47b6f36a8c3550a24637e59281341337 |
\Windows\rss\csrss.exe
| MD5 | dd4faa88cfa8f2e6301d534510818961 |
| SHA1 | a8cdb64cddae3a1bcb79dfd9cbf026afdc3c9836 |
| SHA256 | b044799ee5d4c364950143e9eefe8d610c81b9a2f2dc1bc82488f870d0e8ca98 |
| SHA512 | d82284fc92810cb847fc492295074d64f8f2a9ae3f61ef0f08649f38ff82c2093649dff844831f71cd959576ec9f9b0faa001f4ff2b590357bea107a4b161fc4 |
\Windows\rss\csrss.exe
| MD5 | 4b104719fc86f09bf1cde8ea4f31966b |
| SHA1 | 6f15dace86f853c4549f097bc6e50054c9f3b06f |
| SHA256 | f0608b847a7e5a53eeb6dab01025bf9e8b23a67f3d9879db7ba99db2eab59620 |
| SHA512 | ee5595508abc1c08a10c873ef05ff54317e5f5a12ff8f0d789a258d37649561973fa35a9749738f7e3418cf38defad83dac2c5189c046bb8756d8c8f7c6d76e2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-21 01:26
Reported
2024-01-21 01:29
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stealc
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000498001\\zonak.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe
"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe
"C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe"
C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
"C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe"
C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
"C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe"
C:\Users\Admin\AppData\Roaming\ms_updater.exe
"C:\Users\Admin\AppData\Roaming\ms_updater.exe"
C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
"C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
"C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 220
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv rvViOhNg1UCCFnraEXtuJg.0.2
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
"C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe"
C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe"
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
| MD5 | 2bff5115aa3a009aa0d90677aa73a71f |
| SHA1 | 39685afb06a3a437c500c7ea296932c558303388 |
| SHA256 | 16a764e826d188da4bdbf6a1733e436e0c2849eadb04248cdb2e56ce1116b433 |
| SHA512 | a1f90a4b19a83f48038f63a7bc82c4c350d52391142e5a85ffe91163df6d887eba44d966b4c43c8e8b3ec067e6cc85db50876f09d4cee5de0a3b4cff2b97b7a1 |
C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe
| MD5 | e660771c8bfe53518fcbcde2dff47c0e |
| SHA1 | 2f49d6ed75c0914b13fd428b1673eb48467aa4f9 |
| SHA256 | 564512baafa7cf6cd77bab29945e71b002f3138036fd10293e5248c0954337c9 |
| SHA512 | a8efcbe6e8c03af26b006f31e4ad39c4a5038c6dcabfa4c4f771ea7e7d923507f037b53f2b3e038336eae234537203d6b3e9a344cf29dc833f57f1e8e9fc174e |
memory/4708-369-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
| MD5 | 71f64c0d200dacb7070d47cac70ffe12 |
| SHA1 | 1daabdb499dc711d68965fbd43a81d3dcc76f63e |
| SHA256 | 2480a7ee456117028b70a6e37febd0abe5ba79b9dbece5e74dff4f6a28b7e7ec |
| SHA512 | 84ce6cffcce286a6e99633d5193c9044160f71d9c9a40d8889851caad912cd0805069eb1d36fdff04523d4f9c1318fce3f1010f4fa48db66c5950f5cc818d680 |
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
| MD5 | fc6a9813f06f1c902a37eebc04196dcf |
| SHA1 | 036f73c992e8cc94c2046d1c0a5557ab3989ed6e |
| SHA256 | aef00576dbafaf09aecb2d50cdcb3fd21376ad7654e1c4a5b818718e46d82243 |
| SHA512 | d35bef501f691b20728c8ea7fc70ceb36c1fe22a15cfa134d26b5d662b8f5ca6e915eb1082f04fee4d18835fd05075773b3f7bb299addfce80cf242ad104eacb |
memory/5264-385-0x0000000000400000-0x000000000062E000-memory.dmp
memory/2332-388-0x0000000000D00000-0x0000000001108000-memory.dmp
memory/5264-394-0x0000000000400000-0x000000000062E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp
| MD5 | 556bcc07d119b54c0416768a7037eac7 |
| SHA1 | 2d1cad0906753e017ed8494617c0184e751219f1 |
| SHA256 | a20e4c11c4761572b1ae83ff068a7aae4da7f804e7ad14353a2cc28ebe2cca32 |
| SHA512 | d1f1f10bbc36a9d2a923f7cf9043cc407ec649b2c9763785d1142191e21d653a0caa2db391745c48feda365540705f14ca5bab1fbb7789698188a02dfbf78550 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idny5mpc.3hm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 9f6fb901936025f40517c8ae6b55924d |
| SHA1 | 4a773cd966d3a4fd53d1d290c9dda04145ed5f91 |
| SHA256 | 28efb145b6391e2a5646ad54ffda05f552beabd3ff8415cd9b14781e0646fffe |
| SHA512 | a95e5eb9dfa623c8d1aeea4e040559bdddf0460e798e20e8c69f07afd8ad7b56a01d9c9fe8609efd6c005fd7198a5d97af306c48c72c8c44a2c3420b02e3efaa |
memory/5264-503-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | cf22b3e5d2535f6b798496e4b5e2c9a6 |
| SHA1 | 8d46f261fdba0bb205bee025c39a15acffe49505 |
| SHA256 | 4925deadd57c68d6571c3ed856b80c2b715b8a6b13ed6fd9fd38f090b546dff9 |
| SHA512 | db546a5658f591596797863e999c2d0a112af74df595201b00eb968bb13b065436164c393f85e031c93cfdec36d9ccbba405899c416c1a0a5a044b4f41e8eb40 |
memory/2584-579-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4560-580-0x0000000000400000-0x00000000008E2000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f1978340315c52c98bcaa56ff57705a5 |
| SHA1 | feb35e555068ab97ab32af17484c378b40459816 |
| SHA256 | 760c880c9634acdcf93e67442910fc7187202d507b49b304587442d9b2edeb44 |
| SHA512 | e3bec039960201e7bb2d9724ab5f1fe586ff95fa664b631b7524e699dc22083d332e80e9d7911a8e87c2373af3a407124ae0bdcb3c2c8d8f8b8aafe111313aaf |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | a478923284e88a0b46af24fcca5d12ef |
| SHA1 | 50e37a058f40999216433f6fe86fecac0073f067 |
| SHA256 | 94cb07e77e64bff7e1d66776c8a14a1c10b99cb270b6e78ff255c1a501c0615d |
| SHA512 | ebc6637b40afbc3f53a60a4f2fe8aef6451424783ce398d26edd6143e7d309facc42e0d05112475b3d952b3e063f0db6990a809b52fbd06e6bacd7ae8729b9d0 |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | f5f55289d85b4d67e705a53a0620cc37 |
| SHA1 | a3b8a2d21fb294766011a3afb537402749b6cdd2 |
| SHA256 | 4b6d2d829badfe4ba981a3bc4043574f4e95581f959b04f7a3ddfb82ee80f8a9 |
| SHA512 | 59750d8b200fc40f51157efaf9801a18a1eea6ae9a4b32527a0fd771fa12524bd56537738d436992fa6481c5a78a1fdbb4a33d050aa850e0d0542ad02d416bea |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | fa94dfb98f4c4382ef4ded21cd3d7023 |
| SHA1 | aed003c4cef4dc1a2ba9fd137dfb4c9d0c559421 |
| SHA256 | 286593fead42a5c9b4f5649947352ef37a6e8e5e8482b9a5e0ada13b6ef1d1cd |
| SHA512 | 1af7f0e1ae10f642fe390b5b6b2b80e8d83709ad24722cddca0b315c94f4f6aecbec76461e0ff33140f28a5b893c45faef1bd0992b7f3ccdbf6aa95c023771bd |
C:\Windows\rss\csrss.exe
| MD5 | a6d9c3f8d46431df33dbe03165f3755d |
| SHA1 | 2c1aa23563ba01afa1efd1d537b0109bcea873ce |
| SHA256 | eed160f7a6edcdee857bb9b021c02995222dbda9a31ae8678dd95f4faa1f85c4 |
| SHA512 | 6cec5a6fb535c979bc1dfb6a0d791fc47718103dcc1d94c3275bf81ad0a8b7963ea64c7cd4ea5b304690d5df8b82d4ee5d0ecb1abf8217f379a0f4d89e51a197 |
C:\Windows\rss\csrss.exe
| MD5 | dec2f70e1b89b47071883e3871f8571c |
| SHA1 | 1f7d245252d9074ef39e078a84cbdd9692bd3560 |
| SHA256 | d87f8c04c809e453b9d6f611f21692e418715abbf7c04bc799c4f0691f68cddf |
| SHA512 | 55230d64fa818cafa44441d5121e8903dfa52495e3972b3bd0b319a001222af67999942cdec6b6b4b55ca08a98d154344975fb975378496d74531d6440cede15 |
memory/5264-640-0x0000000000400000-0x000000000062E000-memory.dmp
memory/2332-643-0x0000000000D00000-0x0000000001108000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 33bd19375a87d3fc0903572a927d91fa |
| SHA1 | 3fc20287dbc49ddad57766e6c4e02bdddab9b56c |
| SHA256 | f9e60bf48b8250f33069cab67d435df6ddaec85d576b082733885f05f21ba168 |
| SHA512 | 75da77f8aff4a18278ba2bc07b184e8849ec9af626eca083fc6a1bea4a62aa3cf7318432b6e41f24caf4d358def9e53899a2119b72a391e3d0cb0ddf9a0302c8 |
C:\ProgramData\mozglue.dll
| MD5 | ace16e765ad1a43e2bc687ba67e3629f |
| SHA1 | 5ce1c5740d564fa542a7135339037dde49a12e2a |
| SHA256 | b8a3c0d9d8af6b5ee6143fb17c7498bb8f36d67ae7f0e7dce8ee10d442820016 |
| SHA512 | 99d2071b625fb7c9a060b184134c7ad3ad93a42d63c3db044a85c51fcec31c539dfebbb01ff25769dc5d0799897634f9bb4dd30288eb1584e3a9b6f03aa74540 |
C:\ProgramData\nss3.dll
| MD5 | b51c30b4004d8c5c1e2e2409ac6495b5 |
| SHA1 | 270df3d99046e7608e74eff4b77bfb277559159f |
| SHA256 | 62d55299a85df829bee3e7eccc4d70fd17f0001d5c24d5ad0436f874ee43849e |
| SHA512 | 610ecc122565e0a567ac08d600bb01beec3bdd3cb733f54cfb61d8365bff385477c55d4627683a1fcebb4e01b29efe054bc91ac202b5749481a24815b81bb357 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | e02980e43ec9a22a0553c1a4eecb9932 |
| SHA1 | 578c315cf25b6b48f55796a88a72ea93a66773c9 |
| SHA256 | 298a7059c00d3e7cb2fdff2603337fcd9c4cbafe2546580bc444cd23b96e7e97 |
| SHA512 | f512e903d410358829d81ca69e932ce843d0197a30fe95e942572b1a1141cdd74d6193f8e34d0a63958bd0b7c774078695db7fe85398a815eafe36a250c05dc1 |
memory/6076-725-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 0f8ef5395f959be9c10ab7d881470dd0 |
| SHA1 | 6231a703b0b77190a67f161adce374d0bc6801e3 |
| SHA256 | 523184bf3a0d17712b2b853c9af893a5e7ee12c74af05f91c922fbad2231b348 |
| SHA512 | 9ae6f3b6ea0d053bbe9987dffe6824b1d4319e1e0f89bbc9a62de87e63da4f6e24e86abdd51afa35bc438def0079eefc4f8d7113ab04385f9590b1295121b48a |
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
| MD5 | 316c40e6d840592dd0bb5aab9b6b2db3 |
| SHA1 | 158d51d041e2260321b14778f239d8d661de0cb7 |
| SHA256 | dc1daf0c4b2013926c09c37e740510ae97a7159dbc32710896d9e520e3c6852f |
| SHA512 | 295cc85eaf682e9bcccb5674427e503cc3f40da2062982f7cb8a03258cd26f8d814952f68ce5e2c55185d547e497705f460c95fcd84e329d02e48d02431a760b |
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
| MD5 | a6a3c76741891c58bbfebec613ffc257 |
| SHA1 | 29cd4d8d855d4966053fd353dc371f535492a90f |
| SHA256 | cc1524855615ff43d5412aa52d3e042cc64bfe461f94d9c5a56f78cc0cf5ebdf |
| SHA512 | 09cbbc6a5e8abfe3be1aa408d59e316ba2d4cf4e5ab388f08f7409bb6637e682f4a34a2d08ea238e35f7e3b4c076ed47c5a4062bdd00b46b2f80efe073c326b2 |
C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe
| MD5 | 2575c6611c94b447a7bb5696b1adfa1e |
| SHA1 | 182e2fdf174e754bb865ca9e705ade42799a1a19 |
| SHA256 | 11538a63306920993b96d0dfb2d73cf8569f75d8ade3007da2926585d8b6b673 |
| SHA512 | ee12ceecc9ce877735179192555cd347e0d96c784b1ef99a54e50268b3f503850890be5b4ccc66ef68d419219cbcf5ffec5c051acfa4b8c65e2952259e899660 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
memory/6136-789-0x00007FF71A5B0000-0x00007FF71AFED000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | c16871896bf076a6ab982e6a208c03b6 |
| SHA1 | 63c73d0b8a08bf7720122f49674bcd7871fd312b |
| SHA256 | 50e8c4db8563a180005662b1df703607e76fd52dd32ba09485d760d6994219cc |
| SHA512 | aeb244218866d012c4532a36d30f5a1254164e9ddcd8c83ddc3f3ea43a018b75213695fea4a0807843ef46cf6c80496c97f8f31a45f5bf5a6a0418ffa3bc35df |
memory/3816-820-0x0000000140000000-0x000000014000D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 74f193141ff6098db4f5e6d367866c8f |
| SHA1 | 87f6602c2da8f2cb0a5f371d2423fca687b9ad09 |
| SHA256 | 5fe1e6799f75d9e825ccc76544050d814d6220314babad1e7917477fe12b8063 |
| SHA512 | 90690dba6078b2d95294a9d1f38b1e38cbe143dd5097c863850d46d181a63119efa1a3e9cb460b5251d9f50289966853e49fd7b95915f188be29ac6fcd3a5f31 |
memory/5224-822-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-824-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
| MD5 | eb2af295a6a5f8f2f281f0f3b22dc80d |
| SHA1 | f9985d1c44263e89c86289e8d774b3a277e34dc2 |
| SHA256 | c57ca044090ab5b8192c091244cf88d6c66e377af61f96cf3e6ba07c59822919 |
| SHA512 | 62b32a53e427893550b8acf2b9af22863eb1ca61772a453e5dfd9865f4b4a52a48eb9ef09fa2d6364d64ce43197a4302207a53655101e7b3b2a90275d5179360 |
memory/5224-828-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-829-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-831-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-836-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-841-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-840-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-839-0x000001ADF61C0000-0x000001ADF61E0000-memory.dmp
memory/2496-837-0x00007FF7F08E0000-0x00007FF7F131D000-memory.dmp
memory/5260-832-0x00000000009E0000-0x0000000000A3A000-memory.dmp
memory/5224-830-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-826-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-825-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5224-821-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
| MD5 | b53745ea7d40e840b8a05308ea236707 |
| SHA1 | 2f87c0d2137486ed131c9dfeedbb014526ee5406 |
| SHA256 | f521ccc01a4853c53fa90172df92fb731ab625e176b97f40d00998de2bd6c7b6 |
| SHA512 | cd273d84786e2b1db21cf048069bf63c36572c53cc0ba4c9746fe9b9ba5a637bc5493be4e736e2a94dc6aac87116672ed8623d4ed4a9a17651b71a67b9787e19 |
memory/3816-816-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3816-814-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3816-811-0x0000000140000000-0x000000014000D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | b9dae1fb40aea1cffb7301a4e077ba1e |
| SHA1 | f5cd9d6bec2f697287822f3653f6cbe74fde02fe |
| SHA256 | a0c2c839b0c126da45f1f1674cd9c6bd6072fe5d518c7c12dfa4c3a2ffcc6af1 |
| SHA512 | 8c383297007ccd46c9ea605a4287838c7499cf42547701a707c275b7acc849343210329939ac4e39e1aa344cecb2000b6e327ff3d45ecfeb71679778bff829b4 |
memory/3816-808-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3816-806-0x0000000140000000-0x000000014000D000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | b46971f3901385029a4565d85b8ab50e |
| SHA1 | 4b00ffc3163395b343f7ade552b4bedd12160325 |
| SHA256 | 34d93e4900bb3619304981c96495c09cab7035ad1619847e222b890a1c7f8c0e |
| SHA512 | 8a9a297b7c4b4fe267f07efce98f6b634a007478d003e3cc2d0e87b0866c65f787327effc48a2b6ce08d255aed047b2542fa08e8332cb83557e33c4a81531f47 |
C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe
| MD5 | e32006f145039c6ba4a879eb8213a88a |
| SHA1 | d06d885effdbe6514d24c0d33394d5bbe234771a |
| SHA256 | 80549cc2164f1b3d4141b1b13ce17042c0f71c17a5e23d5149b5b623c87891c0 |
| SHA512 | 7ca3f0adeb4252af317e7d35369082f7229fda5a39a8de71d66cf6cfffb1112e8caabd63d78789ca92957d91905385273a5a46fb567841abb9dd4f0b3335fabe |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 26ad53f2518f3e78d38db279aa3a3b1c |
| SHA1 | 0d6899be0557e073b142246ceb14695f62600f38 |
| SHA256 | 5709694642727f8370ecf595ee0155a2d2bb40d0d85477394b8e1634041f4e07 |
| SHA512 | dc0277324288dfaea8b9d152790c8a472ebb2c3c23344b12a35f02c5043fd4b6570f4e1f39041498aa06c8211a918906a420fd4a48213d27820f1bf69ae71933 |
C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe
| MD5 | 24e058c9c9902c772471c3280431f510 |
| SHA1 | 314c21c9135f5c2fa76babd52ac7519ebfbb0176 |
| SHA256 | 65495dc1e4d554d49f35e8f65cba9dc6feca263eae355304b6d22e9dcd07af39 |
| SHA512 | b005d12ec28ee09f6093ab5c352096d4ce647a9e1278362af24078a779dc499740e1b5da2147efec992c3076c00ad478f0ad1df5ea395280fe4e38018a921de1 |
C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe
| MD5 | 90545bedf42c17674f2a8e9b6dfbb50a |
| SHA1 | 5fa2df335f6a5b33717de64b7496feb9d1b01694 |
| SHA256 | 53d720e1314fbd54b79ada0afe6a75e14e48e501583868d05a82350f6ab1f557 |
| SHA512 | 33b975515456ee1cc6e6f321972c44683e95bcfbbcec36e2792a19e89e119d9f32be68df0ac47772bfdc56f784fc03a10e80af05f7ecca1886ff55b285c884e8 |
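The dropped-file list above is a flat export: a path line followed by four hash rows, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries interleaved. Several paths appear more than once with different hashes (rty25.exe, rdx1122.exe, flesh.exe, C:\Windows\rss\csrss.exe), which is worth surfacing explicitly rather than eyeballing. The following Python is an added example, not part of the sandbox report and not the sandbox vendor's tooling: it parses that layout, validates each hash's hex syntax and length, emits a deduplicated SHA256 sweep list, flags paths written more than once with different content, and flags binaries that carry a Windows system-process name outside the system directories (the legitimate csrss.exe lives in C:\Windows\System32). The sample input is constructed from three entries copied from the list plus one deliberately malformed entry; the system-name set and the directory allow-list are the example's own heuristic, and the image-base classification only uses the MSVC linker defaults (0x400000 for 32-bit EXEs, 0x140000000 for 64-bit EXEs).

```python
"""Added example: turn a sandbox dropped-files listing into checkable IOC records.
Layout: a path line, then rows like "| MD5 | <hex> |" for MD5/SHA1/SHA256/SHA512,
with "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" lines interleaved."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: three entries copied from the listing above plus one
# deliberately malformed entry (8-hex-char MD5) to exercise the validation path.
SAMPLE = r"""
C:\Windows\rss\csrss.exe
| MD5 | a6d9c3f8d46431df33dbe03165f3755d |
| SHA1 | 2c1aa23563ba01afa1efd1d537b0109bcea873ce |
| SHA256 | eed160f7a6edcdee857bb9b021c02995222dbda9a31ae8678dd95f4faa1f85c4 |
| SHA512 | 6cec5a6fb535c979bc1dfb6a0d791fc47718103dcc1d94c3275bf81ad0a8b7963ea64c7cd4ea5b304690d5df8b82d4ee5d0ecb1abf8217f379a0f4d89e51a197 |
C:\Windows\rss\csrss.exe
| MD5 | dec2f70e1b89b47071883e3871f8571c |
| SHA1 | 1f7d245252d9074ef39e078a84cbdd9692bd3560 |
| SHA256 | d87f8c04c809e453b9d6f611f21692e418715abbf7c04bc799c4f0691f68cddf |
| SHA512 | 55230d64fa818cafa44441d5121e8903dfa52495e3972b3bd0b319a001222af67999942cdec6b6b4b55ca08a98d154344975fb975378496d74531d6440cede15 |
memory/5264-640-0x0000000000400000-0x000000000062E000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | ace16e765ad1a43e2bc687ba67e3629f |
| SHA1 | 5ce1c5740d564fa542a7135339037dde49a12e2a |
| SHA256 | b8a3c0d9d8af6b5ee6143fb17c7498bb8f36d67ae7f0e7dce8ee10d442820016 |
| SHA512 | 99d2071b625fb7c9a060b184134c7ad3ad93a42d63c3db044a85c51fcec31c539dfebbb01ff25769dc5d0799897634f9bb4dd30288eb1584e3a9b6f03aa74540 |
C:\Users\Admin\AppData\Local\Temp\constructed_bad_entry.exe
| MD5 | deadbeef |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")

# Heuristic (this example's own): these process names belong in the Windows
# system directories; the same file name anywhere else is masquerading.
SYSTEM_NAMES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def parse_listing(text):
    """Return (files, dumps, errors): files are dicts with 'path' plus lower-case
    hash keys, dumps are parsed memory regions, errors are validation messages."""
    files, dumps, errors, current = [], [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:  # memory dump entry: keep pid, sequence number and region bounds
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                          "start": start, "end": end, "size": end - start})
            continue
        m = ROW_RE.match(line)
        if m:  # hash row: attach to the current path after checking its length
            algo, value = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"line {lineno}: hash row before any path")
            elif len(value) != HASH_LEN[algo]:
                errors.append(f"line {lineno}: {algo} has {len(value)} hex chars, expected {HASH_LEN[algo]}")
            else:
                current[algo.lower()] = value
            continue
        current = {"path": line}  # any other line starts a new dropped-file entry
        files.append(current)
    return files, dumps, errors


def sweep_list(files, algo="sha256"):
    """Deduplicated, sorted hashes of one algorithm, ready for an EDR/IOC sweep."""
    return sorted({f[algo] for f in files if algo in f})


def rewritten_paths(files):
    """Paths written more than once with different content (re-downloaded or
    repacked payloads): path -> sorted distinct SHA256 values."""
    seen = defaultdict(set)
    for f in files:
        if "sha256" in f:
            seen[f["path"]].add(f["sha256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def masquerading(files):
    """Paths carrying a system-process file name outside the system directories."""
    hits = set()
    for f in files:
        directory, name = ntpath.split(f["path"])
        if name.lower() in SYSTEM_NAMES and directory.lower() not in SYSTEM_DIRS:
            hits.add(f["path"])
    return sorted(hits)


def image_base_kind(start):
    """Classify a dump's start address against the MSVC linker's default ImageBase;
    a region starting there is very likely an unpacked PE image, not heap or stack."""
    return {0x400000: "32-bit PE default base",
            0x140000000: "64-bit PE default base"}.get(start, "other")


if __name__ == "__main__":
    files, dumps, errors = parse_listing(SAMPLE)
    print("sweep:", sweep_list(files))
    print("rewritten:", rewritten_paths(files))
    print("masquerading:", masquerading(files))
    print("dumps:", [(d["pid"], hex(d["start"]), image_base_kind(d["start"])) for d in dumps])
    print("errors:", errors)
```

Run it against the full listing by pasting the path and hash lines into `SAMPLE` or reading them from a file; the validation errors are the first thing to read, since a copy-paste that drops a hex digit silently produces a hash that will never match anything on a sweep.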