Malware Analysis Report

2025-01-22 10:24

Sample ID 240121-bt1r1scef2
Target 633c983c901941da05e19f89ca8e9d33.bin
SHA256 99215ca6eef63aa9399c52e6579aad4caf12bdce85d327a1591fab6e1c223b8b
Tags
amadey smokeloader stealc pub1 backdoor evasion stealer trojan glupteba redline xmrig zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) legaa livetraffic discovery dropper infostealer loader miner persistence rat rootkit spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

99215ca6eef63aa9399c52e6579aad4caf12bdce85d327a1591fab6e1c223b8b

Threat Level: Known bad

The file 633c983c901941da05e19f89ca8e9d33.bin was found to be: Known bad.

Malicious Activity Summary


Detect ZGRat V1

Glupteba

Amadey

Stealc

xmrig

SmokeLoader

RedLine payload

Glupteba payload

ZGRat

RedLine

XMRig Miner payload

Stops running service(s)

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Creates new service(s)

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Manipulates WinMonFS driver.

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-21 01:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-21 01:26

Reported

2024-01-21 01:29

Platform

win7-20231129-en

Max time kernel

141s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"

Signatures

Amadey

trojan amadey

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 880 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 880 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 880 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 880 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3032 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 3032 wrote to memory of 816 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 1472 wrote to memory of 2324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 2324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 2324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 2324 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1472 wrote to memory of 1304 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe

"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {55A22E86-0B74-4198-8B63-670F14C23BCF} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121012923.log C:\Windows\Logs\CBS\CbsPersist_20240121012923.cab

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe
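The process list above carries the three persistence and evasion moves worth pulling out of any Amadey/Glupteba detonation: a scheduled task that re-launches a Temp-resident copy every minute, rundll32 loading a plugin DLL (clip64.dll) from AppData, and a firewall allow rule plus an ONLOGON/HIGHEST task for a binary named csrss.exe that lives in C:\Windows\rss instead of System32. The following Python is an added triage helper written for this page, not code from the sandbox or from the report; the command lines it embeds are copied from the Processes section above, and every rule name and threshold (the 5-minute interval cut-off, the list of borrowed system-process names) is an assumption chosen for illustration.

```python
import re

# Constructed subset of the behavioral1 command lines from this report
# (same strings as above; nothing here is new data).
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240121012923.log C:\Windows\Logs\CBS\CbsPersist_20240121012923.cab',
    r'chcp 1251',
]

# Assumed list of Windows process names malware borrows; the real binaries
# live in System32, so the same name anywhere else is a masquerade.
SYSTEM_PROCESS_NAMES = {
    "csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
    "services.exe", "explorer.exe", "taskmgr.exe", "dwm.exe", "spoolsv.exe",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")


def clean_path(token: str) -> str:
    """Strip the nested quoting schtasks/netsh arguments arrive with."""
    return token.strip().strip('"').strip("'").strip('"')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def user_writable(path: str) -> bool:
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def _opt(cmd: str, name: str):
    """Value of a /name option on a schtasks command line (case-insensitive)."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % name, cmd, re.IGNORECASE)
    return clean_path(m.group(1)) if m else None


def triage_cmdline(cmd: str) -> list:
    """Names of the (assumed) rules a single command line trips, in order."""
    hits, low = [], cmd.lower()
    if "schtasks" in low and "/create" in low:
        target = _opt(cmd, "tr") or ""
        sched = (_opt(cmd, "sc") or "").upper()
        mod = _opt(cmd, "mo")
        level = (_opt(cmd, "rl") or "").upper()
        if user_writable(target):
            hits.append("schtasks_target_user_writable")
        if sched == "MINUTE" and mod and mod.isdigit() and int(mod) <= 5:
            hits.append("schtasks_short_interval")          # Amadey's /MO 1 re-launch loop
        if level == "HIGHEST" and not in_system_dir(target):
            hits.append("schtasks_highest_outside_system32")
        if basename(target) in SYSTEM_PROCESS_NAMES and not in_system_dir(target):
            hits.append("schtasks_system_name_masquerade")
    if "netsh" in low and "advfirewall" in low and "action=allow" in low:
        m = re.search(r'program=("[^"]*"|\S+)', cmd, re.IGNORECASE)
        prog = clean_path(m.group(1)) if m else ""
        if prog and not in_system_dir(prog) and not prog.lower().startswith("c:\\program files"):
            hits.append("netsh_allow_nonstandard_program")
        if basename(prog) in SYSTEM_PROCESS_NAMES and not in_system_dir(prog):
            hits.append("netsh_system_name_masquerade")
    if "rundll32" in low:
        m = re.search(r'rundll32(?:\.exe)?"?\s+("[^"]+"|[^,\s]+)', cmd, re.IGNORECASE)
        dll = clean_path(m.group(1)) if m else ""
        if user_writable(dll):
            hits.append("rundll32_dll_user_writable")        # clip64.dll from AppData\Roaming
    return hits


def triage(cmdlines):
    """Map each command line to its findings, dropping the clean ones."""
    return {c: h for c in cmdlines for h in [triage_cmdline(c)] if h}


if __name__ == "__main__":
    for cmd, hits in triage(SAMPLE_CMDLINES).items():
        print(", ".join(hits))
        print("    " + cmd)
```

Note that explorhe.exe is never caught by the name list: it is a look-alike, not an exact system name, which is why the path-based rules (user-writable target, one-minute interval) carry the detection for the Amadey loader, while the exact-name rules fire only for Glupteba's csrss.exe under C:\Windows\rss. makecab.exe and chcp produce no findings; the CBS log compression is ordinary Windows housekeeping that happened to run during the detonation.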

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 lizotel.pt udp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
RU 185.215.113.68:80 185.215.113.68 tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
DE 185.172.128.19:80 185.172.128.19 tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
DE 185.172.128.90:80 185.172.128.90 tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 185.172.128.53:80 185.172.128.53 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 efd5e480-3b3d-48dd-8b33-90cede7d7d4e.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
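The Network table is one row per connection, so the TLS beacon to lizotel.pt is repeated dozens of times and the actual indicator set is buried in the noise. Rows whose Domain column is just the IP again (185.215.113.68, the four 185.172.128.x hosts) are direct-to-IP HTTP fetches with no DNS lookup, which is typical of hard-coded loader C2 and payload servers, while the identrust.com, msdl.microsoft.com and www.microsoft.com rows are OCSP and symbol-server traffic that appears in almost any Windows detonation. The Python below is an added example for this page, not tooling from the sandbox; it embeds a constructed excerpt of the table above (the lizotel.pt row cut down to three repeats) and the benign-suffix list and the kind labels are assumptions chosen for illustration.

```python
import ipaddress
from collections import Counter

# Constructed excerpt of the behavioral1 Network table above (Country,
# Destination, Domain, Proto); the real table repeats lizotel.pt:443 far more.
SAMPLE_NETWORK = """\
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 lizotel.pt udp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
PT 185.240.248.84:443 lizotel.pt tcp
RU 185.215.113.68:80 185.215.113.68 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
DE 185.172.128.90:80 185.172.128.90 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 185.172.128.53:80 185.172.128.53 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 efd5e480-3b3d-48dd-8b33-90cede7d7d4e.uuid.databaseupgrade.ru udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 92.123.241.137:80 www.microsoft.com tcp
"""

# Assumed allow-list: CA/OCSP endpoints and Microsoft symbol/update hosts
# that show up in nearly every Windows detonation and are not indicators.
BENIGN_SUFFIXES = ("microsoft.com", "identrust.com", "digicert.com", "windowsupdate.com")
RESOLVER = "8.8.8.8"   # the sandbox's DNS resolver, never an IOC itself


def parse_network(text):
    """Turn the space-separated table rows into dicts; skip anything malformed."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ip(s: str) -> bool:
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def is_benign(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in BENIGN_SUFFIXES)


def summarize(rows):
    """Collapse repeated rows into one entry per destination, most frequent first."""
    counts = Counter((r["ip"], r["port"], r["domain"], r["proto"]) for r in rows)
    findings = []
    for (ip, port, domain, proto), n in counts.most_common():
        if ip == RESOLVER and port == 53:
            kind = "dns-lookup"
        elif is_benign(domain):
            kind = "benign-noise"
        elif is_ip(domain):
            kind = "direct-to-ip"      # no name resolved: hard-coded C2/payload host
        else:
            kind = "c2-candidate"
        findings.append({"ip": ip, "port": port, "domain": domain,
                         "proto": proto, "count": n, "kind": kind})
    return findings


def iocs(findings):
    """Unique hosts worth blocking: queried names count even if never contacted."""
    out = set()
    for f in findings:
        if f["kind"] in ("direct-to-ip", "c2-candidate"):
            out.add(f["ip"])
            if not is_ip(f["domain"]):
                out.add(f["domain"])
        elif f["kind"] == "dns-lookup" and not is_benign(f["domain"]):
            out.add(f["domain"])       # e.g. the databaseupgrade.ru UUID name
    return sorted(out)


if __name__ == "__main__":
    found = summarize(parse_network(SAMPLE_NETWORK))
    for f in found:
        print(f"{f['count']:3d}  {f['kind']:13s} {f['ip']}:{f['port']} {f['domain']}")
    print("IOCs:", ", ".join(iocs(found)))
```

The DNS-only rule matters here: the uuid.databaseupgrade.ru name was looked up but never connected to in this run, and a practitioner would still want it in the block list, since the lookup itself is the sample's behaviour.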

Files

memory/880-1-0x00000000013A0000-0x00000000017A8000-memory.dmp

memory/880-2-0x00000000013A0000-0x00000000017A8000-memory.dmp

memory/880-4-0x0000000000370000-0x0000000000371000-memory.dmp

memory/3032-14-0x0000000000080000-0x0000000000488000-memory.dmp

memory/880-13-0x00000000013A0000-0x00000000017A8000-memory.dmp

memory/3032-16-0x0000000000080000-0x0000000000488000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 8c36cdedb21883bff86e082a57ed1639
SHA1 5114ce74a63ca7f5c381786fa19b51d4b6de2e78
SHA256 0c46fd38bdae3cf9f5bc062173966770e843001d337b94af5c2cc7b20c61de77
SHA512 ed83f24476a17213a4e1147cde59885e55c1b593ed237aa7d2354d2485873edd87c3dca4177686630764be594b13dbaabdd659a65357f5f5854fdba1b16bb1fa

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 4d02ad56d89664c5a8318f6fad89c5b4
SHA1 d05bb520186ed520eb5d061dd6a53b3139af1844
SHA256 ec032c4f4264fb76a158ed96fe821e8e53624d6fbf7ac956c395ff32225206ab
SHA512 645449b3562b3549ae4ea9c47f71052ab1bfbb9db45740a011ed543ae9c1dafc4a55b45f963fa465f27e4ce3d6e20ac22658eee6a95c4c6893a213afd2ceda0c

memory/880-15-0x00000000056D0000-0x0000000005AD8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 e12c85e7dcd7aef252a0b97c77ff8bb6
SHA1 c7c232506ae61196d3ff2b3a20144a30ec7a2e00
SHA256 faad0c3c44702a80099bbbdb48ea6d732680c2652c3a29d4971a4c13eb6ee773
SHA512 c405b70413bf479cb9aeb3670c15973098286fe4d857876108356666598663445732299cb572fedf3fd96087555d526fd5de63dbd0c936e51c846704254809a9

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 97b403eb563e491b0ac3d1092ee0d73d
SHA1 ea951a20eb75693045ca1f1d261c400b330cd372
SHA256 9f0bba96965b74fa5681eeaacd3382db67999ebacf4b1cabd99f599060f31201
SHA512 8dbf78c8b4b378f22c99bccbd89e6a81372d68f612b923676b332086bb8f8ce6e473a39f34b775c4855f8d66f159a4278adad25508d56932596a216c52be21b4

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 862f0bec16174e42297963ffbd188bfb
SHA1 6e2d0a04283a1e517dbd48aab179b1daad1c530f
SHA256 146e6fc6be06d2a8c1a21e94be944c165ad32b0704d7d9d212848efa55fac50a
SHA512 741a57201e651591057926b6ff29983ae94f5cd97ee3b475a950ab15965254db1666a0a90c561fe813426ddabc4c04083f28cbb5b82ee516878f7688e68e0892

memory/880-0-0x00000000013A0000-0x00000000017A8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/3032-28-0x0000000000080000-0x0000000000488000-memory.dmp

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 10e1636cd3801ae025509f07a56713e2
SHA1 9e7baaec086b4e41687668da3d87c91a7ffd5ed2
SHA256 e740d9a956390013a54628dc84a48e3527e84032ab9ebb65195d1229adf48e46
SHA512 65b7d0304570491e125b832931f8487d29f4bc8ff3f32904926ddf7539b0f97db20b0509cc59982a5f81fbe93edf44cb48b4a5395b72346fce9457351d0c8c20

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 1b3445b9bf68c6afe78d91f4c7ce539a
SHA1 5b9dbf648b201dfb42dc70eef9530cd48ab8aec7
SHA256 587094e7b0e23b122ea02c9cf68d805265d1611ce3943b228680fdf5ad2e7fe0
SHA512 fc22227cf1c3fa234934fb3d1955148ae5d4bbe71e4e78c4be6cd60c09977ff5caee7ff3b84be84710163b4e07a38e0a1068c081f173e4feaad32eeaa1e28abb

memory/3032-44-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-43-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-45-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-46-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-47-0x0000000000080000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 633c983c901941da05e19f89ca8e9d33
SHA1 82bc062a291c45b6e4ede5bf3bffbf85029d07d1
SHA256 5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608
SHA512 8090fe04a680a7d9a7d782120f65f2b81ce7b25ba42937f7e561bfaf9a228d05a8dfa35659704c3933ca4394cdbffae791f09ed43e49f2fb62ea84bcda4391f4

memory/2324-50-0x0000000000080000-0x0000000000488000-memory.dmp

memory/2324-53-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-54-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-55-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-56-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-57-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-58-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-59-0x0000000000080000-0x0000000000488000-memory.dmp

memory/1304-61-0x0000000000080000-0x0000000000488000-memory.dmp

memory/1304-65-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-66-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-67-0x0000000000080000-0x0000000000488000-memory.dmp

memory/3032-68-0x0000000000080000-0x0000000000488000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 a51af4c25f47724e1c9f66992dceef49
SHA1 0fa9421419deed01b57377fe8377052983d700e9
SHA256 c4bb0144fae93284dbedea9a428b7f6b01c2f8114161d370d7ed306ccaba7c8d
SHA512 0eb7ebbd542292d90e0e4a98714544e30148218c67cc2a4a3df946eab28ad92b7a97e8c5c9d8335f995be1d248fb7535fda8262edf35b074058fc014d145ad02

\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 6fc1aae355a0cb38a54d2a2364c9255a
SHA1 0176fbaefa5026b7edd93132aa022338f68b69ed
SHA256 f39ffd82ed6c2143222f6979d51932d03deed49ae916f583da636d59ca1e6255
SHA512 34a9a1d05d427c436ea8e82a4a824b0339e41f8a9bd673a9bae3111033d3b6dc099347e6b10a4946066b3955da7518d4e01ef68b9955e54dc6d778da9b98869b

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 842cc6351396e461f2c7df4414637638
SHA1 04d7674a80aa131d7cb200c2e662c456e667debe
SHA256 5cdd9e2faaa774891d36d3fea55747f9e8fe026386fa40b95913a764c87d953e
SHA512 5b8e6ebb32bb2b0d9e3f447e9176ee62ca3b86f3c6d3846f7d531dcf4e940a4cca37812a31adc4023cb111c5d7f9b0983ee60585c9e5c68b8126e1fff32d1259

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 46a0dbc503b77eaa7248b826bc29e3de
SHA1 ec586f5bb0907117a52b47b4d86e9020e10c10d8
SHA256 b5e5b8bcf93fba376d321be4c930fb303d7ff2d8284c14ca27132384346eeda0
SHA512 fb0774c7d4b30bcb45c3ce04cc8d14ca206879fa13a04d1109398e1100a41b7c51fce94a0fa6065874ef209e1c4cc738d5f1bbc16223f63a2678b8d6d8013417

memory/1676-85-0x00000000001E0000-0x0000000000860000-memory.dmp

memory/1676-84-0x0000000074600000-0x0000000074CEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 19dcbe3b32fed5c710c96a1490b28c02
SHA1 2e6934dc92d34282277f1985a7738e7694d56e78
SHA256 9840f1a449257875f67a88977c0938c4b3a91184a0aadd68ecb77af726149029
SHA512 58f119b5ddcd1f6524dfcab16a225931382a036c90775f4488b0596a1fecf26bca40bd29dcb9d3d85b29ecc7b2dc91a7d11c2039d21c69f18e2e943788c9704e

\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 76594f4a6ab823c9936fb9f8ddabd6f2
SHA1 a7ee1e3c65697b463e3dd46f920d5bae820c20e5
SHA256 458e20116aa29684a300af8c3011dcef4d0c188e7f272cb431edae4056ef9ac4
SHA512 41486fe62eef4c458805a53a73319b3ada02d38122872a23db66f3621f7e35c0ca6b5a735e9598652cb5e3c466a4f4e8d8ccead4a4ba4ab67c34577777ea8d40

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 bc65b4e942fc566ae0a56ba7035eb7dd
SHA1 214d10c44b88e9403716504eb36a42a357da40bf
SHA256 7f8755a6285e4091439cc1449e260a05e9f1b2e3f5d415b7599711b5029a4f25
SHA512 6660b9eea07664edc58142948cb8128168d110f2aeaf626f43e468c935e2afa63946f8fb221c3fde2fa92f4dabf19817f79f6187e0226d420b247a7db1a1ba72

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 e50ac86f237b1270e612096af3177071
SHA1 a0e91ca2786264878291e50c9b08112285ecdd9d
SHA256 1f662a36532b634b34fcc9315bb392d9e4b3cb5b9d60d16e6befb9893785f2e9
SHA512 773b2bf1d8b09c34f849616f942c81a2e4af4b77a625a58f5132101e9d93fb71ea8620c8027c5b3b2de98885c77132421ace94ed4acac63c30196d68b8268771

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 d80dfda148a10e4feeba4a89af447088
SHA1 f1954c4f09c099dca1cc81be661433b1e34c7da9
SHA256 29d743c1bc71c32a0f672b756b0614dd95aa51c662991103357550be4b5ce696
SHA512 500b25b750f1dad229867f74d3aeef43bf88ae2e9db3bf50bdc06f87e65a93747fec1e371ffd41d108c8d7599fe855150d4eb24aa39b75ae13568d60ddc8d6c7

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 5e26c7588863deda966d6260364895eb
SHA1 1c8a3ac289375d550bb1ff09bd18e16ccd658c2b
SHA256 e00bdea92ad0ff9ea3070b88ae4b5a5db510a24af52f38c92dc6ce3bce071835
SHA512 e79fed6c9b17a503b18ca1014d825d1e296031b075c8b37cbf4c394c37d01dd584bbadff792102b037269e10d18474aa59d0109a14de044a9ada04caccdb6476

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 d3905ef542dc796793617e9698916c58
SHA1 ad6ae9a1d007254f4a8d5e381a0a0581a0a27f0b
SHA256 0ab13dd97299d22d89d2ecd908dd8933785b62c7027ba002af6926e98138a833
SHA512 543dd7a6a806d6dbae644aec6271526aca2e8a33175b76f18452169b7b5ec05f2a564ba0abb59424e865f85607c266f89daafc03cd54066a7756daff7bbcb22d

memory/2384-105-0x0000000000230000-0x000000000023B000-memory.dmp

memory/2384-108-0x0000000000400000-0x0000000000866000-memory.dmp

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 f908366591af50e199a909a2c7d5ff7c
SHA1 1ce9e49bec665b25ea44db29ddb165183f776adb
SHA256 c7b54b524fc3a14837c657d5b4ae3dc1f645baad24a67e19ea0ef7b92c9d2263
SHA512 753cf224b9ec8232398a8ef95aa5ae6ff52b5a227e6619a2f823a23c00aa017f2e4dc85a97e8fce3a3d4aa02f49e1da1fc485a8930e870879ecbaf0a19459ebe

\Users\Admin\AppData\Local\Temp\nsj3EB7.tmp\INetC.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/876-132-0x00000000FF2F0000-0x00000000FF342000-memory.dmp

memory/1676-126-0x0000000074600000-0x0000000074CEE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 3a977f92d7e133069dea09a0db1a1725
SHA1 86fbb29433813cd3fd7f8b9ee834e5586414a3ce
SHA256 06af282cb7b30f33c0e0b933723af322b39e538266db595ee0efa08eecc6647b
SHA512 2bd3f9b1b6c554060f16344a7db82d7b6f6fd108699b35e4b44bc1bb10cd129fe0d1fd2a3ff62390f38c787ed21e4ffc3fd44873f99ce23009ab1b7a55979d0f

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 140ccb91b00a438261d30fdc9c83ece8
SHA1 a5ce2a1af142c0c8acf00ba311a8b81429ae7c8a
SHA256 e5642382bd2b52bbb10ec06cc0888f8ad3300f5281645904f563238f3661b0fe
SHA512 e7afd5eb4960c4c42ddd334dd27cb49f2c323e113887881b3ac2e34ad7e800ad904cc572ff480413df131485246376986bda3db46d5781b23450809936ffc5b2

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 d7065b0b403ffef3815f06f578fca5ec
SHA1 b6faf818b2de14492d6128378e8fc7d6c985cc7b
SHA256 6282de8bc3d509aebdcd7b818c66f78d973b42fb4ff3fc9672958001812ffb6d
SHA512 d77b9f907a2a0dc9d236c00221015089a12ac6f5b4cdccbd29ddd9bd97b616226c09683202f9ea54cafb9b848d02ece8f0d9bfe2ba17ee034ca849656f137363

memory/2248-118-0x0000000001040000-0x0000000001438000-memory.dmp

memory/2248-133-0x0000000002B60000-0x000000000344B000-memory.dmp

memory/2176-134-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2248-135-0x0000000001040000-0x0000000001438000-memory.dmp

memory/2248-136-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3c0e80a875b2425703c93fc997978379
SHA1 04f9f519d0eef2fc0dc65af77716939985b10613
SHA256 b1fa9269ffef97baa6047d1572e530a8576dd54e1066d198bb3a0e13a6d1dab2
SHA512 22164979818a5e1e6a1e51adee8d872d0ecd58138a9958f5d2d4ae8c36223ffde16af1bb12b686239783ed658213a70315c4db53839b092cf6214b1a972286e3

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0e8eda066055352f2d19d7f14c39a3a4
SHA1 40812f3e5d6ce7a62d5b628697e76bdbeac8d02a
SHA256 f87bd00d8280ba49e98631915d584d45cd1aa395ae4f2ac140671df86ad0dcf4
SHA512 2c882bc35d9fca120adc702418fbaacdcfefea08953542d601eee9c506314cf4ac811e73dda534ec484f730053c6be76d3376961b3719e1de5f0fc2758a38200

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f83fe380821a2353502c4a78a14656c9
SHA1 577b13478b9eddcce36433822c58ec27a59ba143
SHA256 61ede911dec8df1f5f9e09652e65ca97323d9f99a5c21eb811d1b00d1d7db29a
SHA512 05054c6ea654b1da046b4d385c3062be7b6ac20e2238810040fa259a436ed8cfaeb1f59e5c3b09e3285e4dec6bc0d8db8ceac67b637a171ee975c35f7fe1345f

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 97bb6246e09f623c1b1f21719a15dfdb
SHA1 7ed48747b1b6910c0ab66cc4e4605275006b0937
SHA256 82cddfce7d0aceeb7a2a13e7a8e085bf245aa1df08ef1f210c5121de220913e4
SHA512 010caf2c44f9a11c5f67f55ec6a82630a3ef4bd8ae3bc581775d23f37392697e0d61bc3c27b35dcdd4fcc8172467592b59594fc02a07e8206f4383a2bd9abf29

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 568406e45edf93dbc1baa2991bd32151
SHA1 7210324fe9c35ff2ff32260338168d32228869e5
SHA256 7d4e89c13c566f392bd11b7ea2d311a9ce1ff943735805e5f2df4d1e20acb550
SHA512 38119be78a385a1aa98229713c806bf896970dcecd5bf93660ca1c808e3da3af89698116b6fc6192baa18cba8ad43346269a4e1ec1a754bfaeabcd0c102e15a4

\Users\Admin\AppData\Local\Temp\nsj3EB7.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2384-103-0x0000000000940000-0x0000000000A40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

MD5 662ecd556188be87c7d759a6a0d729d6
SHA1 daa719b14668658df99c2a21077f2f444495e8e1
SHA256 27fa17ca2c4bc78aa3122258b31e2780d442adb63203c5578df6c6d387c8497c
SHA512 3a53fd88607c21536d51ac2c68796a59ffa93897c72e95571d40fefe47c433b45065fb354c197778ef2dfe1109d7fb57893fbe684702e7f22f8c719d8adc4dfb

memory/2520-154-0x0000000000220000-0x000000000023D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

MD5 fc882b0868b8f57ba553f1e6fa831d7b
SHA1 21caf47fdc0cac4ae29fb650b01b571928e9fc1d
SHA256 cf36d8bfdc432005e50a4b91e7f37518154ce8b45921f081bf633d50a5dcb412
SHA512 4cb8f06229344081e085851ee3f3eca286dd1b4e1751cdd10d13888bcb725f488b33e9e41bd775e442e122aec661fb5ca36e47122f8462d1567509255fbf9fab

memory/1640-157-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

MD5 48745d428c242471c7b1af621d62ed63
SHA1 2d847504d328ad5720f2552a4a80ecc6729c75f4
SHA256 3800d85b927700271067580ad6a5bc4722f6c134f7bdbcd2352fd99180bab535
SHA512 59f1e061d243ceabc92fdec4849dd76faa7a8d54ff0e5a49e3f4821576c3206d3dd8329faeb996400b10c7bcdd36e847fcce2d239071421515c3ce7560fd7ed5

memory/1640-159-0x0000000000400000-0x000000000062E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

MD5 7456ce192266f7feadc34351d39a976d
SHA1 9a0cccbfdec500eaf9803aa8657aa9b1a0ecace9
SHA256 420291de832c77b25c86eca212dc28baa4d9c40fa05d0dc96c3706339b436006
SHA512 5ace1139b25d73c963a0c460b6e9b0d1fd1f77b86ba9e6e2952bd5be6505349ac2053d7b9e66e71714d1658c9b8a9c472c740211e26b7f65ab6f4eceeb127658

memory/1640-165-0x0000000000400000-0x000000000062E000-memory.dmp

memory/1640-166-0x0000000000400000-0x000000000062E000-memory.dmp

memory/2520-153-0x0000000000A00000-0x0000000000B00000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsz41D4.tmp

MD5 556bcc07d119b54c0416768a7037eac7
SHA1 2d1cad0906753e017ed8494617c0184e751219f1
SHA256 a20e4c11c4761572b1ae83ff068a7aae4da7f804e7ad14353a2cc28ebe2cca32
SHA512 d1f1f10bbc36a9d2a923f7cf9043cc407ec649b2c9763785d1142191e21d653a0caa2db391745c48feda365540705f14ca5bab1fbb7789698188a02dfbf78550

memory/2320-170-0x0000000000F90000-0x0000000001388000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5da79819f3d97f52b54045375a694b5a
SHA1 fea25077880571b8bb0eb29c664f93eb18e6a268
SHA256 c6606046c0b22e37fb4e997882fc01f25ef1c2f8e77efef20628bbff0d4a773d
SHA512 6f571cb2639b0008db3a17200db881b421247087d6cd0c52b6cd05cbd5f01ff52abf3c6a47706c54ce38e5e153118c339061101b1a52e9fe6f439616c0188d40

memory/2320-172-0x0000000000F90000-0x0000000001388000-memory.dmp

memory/2248-171-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2320-174-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2384-173-0x0000000000940000-0x0000000000A40000-memory.dmp

memory/2248-175-0x0000000002B60000-0x000000000344B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2304-185-0x0000000000FE0000-0x00000000013D8000-memory.dmp

memory/2320-184-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2320-193-0x0000000000F90000-0x0000000001388000-memory.dmp

memory/2304-195-0x0000000000FE0000-0x00000000013D8000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 1daf54a1e16fcbf9369f934b97ea9562
SHA1 3e65d48cdc2cc7a5aa643ecf63dbced8e78eb0fe
SHA256 91e1bffde2d8971c6ee9f43be213671dd36deda885acc6f109baeed3d3aadba9
SHA512 05522015c8be08bc1db0d3c8d7e2e8c4728cce06fd5aa162fda23ceea426bff91d62c6ad6feb490ccf2dbe13d75e6364ad78c845ab63e6364b05ba3b1ed62cb8

memory/2176-198-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/2304-197-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 9e3fd5f73d5694eee22b487dcea4f595
SHA1 eae2efac54b9fa335d263478af020fa678246249
SHA256 a050a4f5f45f6c080e7ac5fd72eeaf7d565deafb90f3e62f8f99e0ede0ebc6bf
SHA512 006f0d1565e554f693f90a4a24823493d67c7de79c15fc5c509e2dc5c23003d5bdeb5b06dcbb67d6dbd383caaafed65e99c7ef71b5b491812cd766b61c21210d

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 d0a7150b329f1ab07573732b9347e805
SHA1 fc089f7ed078c457039dcfca1c8eeae9a25a1add
SHA256 a0b6dddbc710acc317d1768fdd02d6762f73917a69a9b8678629b5f8131c99ff
SHA512 09a543ca6791c9f7469ca537f1ffaaa5869e41351f1b878577625bb42865ac109d3cea549afa79913c3ce5132b4b9751822369e2f70fbcd5f09636eac9edef3f

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 491781f52b555858c202c6498260afa9
SHA1 a79a7e2faf4b0e2fc54539f3aeecb5024be23e8c
SHA256 1760015e2ca809ef0f383cf3f74987525ed45391e7372b99dc37f8e8521a6157
SHA512 6d802a9c7e53b28b1ce66d93147c99f8aaef930058ad077cff3264509be7f34d98c584abb4dbcda2df7adc28aa0b96f904cac86e24996af7d6c6dab203c24057

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ec66061109132d2afdf48c013a7fc980
SHA1 72d9457042f2e0e6368cf15269467c88bdaf630d
SHA256 d7fd63847ae1f4347f8c4a4d57fa0d08248fb21ae474d133485cb92d12cecb0a
SHA512 5fe2806dfa2d6bcf048ba6009de9e5ea82c63c05230ef8c887556348a06018fb95c3e23da1ec7cac0e59daf5a0aa2962dc0f6f99239c142fd477b0181537d14d

memory/2220-220-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2384-219-0x0000000000400000-0x0000000000866000-memory.dmp

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 6e99a65d9ff24a201b168d360eb9842a
SHA1 ad80620021be3e5974a4679e57d063efe9fe1544
SHA256 98c38d2244822983318f0be07eb90392d92614d4f4b3aca2f056056f08eddf5b
SHA512 87c9b01aa1ee97a9b0f36d7f661a7072586efe94c009ea3d6796d7f07d262771e4406b86651fbfd9c74ec758aa926f2e9a05114998415c4ca2d0287fc98f5be8

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 bb469f0e8ab50fa252fa8b66e3d4980f
SHA1 85e87a3a210188bd0c8b93169b38c3c4e1cf3249
SHA256 363665e432b3bd59c200840e4283098e71a0288f559c6215e4235c0c3b5dd09f
SHA512 06c0cdec28758adb71fde58fa88b2194c232c405f771a86c6ed8b7bbb845881b074f93e40362ff3ef0b87f37d7f31753ceac96bc02e5be019da6307e3dcd335a

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 edc5a205f65bba75844e496806542a25
SHA1 7a4586eec2e95709706a03bb0fd7f9b155298ad8
SHA256 7ce376071a06ece60623c8b803b7855b0af15554e030e3c94ad988e33a6cbc0b
SHA512 3dc1244f81111074e51f2e7308ec372b5acc15b8cf0e1c6db8f9bea9a12767bd8f9a8c5d454c103a86ee79574ee393331139c27f583d58254e486dfb8b4eb3dc

memory/1380-211-0x00000000024B0000-0x00000000024C6000-memory.dmp

memory/2220-210-0x0000000140000000-0x00000001405E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 1e80230cd9426ada42a087b822208e53
SHA1 4bd9526ef9e476085c142d9c3e80dbe7d87de7ee
SHA256 f0822c704dd5033dc0cfdb957f75ff0472ffb4494e7b6b03bc8e7800bea3cfdf
SHA512 7e6354306914c5f4ba6842323d98d41cadb3d09af70a8d44a7b49a6c9ae4cf929443e554b913bf1433f5a92a0419bbe6572ac3986c6017526dcd5b2cae5791b8

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 ae7c45f7e0742e9cb5e15ed9837ed834
SHA1 d2a17d0befe2a9d7436916e9e200d35535ec3d8e
SHA256 35758f3e2e5e82d15d88b985f96b7e8015a4ea6d783149e060f7ec5fc37ab115
SHA512 50bdb658620ed021167164c5c50f18f58a87a071ee0cfe16624fb2991ad7cfbb8004cd7412e340f81a7f8039dea1913c28dd8ad8573d780f638bf3a967fd2192

C:\Users\Admin\AppData\Local\Temp\Cab5457.tmp

MD5 9e8a70a78112e3add0ce6b95b3b3b899
SHA1 ccfbb0290e95712d3cf97e5f2d33d5df33af3133
SHA256 73136a69737a7cd582265362864a6d0f7159deae651422840aaf88a9f60a50b0
SHA512 7af59f6ae125fdeb266335b0903f5d80f339fc15519d9f5c6c05ac86ee72590f5c31feeddcf981289a2f363fe6cdd716815c3f9b6e15cc00c038538a99d09c3c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 1f1a3b101012e27df35286ed1cf74aa6
SHA1 46f36d1c9715589e45558bd53b721e8f7f52a888
SHA256 7f0b1fe38c7502bea9c056e7a462ab9f507dd9124f84b1d4666fb7d37cf1b83c
SHA512 d6f6787de85049d884bf8906292b0df134287cc548f9f3fadd60d44545652d55c296ed50e72687f776f0bf6b131102b4bf9b33143998cb897f21427fbc8306a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 05bda3e583239c89b4855a958ab1cabd
SHA1 c5d442f721ce12669ed9288b9bed1b15b04393a9
SHA256 588b1bf41c50dc3b60df02da466fbc808e58a9e39606d858a895adbc89cc14c2
SHA512 6de86573e72b8de086c753d96411d81275a3fa63f714a34d49342af66ef98d1543e55ae0c591fc694c1082fe915b03358f34ab604de4a79940410f9870b2b54d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 00dfcede93e66b869f9983f1dad60261
SHA1 e5d6162dd717e0b8b1b8390e5ece02c9cd7ac02b
SHA256 fb7f68aa89364143d5d56d8dd0b6f47c84f7b8337ff89b7644dcb4ffdea928cf
SHA512 8dbd41420290ce018a9f1359b6ead95b1408489ddddcf94c5b5f6fb2fcb81f52a7d1457e900c10efb7b92af5fcc06b6cae308444b79dee1421ddc4a890884f94

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 354e9fef8093169ab558b3f20c4bf81a
SHA1 b2293505f7519daa90aecd20a1e3b236f74be983
SHA256 ef8aab456cd4812c46735b308aa6e30d679289b8f2859c0afd0e9118c180f7a5
SHA512 9c26b8026958b65233a568675bd0eb4ca589289200fd198eb15f574bf69273212eff684011bfb048a3af659fdf7395871e1b6666e36e83b471f67335d5ba5b27

memory/1640-315-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 bc85c6f6982922acc1971cac44a73de3
SHA1 e99335b8263cd4a50dd3e0238197ba33d4aa3b1d
SHA256 08c0acb657ff2a712c626e0a24ee76aa89448044f64439baf5b7c19d6849c48d
SHA512 3a57a3649e7fdf288e83f4ebf65d31de4c31eb9e7e62fe1b872698665378dcf1127171be0b22bcb31526d017c61387f14aefd968a491fbed4176af9f4faae9ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 64e98ea298d6ce41015decc64355465b
SHA1 21c640af8e67cb8116f86a3e559026457e418fd9
SHA256 8c5072e70daf848dc355c41124cc6f54f6bab206847ebb5c7dc18c6e6b1c82c1
SHA512 e26a4435ab41415d3d3849cd3153ca8e92df548db864697d54c798f7f7c4e4ef3f483787412122e0273aad383225b359db9686297c70b2f5921aee2d146fa899

C:\Users\Admin\AppData\Local\Temp\Tar54B8.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bb344b796c6e006d03ce593b646c7021
SHA1 847fa7a8f7afdee7c6b552971abca9748642abff
SHA256 955d2742de2332793017668cd47a118d2cf0875dd6336864bbd301d07eafa9c3
SHA512 2524b9f55df55390afa0d818860251d3d086152766a4af292f7a4039a62f46252de404959aed462fbf49997c9cb1c8cd47b6f36a8c3550a24637e59281341337

\Windows\rss\csrss.exe

MD5 dd4faa88cfa8f2e6301d534510818961
SHA1 a8cdb64cddae3a1bcb79dfd9cbf026afdc3c9836
SHA256 b044799ee5d4c364950143e9eefe8d610c81b9a2f2dc1bc82488f870d0e8ca98
SHA512 d82284fc92810cb847fc492295074d64f8f2a9ae3f61ef0f08649f38ff82c2093649dff844831f71cd959576ec9f9b0faa001f4ff2b590357bea107a4b161fc4

\Windows\rss\csrss.exe

MD5 4b104719fc86f09bf1cde8ea4f31966b
SHA1 6f15dace86f853c4549f097bc6e50054c9f3b06f
SHA256 f0608b847a7e5a53eeb6dab01025bf9e8b23a67f3d9879db7ba99db2eab59620
SHA512 ee5595508abc1c08a10c873ef05ff54317e5f5a12ff8f0d789a258d37649561973fa35a9749738f7e3418cf38defad83dac2c5189c046bb8756d8c8f7c6d76e2
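The dropped-file listing above is the most reusable part of the report, but only if the digests are well formed and the same path is not silently counted as one artifact: C:\Windows\rss\csrss.exe appears four times above under different SHA256 values. The following parser is an added example (not code from the report or the sandbox vendor) that reads this plain-text layout, skips the memory-dump references, validates each digest's length and alphabet, exports a SHA256 blocklist and reports any path seen with more than one hash. The sample text is a constructed excerpt that copies three entries from the listing and deliberately corrupts one SHA512 to exercise the validation path.

```python
# Parse a sandbox dropped-file listing into verified hash IOCs.
# Added example; the layout assumed is the one used above: a path line,
# then "MD5 <hex>", "SHA1 <hex>", "SHA256 <hex>", "SHA512 <hex>" lines,
# with "memory/..." lines marking memory-dump references that carry no hashes.
import re
from collections import defaultdict

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-f]+$")

# Constructed excerpt. The first two entries and the third entry's MD5/SHA1/
# SHA256 are copied from the listing above; the last SHA512 is corrupted on
# purpose so the validation branch has something to flag.
SAMPLE = r"""
C:\Windows\rss\csrss.exe

MD5 1daf54a1e16fcbf9369f934b97ea9562
SHA1 3e65d48cdc2cc7a5aa643ecf63dbced8e78eb0fe
SHA256 91e1bffde2d8971c6ee9f43be213671dd36deda885acc6f109baeed3d3aadba9
SHA512 05522015c8be08bc1db0d3c8d7e2e8c4728cce06fd5aa162fda23ceea426bff91d62c6ad6feb490ccf2dbe13d75e6364ad78c845ab63e6364b05ba3b1ed62cb8

memory/2176-198-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Windows\rss\csrss.exe

MD5 dd4faa88cfa8f2e6301d534510818961
SHA1 a8cdb64cddae3a1bcb79dfd9cbf026afdc3c9836
SHA256 b044799ee5d4c364950143e9eefe8d610c81b9a2f2dc1bc82488f870d0e8ca98
SHA512 d82284fc92810cb847fc492295074d64f8f2a9ae3f61ef0f08649f38ff82c2093649dff844831f71cd959576ec9f9b0faa001f4ff2b590357bea107a4b161fc4

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 ec66061109132d2afdf48c013a7fc980
SHA1 72d9457042f2e0e6368cf15269467c88bdaf630d
SHA256 d7fd63847ae1f4347f8c4a4d57fa0d08248fb21ae474d133485cb92d12cecb0a
SHA512 not-a-real-digest
"""


def normalize_path(path):
    """Lower-case and drop a drive letter so 'C:\\X' and '\\X' compare equal."""
    p = path.strip().lower()
    if len(p) > 2 and p[1] == ":":
        p = p[2:]
    return p


def parse_dropped_files(text):
    """Return one dict per file entry: raw path, normalized path, hashes."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            current = None  # memory-dump reference: no hash lines follow it
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_LENGTHS:
            if current is not None:
                current["hashes"][algo] = digest.strip().lower()
            continue
        current = {"path": line, "norm": normalize_path(line), "hashes": {}}
        entries.append(current)
    return entries


def hash_problems(entry):
    """List missing or malformed digests; an empty list means all four are sane."""
    problems = []
    for algo, length in HASH_LENGTHS.items():
        digest = entry["hashes"].get(algo)
        if digest is None:
            problems.append(f"missing {algo}")
        elif len(digest) != length or not HEX_RE.match(digest):
            problems.append(f"malformed {algo}")
    return problems


def sha256_blocklist(entries):
    """Sorted, de-duplicated, well-formed SHA256 values ready for a blocklist."""
    out = set()
    for e in entries:
        d = e["hashes"].get("SHA256")
        if d and len(d) == HASH_LENGTHS["SHA256"] and HEX_RE.match(d):
            out.add(d)
    return sorted(out)


def paths_with_multiple_hashes(entries):
    """Paths seen with more than one SHA256: the payload was rewritten or updated."""
    seen = defaultdict(set)
    for e in entries:
        d = e["hashes"].get("SHA256")
        if d:
            seen[e["norm"]].add(d)
    return {p: sorted(s) for p, s in seen.items() if len(s) > 1}


if __name__ == "__main__":
    files = parse_dropped_files(SAMPLE)
    for f in files:
        print(f["path"], hash_problems(f) or "ok")
    print("blocklist:", sha256_blocklist(files))
    print("multi-hash paths:", paths_with_multiple_hashes(files))
```

Drive-letter normalization matters here because the report writes the same file both as `C:\Windows\rss\csrss.exe` and as `\Windows\rss\csrss.exe`; without it the multi-hash check would miss the rewrite.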

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-21 01:26

Reported 2024-01-21 01:29

Platform win10v2004-20231222-en

Max time kernel 150s

Max time network 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Stealc

stealer stealc

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\System32\mousocoreworker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\ms_updater.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000498001\\zonak.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
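Three of the tables above ("Adds Run key to start application", "Manipulates WinMonFS driver." and "Drops file in Windows directory") describe the same persistence chain: a Run value named `csrss` that points at a csrss.exe outside System32, a second Run value pointing into the user's Temp folder, writes under C:\Windows by processes that are not System32 binaries, and an open of the \??\WinMonFS device. The code below is an added example, not part of the report or the sandbox's own detection logic. It parses rows in the report's rendering (`Set value (str) <key> = "<data>" <process> N/A` and `File created|opened for modification <path> <process> N/A`) and applies those checks. The sample rows are constructed: six are copied from the tables above and the seventh is a fictional benign Run value (a made-up vendor updater under Program Files) included only to show the checks stay quiet on it.

```python
# Flag persistence and staging rows from sandbox signature tables.
# Added example; the row layout assumed is the report's own rendering above.
import re
from dataclasses import dataclass

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = (.+) (\S+) N/A$')
FILE_RE = re.compile(r'^File (created|opened for modification) (.+) (\S+) N/A$')

SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE = ("\\users\\", "\\programdata\\")
# Names of core Windows processes that malware borrows to blend into process lists.
SYSTEM_NAMES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe",
                "svchost.exe", "wininit.exe", "winlogon.exe"}

# Constructed input: rows 1-6 copy the Run-key, WinMonFS and \Windows drop
# rows from the tables above; row 7 is a fictional benign control.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zonak.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000498001\\zonak.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = "C:\\Program Files\\Vendor\\updater.exe" C:\Windows\explorer.exe N/A
"""


@dataclass
class Event:
    kind: str      # "setvalue" or "file"
    target: str    # registry key path, or file/device path
    data: str      # unquoted registry data, or the file action
    process: str   # process the sandbox attributed the action to


def norm(path):
    # Lower-case and drop a drive letter so C:\X and \X compare equal.
    p = path.lower()
    return p[2:] if len(p) > 2 and p[1] == ":" else p


def unquote(raw):
    # Undo the report's REG_SZ rendering: outer quotes plus backslash escapes.
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        raw = raw[1:-1]
    return raw.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def parse_rows(text):
    events = []
    for line in text.splitlines():
        line = line.strip()
        m = SET_RE.match(line)
        if m:
            events.append(Event("setvalue", m.group(2), unquote(m.group(3)), m.group(4)))
            continue
        m = FILE_RE.match(line)
        if m:
            events.append(Event("file", m.group(2), m.group(1), m.group(3)))
    return events


def check(ev):
    findings = []
    if ev.kind == "setvalue" and "\\currentversion\\run\\" in norm(ev.target):
        image = norm(ev.data)
        name = image.rsplit("\\", 1)[-1]
        if name in SYSTEM_NAMES and not image.startswith(SYSTEM_DIRS):
            findings.append(f"run-key masquerade: {name} outside System32")
        if image.startswith(USER_WRITABLE):
            findings.append("run-key image in user-writable path")
    elif ev.kind == "file":
        path = norm(ev.target)
        if path == "\\??\\winmonfs":
            findings.append("WinMonFS driver device opened")
        elif path.startswith("\\windows\\") and not norm(ev.process).startswith(SYSTEM_DIRS):
            findings.append("write under \\Windows by non-System32 process")
    return findings


def triage(text):
    """Return only the rows that trip a check, with the responsible process."""
    hits = []
    for ev in parse_rows(text):
        findings = check(ev)
        if findings:
            hits.append({"process": ev.process, "target": ev.target, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS):
        print(hit["process"], "->", hit["target"], hit["findings"])
```

The masquerade rule keys on the Run value's image path, not on the value name: the report shows the value named `csrss` and the image named csrss.exe, but an attacker can name the value anything, so the path-versus-name comparison is what carries the signal.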

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-162 = "Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-672 = "AUS Eastern Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1971 = "Belarus Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1891 = "Russia TZ 3 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-151 = "Central America Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-892 = "Morocco Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-601 = "Taipei Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2891 = "Sudan Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-152 = "Central America Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\System32\sihclient.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\sihclient.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4864 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4864 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4864 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2332 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2332 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2332 wrote to memory of 2176 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2332 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\mousocoreworker.exe
PID 2332 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\mousocoreworker.exe
PID 2332 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
PID 2332 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
PID 2332 wrote to memory of 3548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe
PID 3548 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 3548 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe C:\Windows\System32\sihclient.exe
PID 2332 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
PID 2332 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
PID 2332 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe
PID 2332 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
PID 2332 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
PID 2332 wrote to memory of 2056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe C:\Users\Admin\AppData\Roaming\ms_updater.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe C:\Users\Admin\AppData\Roaming\ms_updater.exe
PID 2056 wrote to memory of 1184 N/A C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe C:\Users\Admin\AppData\Roaming\ms_updater.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
PID 2332 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe
PID 4892 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4892 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2332 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
PID 2332 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
PID 2332 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe
PID 2232 wrote to memory of 2036 N/A C:\Windows\System32\mousocoreworker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2232 wrote to memory of 2036 N/A C:\Windows\System32\mousocoreworker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2232 wrote to memory of 2036 N/A C:\Windows\System32\mousocoreworker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2232 wrote to memory of 2036 N/A C:\Windows\System32\mousocoreworker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2232 wrote to memory of 2036 N/A C:\Windows\System32\mousocoreworker.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
PID 2332 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
PID 2332 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
PID 2332 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 948 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2332 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
PID 2332 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
PID 2332 wrote to memory of 4076 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe
PID 4076 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4076 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4076 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe

"C:\Users\Admin\AppData\Local\Temp\5c65af0cf527252892c5d4a90aaef419ba9c76b3da19850acf7d393ad3fdc608.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe

"C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe"

C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe

"C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe"

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe

"C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe"

C:\Users\Admin\AppData\Roaming\ms_updater.exe

"C:\Users\Admin\AppData\Roaming\ms_updater.exe"

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe

"C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe

"C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 220

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4660 -ip 4660

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv rvViOhNg1UCCFnraEXtuJg.0.2

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe

"C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe"

C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 lizotel.pt udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
PT 185.240.248.84:443 lizotel.pt tcp
US 8.8.8.8:53 84.248.240.185.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
DE 20.79.30.95:33223 tcp
NL 80.79.4.61:18236 tcp
NL 94.156.65.198:13781 tcp
IE 20.54.110.119:443 tcp
PT 185.240.248.84:443 lizotel.pt tcp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
DE 144.76.1.85:25894 tcp
DE 185.172.128.19:80 tcp
US 8.8.8.8:53 udp
NL 195.20.16.103:20440 tcp
DE 185.172.128.53:80 tcp
DE 87.251.77.166:80 tcp
DE 185.172.128.33:38294 tcp
GB 96.17.178.176:80 tcp
DE 185.172.128.79:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
DE 141.95.211.148:46011 tcp
GB 96.17.178.176:80 tcp
PT 185.240.248.84:443 lizotel.pt tcp
US 8.8.8.8:53 server8.databaseupgrade.ru udp
US 8.8.8.8:53 stun4.l.google.com udp
NL 94.156.66.203:13781 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.130.233:443 cdn.discordapp.com tcp
IL 142.251.125.127:19302 stun4.l.google.com udp
BG 185.82.216.108:443 server8.databaseupgrade.ru tcp
US 8.8.8.8:53 walkinglate.com udp
US 104.21.23.184:443 walkinglate.com tcp
HK 154.92.15.189:80 tcp
HK 154.92.15.189:443 tcp
NL 94.156.65.198:13781 tcp
GB 92.123.241.104:80 tcp
GB 92.123.241.104:80 tcp
US 172.67.143.121:443 tcp
US 8.8.8.8:53 qualifiedbehaviorrykej.site udp
US 172.67.175.187:443 qualifiedbehaviorrykej.site tcp
US 8.8.8.8:53 combinethemepiggerygoj.site udp
US 104.21.38.174:443 combinethemepiggerygoj.site tcp
US 8.8.8.8:53 187.175.67.172.in-addr.arpa udp
US 8.8.8.8:53 weedpairfolkloredheryw.site udp
US 172.67.174.43:443 weedpairfolkloredheryw.site tcp
US 8.8.8.8:53 174.38.21.104.in-addr.arpa udp
DE 45.76.89.70:80 tcp
US 8.8.8.8:53 43.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 94.156.65.198:13781 tcp
RU 185.215.113.68:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
PT 185.240.248.84:443 tcp
US 8.8.8.8:53 udp
N/A 185.172.128.90:80 tcp
US 8.8.8.8:53 udp
GB 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
GB 104.91.71.134:80 tcp
US 8.8.8.8:53 udp
GB 2.19.169.32:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.179.201:80 tcp
GB 104.91.71.134:80 tcp
GB 96.17.178.176:80 tcp
GB 104.91.71.134:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
N/A 88.221.135.210:80 tcp
GB 104.91.71.134:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
GB 96.17.178.176:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 94.156.65.198:13781 tcp
US 8.8.8.8:53 expenditureddisumilarwo.site udp
US 104.21.5.215:443 expenditureddisumilarwo.site tcp
US 8.8.8.8:53 udp
N/A 93.184.221.240:80 tcp
US 8.8.8.8:53 215.5.21.104.in-addr.arpa udp
PT 185.240.248.84:443 lizotel.pt tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
NL 94.156.65.198:13781 tcp
GB 173.222.211.107:80 tcp
GB 173.222.211.107:80 tcp
GB 173.222.211.107:80 tcp
BG 185.82.216.108:443 server8.databaseupgrade.ru tcp
US 8.8.8.8:53 udp
N/A 5.42.65.31:48396 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 paperambiguonusphoterew.site udp
US 172.67.177.31:443 paperambiguonusphoterew.site tcp
NL 94.156.65.198:13781 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 31.177.67.172.in-addr.arpa udp

Files

memory/4864-1-0x0000000000090000-0x0000000000498000-memory.dmp

memory/4864-0-0x0000000000090000-0x0000000000498000-memory.dmp

memory/4864-2-0x0000000000090000-0x0000000000498000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 f0f040aac317339e457924378d7036c5
SHA1 c12561eeb011a9baae2288ca81e604d04841dc3b
SHA256 13d6eedae7c789ecc9d77304fff86fc6f2df37fb28c22fae3e54d86842d1bea1
SHA512 fbc9bfe5eb7c9956f1d85c71e163ff1f598e69d33ccf30e207581b4fe95f03a9d8372e1514c711c26cdd0f8fabeba307cfbb4241f00d7771bc8a0f3d35f6890a

memory/4864-13-0x0000000000090000-0x0000000000498000-memory.dmp

memory/2332-15-0x0000000000D00000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 8844d90c795f320af90151cc7b3e8e22
SHA1 300fe3c5209cf18772be5e43212b0f2495cedd7b
SHA256 1beb32f2d0a2eecc655c3f4a9ae6e686e6362d462d54140069610d2281cfb5fe
SHA512 efbd7c94149430e4e578c9d603d6dbc0a1fcbc42ba96a0be7620ae7934ad72933cb3d3ff2c5afddcd6218a3ce7d1b6f989f9def2e781bd769ed926164d5a9151

memory/2332-16-0x0000000000D00000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 eb333f172f23ebd178501b307f202134
SHA1 08d1a9a9bb95486c2144b8a93110fee5e60e7130
SHA256 a4a9256d58bf34ec02afa89c0c453c32b81ee19326e29dd2006813544f486bc4
SHA512 0e0a0bb7b00f91db2b611058365ac6b8a54cc05568dc8aeed48f9e95615fd3e487d5e8d24e38090ef458cce23cff32f641ca39fc8d391eb8442394edaef195d4

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 8c36cdedb21883bff86e082a57ed1639
SHA1 5114ce74a63ca7f5c381786fa19b51d4b6de2e78
SHA256 0c46fd38bdae3cf9f5bc062173966770e843001d337b94af5c2cc7b20c61de77
SHA512 ed83f24476a17213a4e1147cde59885e55c1b593ed237aa7d2354d2485873edd87c3dca4177686630764be594b13dbaabdd659a65357f5f5854fdba1b16bb1fa

C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe

MD5 8d5ed9630b0aad76bea937c8008a1aa9
SHA1 a384063bc10511f303a0d3d401f9293b8ffb74f2
SHA256 7c12a86a9e69241ae6bc099c3c6d157b9f2cbe999f375af0ed867511cce5e964
SHA512 a6e30e26d3ef70be2927f7b8a012fe3f325f9861bae5afa58875f2f3818f67b6b90e0c9c52b4cafc0c2f2ef94519a9b236847cfb5edc6ca6e6bd23f6d0ada77e

C:\Users\Admin\AppData\Local\Temp\1000486001\322321.exe

MD5 4c374666fd80d3f3b1e63fd12c1e7cc2
SHA1 ec23cac925bed1561e5fc84aeb62de12c2b6ce47
SHA256 f5f2788fd885a48eb38517740e34e1c015d8f1215f763c7c95c5a4712118ae26
SHA512 8279260af7ba234549b7ecfa42edd393621ec18fb0ec635eb2d8311c4259f5c2a2b0b9b55fc39c6b8b7821b25ab2b89efb4fd5c9550fe97c69680d4b54639e9d

C:\Users\Admin\AppData\Local\Temp\1000487001\crypted.exe

MD5 ece8e2177083eefb49d5e0185b899b93
SHA1 ea29f48483d95897da5af016c47ca99f825871cd
SHA256 5e88119a34553c24625c42dbbb35b9c969a051a54478ab9227dac4ce720a703e
SHA512 4cd4a45cba10387b7e977ca05a3f44efb0ed3911cbd22d2ec00d9e24a9d0e0a424727ddfee9aec71454fb52f0d85f6a42b95656ef232e0538e18d97a5f32646c

memory/3548-64-0x0000000000130000-0x000000000018A000-memory.dmp

memory/3548-65-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/1588-69-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3548-71-0x0000000002590000-0x0000000004590000-memory.dmp

memory/3548-67-0x0000000002540000-0x0000000002550000-memory.dmp

memory/1588-76-0x00000000058B0000-0x0000000005942000-memory.dmp

memory/1588-75-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/3548-74-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/1588-77-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/1588-78-0x0000000005890000-0x000000000589A000-memory.dmp

memory/1588-73-0x0000000005DC0000-0x0000000006364000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe

MD5 d9a805f6e7cbbd52c0f47e1a364fda73
SHA1 6c06acccf19f8d31b6e99f1937e3b757baaa5ded
SHA256 12a870f240ce1e870ed51d932bd0982b49777db3aeea03ab69c4ff6df28d3e07
SHA512 7825a747e99b68ed14d641cd29cd462b32f111c61d893fafecb7d1a04ebc81ccb39f3c70bb441a33009236129ac07e19de7e73968052d915072c0fbdc24c5a2f

memory/1588-88-0x0000000006990000-0x0000000006FA8000-memory.dmp

memory/1588-89-0x0000000006370000-0x000000000647A000-memory.dmp

memory/1588-91-0x0000000005CB0000-0x0000000005CEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe

MD5 dad914c1b058745ec0a8689f307f5e78
SHA1 84351cbb84c016623de9d1a0029963a7ce601c27
SHA256 eec48de4cbc210718fe28d0c19f42765fc7c2c40fd9b01f50c25c12df757ffcf
SHA512 0f72b65f000fc249b8bf37410f692da808710a08d19bbe219a11de6076da133c3e01d13554041d39b78960511612b9482e0ebeb414aebfa64fe0eb552a3c14a7

memory/4892-103-0x0000000002360000-0x00000000023A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000488001\legnew.exe

MD5 5afd0abdf589796afa275e234eb5dd48
SHA1 c05882e170685c8f88cc37d87579e0d2cf72bf72
SHA256 40bdacfeb06cb0572685662768030d9b93fc7c9a2e12b981c2f1ab46e230b654
SHA512 74099012026c1cfea5f200976ca01886a159d7596de32e22a24a0be2ea749d9498ad64ee1ecbaa83b4e8f414fee0ae099ee42fee89329ccfe8072f48767eb361

memory/1588-99-0x0000000005CF0000-0x0000000005D3C000-memory.dmp

memory/4892-105-0x0000000004A00000-0x0000000004A3E000-memory.dmp

memory/4892-106-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/4892-104-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/4892-108-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/4892-109-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/4892-107-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/1588-90-0x0000000005C50000-0x0000000005C62000-memory.dmp

memory/4892-110-0x0000000005AC0000-0x0000000005B26000-memory.dmp

memory/4892-111-0x0000000006370000-0x00000000063E6000-memory.dmp

memory/4892-112-0x00000000065A0000-0x00000000065BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe

MD5 9cab7da3713242cdfc416453f5cc59de
SHA1 0ec38a077cb0cc483af1a875595aefc4d58bf96d
SHA256 8eb9aea356218ac085f60ed399e65d27104f7dff92705ff4e195c4aaff99c6ca
SHA512 d6a64c28649d6f5410f1c0644a6b2c4630fb641cc81e93576a917b661dd79d8446f296a12470f49ccc81d0a1883b0b561d155edc8e5f825026f3861b492b2b5b

memory/4892-123-0x0000000008050000-0x0000000008212000-memory.dmp

memory/4892-122-0x0000000006B60000-0x0000000006BB0000-memory.dmp

memory/4892-128-0x0000000008220000-0x000000000874C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe

MD5 faa5da3bb93a6ed8770e8371dcb4dc12
SHA1 6a513e5d2cc8c45dc42b7ec8f26e41707171a33c
SHA256 6bd95134220fe1a713b11af95c0247d96f0cb65eaffb9560b253a5629262490d
SHA512 326a51bd5d9b4164b739da914c942332a9811857efdbc5a8bb51e08d0595f7c2e9400f772ade74e1206466fdc4558d8683ba4386e20f0fa556348acfdd87ec9f

C:\Users\Admin\AppData\Local\Temp\1000489001\newbuild.exe

MD5 343b40d00a1621d19638756a62381efb
SHA1 08870501ebb777b5c535788bf811658ddcfc4d69
SHA256 18a278964513e4cd912ec696c181762a1026c48a898a09c0dbae94a808686c64
SHA512 00ee5027ef2fb7a4a9eed46eb0c3524f9a1fc7daf69f531d80141d9e48f13a37d63fd77d87f8c9150b029aa1c64cd79bdcb94da4ba7ca9fe6feee0d03657d38c

C:\Users\Admin\AppData\Roaming\ms_updater.exe

MD5 95fc2737ab13f70835a03fe2fc322fb9
SHA1 d1058c7a7f8fd8e065cb2ac4c43dda5890d566a1
SHA256 71667514d0ac30838264265cab7ac706d1a0c63b532c57841a2aefe29eafd900
SHA512 3c1544bb4bf8ab9fc9c9ce3453f7065a718a64cd9b74e675ca178001d69d3a1a5896c7fbd29ba1d0937a687549982dd2b0c3710b14b02ee548496a844d3dfc5a

C:\Users\Admin\AppData\Roaming\ms_updater.exe

MD5 1742329c3caa2d4a3786a45e0cdf9887
SHA1 f7f77ceed58e2bda7e421dfcc2fbc21d9cfccca5
SHA256 f13490640de8281eea567545a98b060f006712fc979614776278a48ae0837dc2
SHA512 9c3615d2f66af5981d14d72e9b689713a542e09aeba649dc34710be6fae1556b64da6f5d3fa26f3a104bdf97dce8c72f9b75eeda3dd1ece7620aa5f7669bfdf3

memory/2332-149-0x0000000000D00000-0x0000000001108000-memory.dmp

memory/1184-150-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/1184-148-0x0000000000E40000-0x0000000000E92000-memory.dmp

memory/1184-152-0x00000000056D0000-0x00000000056E0000-memory.dmp

memory/2332-151-0x0000000000D00000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Roaming\ms_updater.exe

MD5 68170840ada51291a1b5d81bb0e0b1ba
SHA1 7d2424047126c61d77519f057dcd7ec8e587270f
SHA256 e9389524608a627a41ac061a7cc3b705fa562cf889a72fdb413b3a2120f879b1
SHA512 bf8a1df5d806a37776e2d7ee4adb1765389d4c62d927786e1277fda64a5773fe7b2d5460a928a832847646930deca19a8c84e7578ba9045fc04748923ca23fd8

C:\Users\Admin\AppData\Roaming\ms_tool.exe

MD5 02aaf9ca1fea131617439290cdd02fda
SHA1 2ec756e4ed1a66f944f0a780e903b66f86433de3
SHA256 0c31969fea39ca5bc586cce2d78610db6e7974ce5151d424f75152ed93afc0c5
SHA512 7ef57094a147ba515942a2afe8fb81783959684cb54a034add13edb1a13331233e9a6d9be683f1e8f9af9ff726d528a55b0014faed261b6dc6663e121c41bee8

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe

MD5 f41dfce8b4a263aa727d32ba103efadd
SHA1 708599d7c7c6c6fb24add223c0e0fa5172248f83
SHA256 08add940e5dddd664ee956c1fe862ce31b76cfec406c2749b0393636a41bc270
SHA512 4aa527487193d7dcaf84e7fe8219ad045fd0e0539169ad1b6db203decbecad04fea517bd885d5ef231660190c821416153cdbcc7e9e3cd8287a4111862f16d17

memory/2332-182-0x0000000000D00000-0x0000000001108000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe

MD5 2a2005551903c809e2bbb6d69f361833
SHA1 4c7947f868a4ce9d8295970ee750dd3689966d88
SHA256 e4b0cb8718d4261e3f23a025354320d2088b6eb8c7ae4badfab77969c5f18af1
SHA512 a1937a38e30ae1057126a208ee2c552d2db0c04936d338d123e1eaa5d3e7c1051dc72b7a107028a60b17fc177a5d602036d5ad3f896f4c9a66f7bf3a526d7ae7

memory/1596-184-0x0000000000670000-0x0000000000C78000-memory.dmp

memory/1596-185-0x0000000005540000-0x00000000055DC000-memory.dmp

memory/1596-183-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000490001\data.exe

MD5 9e42c76613c4f79a87125f4bc435d599
SHA1 4181d508ff7191f7b66cbf4a407c8ada176b1c98
SHA256 228b36d9dba0433a8e7f9324cb70ca6e7297ab013f394b6b63555633a26f9b30
SHA512 71b7fac3caabc25676465337c86545b20e94c6ecef6b7e592fed0e8a84896b61ce55463801b89fcd8cbf2ff029e928b327db574e95e5984cbfd0994394c53b60

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/4892-199-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/4940-198-0x0000000000EE0000-0x0000000000EE8000-memory.dmp

memory/4940-200-0x00007FF85EE30000-0x00007FF85F8F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe

MD5 8a81072aced17c4b3680dc4b58337e23
SHA1 d4b99132345ee8295ff73f0f294888554bbd405d
SHA256 bdcec318453b16d38a5fec9bfa1cec1dc40399a53819a87b2c366f26f73b599c
SHA512 9fac1d53cb82268859278468c2b5dd817f996c877bc575909b093b17da323ea96b74c8ded713bcdebe1943e203e2d5b35889b9ba95e700920a411be98f0e49c7

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe

MD5 8693fc1c13ab5e40a13edff8f59b223b
SHA1 1bd7b93349d848fa5749e4abe2d7a66d2e2a67cf
SHA256 82254b5c975192f973d941572d18bbf09e396ca696bf40210f5d39848935f4fd
SHA512 a3bf239c3b96c0e2736015a07ab4e5ce3085408cfb8c4c188762308b530cef60a364143769e4d15b17125d5d0b6e46d764c55eeeae681e52ebc3880a1735629b

memory/4992-220-0x0000000000AD0000-0x0000000000B22000-memory.dmp

memory/1588-221-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000491001\2024.exe

MD5 3c88e52acad3ff4b6409f546263af199
SHA1 5a851373f0e587a3a72b1b38d0402ef34b3150e5
SHA256 767d57e798c1a436a82f4238312b154a2ce2c01a013170d82049257ba915f65a
SHA512 28db4881cd2b19434930e1b3ce633b1a9860d2b556de6dd48e1a7839ae89ea624fde4a4654fe371ed6b59ae3f538fc1fd512806604f2f8796b3d58fa8ae496eb

memory/4992-222-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/4992-223-0x0000000005650000-0x0000000005660000-memory.dmp

memory/1588-226-0x0000000005A30000-0x0000000005A40000-memory.dmp

memory/2036-227-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe

MD5 8012b988154b498d8f197cc70a1ef0f4
SHA1 8ab61e32fde0b2fcfa853f6fe09b6156ce9e56ce
SHA256 d7b4944562a290b58469dfbb5d12b097d1001e2895aef47fb31d00965a076931
SHA512 4e796b880c39f94ba799dbf716971ab230433fb5af8637fd455268c4a528becd38c70ecabb3c86826185c3879bf74274bf1fec1fc93420980c51c8eb87fdf370

memory/2232-225-0x00007FF676DF0000-0x00007FF677085000-memory.dmp

memory/2036-224-0x0000000001370000-0x00000000013C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe

MD5 7743521c4822424b9b2ad8ee9a571e1e
SHA1 d9c46a01e793a15c685f1f1a27ea4c2aae8f6dcf
SHA256 c771287b428f4f3421740744756df2ed7a753276adcafb9f3ecc61ea476e3d40
SHA512 de973085a1801dc71ca15f446ba4c02972420c5d60a2ed9d1e8a5cd2806d07bf28a86cb0d24b2b90d79a9a31f4b72488b826d235183d57fee41635e42b172e29

memory/948-244-0x0000000000030000-0x0000000000098000-memory.dmp

memory/948-245-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000492001\crypteddaisy.exe

MD5 0a5d951dc2c8e0df209f1bbfa4bfb21b
SHA1 6ed881e541041f8dd3866a8d75e512aea0b9197a
SHA256 f54d7a0c85094f12a8a6f519b75a99f91e402777aa735e3697c4b9c2fefcc181
SHA512 072c623eec195ba79f29265fd7e69cde6532dbaecd9bc4bfbd4776c1b9f763111834992bb7cbf938ae3292a0dc3780e9a7a4ba6c98337cc1acf1b5c7204e9c99

memory/1184-248-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/948-249-0x0000000004930000-0x0000000004940000-memory.dmp

memory/4444-251-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1184-250-0x00000000056D0000-0x00000000056E0000-memory.dmp

memory/4444-255-0x0000000005770000-0x0000000005780000-memory.dmp

memory/948-254-0x0000000002200000-0x0000000004200000-memory.dmp

memory/4444-257-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/948-256-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/1588-259-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/1596-260-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 3c3a96368474d263f5ea019bb148f2e2
SHA1 59df3f80c5bf185c4614b6bd1fdbdd9ba98a70ff
SHA256 1c951cc45d6d7c65d8986608fc122707c5b514d02c35dda902d07b1d3ff30dc9
SHA512 43ff378600b9feda6a5b71e025932a207bed40483421a7c5a4ab0f00b1f7f2d538dfee72cf1259253cc357da8f00fe62d1a6f00f01473694cb636b5e2783d574

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 e4c746348135449eae9c34f8323e5428
SHA1 ce8a89cf9b4c040a15e50b4b64c1e10a64369d52
SHA256 2fefe3df9f5827e3158c1c1fff8f9eee5c3fa764d3ac357936103ee9563d501d
SHA512 637b2d85259188bacb820c5460cbef826e857e0f9b22750de9446211a626313c86a4d92dcefabfc30f82a8d4f6dcd459be261d92b47b5e78f52b2f75b8342530

C:\Users\Admin\AppData\Local\Temp\1000493001\latestrocki.exe

MD5 1d24f60f35a9eed03b162c1a217bcfb4
SHA1 6e02b81826873c0da073454c4405782051caad77
SHA256 f8c9a3651c2a36bddad283697b5b0125d7117d9721745263913e8fb214118283
SHA512 53c2d2ca5be30405dda254c2bab497f048e0b215e8fe130ebd6e9e0f09294209c57502dd77068c7264da619225792bfb376ad2ae9175a49c18164cc6f238f6fa

memory/4940-280-0x00007FF85EE30000-0x00007FF85F8F1000-memory.dmp

memory/4076-281-0x0000000000840000-0x0000000000EC0000-memory.dmp

memory/4992-282-0x0000000072DE0000-0x0000000073590000-memory.dmp

memory/4076-284-0x0000000072DE0000-0x0000000073590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 39bfa7ac284abd2170579ff0cbf4df07
SHA1 dbe239f5489b5ff7b3b18675eeb324b41122fdc9
SHA256 127c01dc19f54347ca4daea88c3fba0545f54b03ab829d756f6e9abcea90ac12
SHA512 f1ebe8884b3a3c0f7840b1f1ce50de9e1e8287b74f19045e35a5b264b749c9d034426d18c98624f33d9c5b8fe5bdb258f34b1d4395bb642e1bdef40afbb4eede

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 0c42f46dcf1a569710e97ba682312c4d
SHA1 696c8842c252915c58411a0b11a5744058604ba1
SHA256 975794ad879e756f3682e62c325fdb7850373f9dbe414ed55a8e52593fdbae49
SHA512 ad2bb1783ff97fe0e02f5dfd138d8bcd56dc7eaa669d0a494da61658435cf09ee44fe3fd2aff9a17c107fee88e73f6694f34e19dbcb88d29f36db70457a09990

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 be3db74fa2b8975b403c99aaaf7c0441
SHA1 f04097079bc70690c3e455d7bde1360e792daa08
SHA256 a87f4c2172f8861fff002afe34ee8b56d2a03393adb3a60da2d1a583a2b98803
SHA512 b48646bf9bbd5ff66b6e4c9b3a6092d836c1d1224db3a250627ec53d6ce2c80ce22a1538e47824a6b7e98f37dfc4c296975f17a223bbea34bb78edfee1e3ffde

memory/4660-302-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 7d7bd18e7b132670a1bc101437dac26b
SHA1 de74700742904966645530328ea0cf81629b472d
SHA256 b831b62279d598b3447bcb8f5c85baeb426bbce2358a6e6217022f6e2c0b7879
SHA512 9f360c563f4e6ca7fac5aff6f6900b29d4c9e81e694be972f8fa8fcd58b9626b210f47cb670fa2f3cb3b91d264dcd4d342b21f0e4074010fd3c6893cd7f12166

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 4c32362fb51825667d5972cae30d33f1
SHA1 b6102964ecdeac0e0447756ddb5decb1597a12af
SHA256 d5342b0851bec4f7871100558db7de18c64e4212ff19af51c35007678e8faca9
SHA512 f0475e31c3c73ebb6010f99e749d9ced75a75064a70fae5b5d6a7518b1aabaf6ac19f09cfac5ce7e945cbd82edccd6c9459349dc7e8ee93c0dc30adf0e0c0f37

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 abdbc17e4495780a3905abacc9f96f18
SHA1 e9dac12503a223532286b748fa53bff8725dfb86
SHA256 542474aa4e04ce767c0eeb16961aae2a6f279272daea9ce9cb9948bf3132f38b
SHA512 a83e4be8c4113f5eac9945d69147dd839df652c538769d8c4f204c864cf9ff0500692c5b6d31a877bbc6b6ee1cd6f17f835e815b105eb3a671b45c1342f79fa1

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 b399f5e227591bf3df4e0527e781d308
SHA1 8c2f3b02a2a5a5e185aa27b45f53bdc3fb8c80e0
SHA256 215ce80936c60b578c1a4a458289d32e9d30dfc3f446768e42d7fcb5e375664f
SHA512 f8c9d607a3c40159f4e431ebe59ed497db09f6298ab72cc43645149bed1863c456f498edae42db56d4770ca3296b58c41dd741bc303a59d20cff0a6fa75f3107

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 ce009f0680a40acc686b8c0f2f31f61d
SHA1 8999433edbe645a3aac4b4776fd94856f86cba98
SHA256 73aa7d77c173000f4083d50606ca6cf3c71faa204e53910655693f0a3aef246d
SHA512 f3845d6406175cf4cd30c3ab4316d9390015bd21bd36238e1b522e0957bd071aeb111a012388adcb9cc4d2b02f27351010a18586bb5c2d14c8513feff82fa980

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 1d58ff4ec15af321934e53d037a423ba
SHA1 2c4afd59880e889ab6dce065996792299aff96a9
SHA256 1f1d8c38526673a2c4eecc63c7beb858665444fdccd8ab5e472202ab1a950d97
SHA512 a602d9411e453c50faca4e2ac330d3cf9db829930e398bc2344f494859b63db0f94dfbc4c3d47bed10d938747654a2a17a4f47426c2a6b9bbfca0060bc73066b

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 78394ad4787f4e98965fbbb62d079fef
SHA1 2bf8bc202db6b9dbf03e2b852645947e216f0c23
SHA256 437fa9b74ff9727c08e8c2dd997f9a36229948d4d4f04f06c8816b2fbceabe5c
SHA512 27621d6b4421e5ab8d2cf9c31be6b626f649b5d30caff6274c9fa02bb244a4f94a036f2083722b030dada67f84bbcb4a5d769925ec30f4a81fcec87fe40b98eb

C:\Users\Admin\AppData\Local\Temp\nsd9ACB.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 f57bf6e78035d7f9150292a466c1a82d
SHA1 58cce014a5e6a6c6d08f77b1de4ce48e31bc4331
SHA256 25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415
SHA512 fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 43c66bb7924057abaf91e8ac6cc54072
SHA1 d05479ac2b8016f9435a75c5ec9506ff42b56563
SHA256 35852b3d65c820d9d95c4b5105b5f8ace19a951932111c8b6929b0651591288c
SHA512 69b9b5d98e2d098cd48c645bd0dab4dbeadac1614a9e3e373c03c4c171a676188a2874524b2231404b18c742d144d1f4f7722f44daeb4da733eafd42c17d1f62

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 3124cab2fcb69e98e2daf40f87a1b631
SHA1 dde9cfb0dd07e25bc5c993c2e6870d2cb714b247
SHA256 57a42bd71a3f39e1d7849b92ed05f8ed53f5a64fe7eeb0aac5d8371e2dcedb6b
SHA512 32eec8e39730108dea14ec81b7cc595c4e0403ded2263c7152a65a003218c36886f3464747431a741ff3d2a0bcf8ff5a0510421651688be321ff075f5b481805

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe

MD5 a2730f3c9afc9ba81e578c5862c93001
SHA1 d0c27e6658447fbc982d065eb900e1eec97c54ef
SHA256 981d5a305f4c82ebf1d4173444ba41154a6f3e7f5c5603af416bea6d6ca12425
SHA512 c9b33fd1bbd5df1a4484ddb9429e131e8ec98d3580d7754da9440dae8d9aff1c077f2596fc0ec23d9dcb599f04bfde2d29c862f9eb3fd45e942d42addf345da8

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe

MD5 2bff5115aa3a009aa0d90677aa73a71f
SHA1 39685afb06a3a437c500c7ea296932c558303388
SHA256 16a764e826d188da4bdbf6a1733e436e0c2849eadb04248cdb2e56ce1116b433
SHA512 a1f90a4b19a83f48038f63a7bc82c4c350d52391142e5a85ffe91163df6d887eba44d966b4c43c8e8b3ec067e6cc85db50876f09d4cee5de0a3b4cff2b97b7a1

C:\Users\Admin\AppData\Local\Temp\1000494001\rdx1122.exe

MD5 e660771c8bfe53518fcbcde2dff47c0e
SHA1 2f49d6ed75c0914b13fd428b1673eb48467aa4f9
SHA256 564512baafa7cf6cd77bab29945e71b002f3138036fd10293e5248c0954337c9
SHA512 a8efcbe6e8c03af26b006f31e4ad39c4a5038c6dcabfa4c4f771ea7e7d923507f037b53f2b3e038336eae234537203d6b3e9a344cf29dc833f57f1e8e9fc174e

memory/4708-369-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

MD5 71f64c0d200dacb7070d47cac70ffe12
SHA1 1daabdb499dc711d68965fbd43a81d3dcc76f63e
SHA256 2480a7ee456117028b70a6e37febd0abe5ba79b9dbece5e74dff4f6a28b7e7ec
SHA512 84ce6cffcce286a6e99633d5193c9044160f71d9c9a40d8889851caad912cd0805069eb1d36fdff04523d4f9c1318fce3f1010f4fa48db66c5950f5cc818d680

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

MD5 fc6a9813f06f1c902a37eebc04196dcf
SHA1 036f73c992e8cc94c2046d1c0a5557ab3989ed6e
SHA256 aef00576dbafaf09aecb2d50cdcb3fd21376ad7654e1c4a5b818718e46d82243
SHA512 d35bef501f691b20728c8ea7fc70ceb36c1fe22a15cfa134d26b5d662b8f5ca6e915eb1082f04fee4d18835fd05075773b3f7bb299addfce80cf242ad104eacb

memory/5264-385-0x0000000000400000-0x000000000062E000-memory.dmp

memory/2332-388-0x0000000000D00000-0x0000000001108000-memory.dmp

memory/5264-394-0x0000000000400000-0x000000000062E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\nsp9FEC.tmp

MD5 556bcc07d119b54c0416768a7037eac7
SHA1 2d1cad0906753e017ed8494617c0184e751219f1
SHA256 a20e4c11c4761572b1ae83ff068a7aae4da7f804e7ad14353a2cc28ebe2cca32
SHA512 d1f1f10bbc36a9d2a923f7cf9043cc407ec649b2c9763785d1142191e21d653a0caa2db391745c48feda365540705f14ca5bab1fbb7789698188a02dfbf78550

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idny5mpc.3hm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 9f6fb901936025f40517c8ae6b55924d
SHA1 4a773cd966d3a4fd53d1d290c9dda04145ed5f91
SHA256 28efb145b6391e2a5646ad54ffda05f552beabd3ff8415cd9b14781e0646fffe
SHA512 a95e5eb9dfa623c8d1aeea4e040559bdddf0460e798e20e8c69f07afd8ad7b56a01d9c9fe8609efd6c005fd7198a5d97af306c48c72c8c44a2c3420b02e3efaa

memory/5264-503-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cf22b3e5d2535f6b798496e4b5e2c9a6
SHA1 8d46f261fdba0bb205bee025c39a15acffe49505
SHA256 4925deadd57c68d6571c3ed856b80c2b715b8a6b13ed6fd9fd38f090b546dff9
SHA512 db546a5658f591596797863e999c2d0a112af74df595201b00eb968bb13b065436164c393f85e031c93cfdec36d9ccbba405899c416c1a0a5a044b4f41e8eb40

memory/2584-579-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4560-580-0x0000000000400000-0x00000000008E2000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f1978340315c52c98bcaa56ff57705a5
SHA1 feb35e555068ab97ab32af17484c378b40459816
SHA256 760c880c9634acdcf93e67442910fc7187202d507b49b304587442d9b2edeb44
SHA512 e3bec039960201e7bb2d9724ab5f1fe586ff95fa664b631b7524e699dc22083d332e80e9d7911a8e87c2373af3a407124ae0bdcb3c2c8d8f8b8aafe111313aaf

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 a478923284e88a0b46af24fcca5d12ef
SHA1 50e37a058f40999216433f6fe86fecac0073f067
SHA256 94cb07e77e64bff7e1d66776c8a14a1c10b99cb270b6e78ff255c1a501c0615d
SHA512 ebc6637b40afbc3f53a60a4f2fe8aef6451424783ce398d26edd6143e7d309facc42e0d05112475b3d952b3e063f0db6990a809b52fbd06e6bacd7ae8729b9d0

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 f5f55289d85b4d67e705a53a0620cc37
SHA1 a3b8a2d21fb294766011a3afb537402749b6cdd2
SHA256 4b6d2d829badfe4ba981a3bc4043574f4e95581f959b04f7a3ddfb82ee80f8a9
SHA512 59750d8b200fc40f51157efaf9801a18a1eea6ae9a4b32527a0fd771fa12524bd56537738d436992fa6481c5a78a1fdbb4a33d050aa850e0d0542ad02d416bea

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 fa94dfb98f4c4382ef4ded21cd3d7023
SHA1 aed003c4cef4dc1a2ba9fd137dfb4c9d0c559421
SHA256 286593fead42a5c9b4f5649947352ef37a6e8e5e8482b9a5e0ada13b6ef1d1cd
SHA512 1af7f0e1ae10f642fe390b5b6b2b80e8d83709ad24722cddca0b315c94f4f6aecbec76461e0ff33140f28a5b893c45faef1bd0992b7f3ccdbf6aa95c023771bd

C:\Windows\rss\csrss.exe

MD5 a6d9c3f8d46431df33dbe03165f3755d
SHA1 2c1aa23563ba01afa1efd1d537b0109bcea873ce
SHA256 eed160f7a6edcdee857bb9b021c02995222dbda9a31ae8678dd95f4faa1f85c4
SHA512 6cec5a6fb535c979bc1dfb6a0d791fc47718103dcc1d94c3275bf81ad0a8b7963ea64c7cd4ea5b304690d5df8b82d4ee5d0ecb1abf8217f379a0f4d89e51a197

C:\Windows\rss\csrss.exe

MD5 dec2f70e1b89b47071883e3871f8571c
SHA1 1f7d245252d9074ef39e078a84cbdd9692bd3560
SHA256 d87f8c04c809e453b9d6f611f21692e418715abbf7c04bc799c4f0691f68cddf
SHA512 55230d64fa818cafa44441d5121e8903dfa52495e3972b3bd0b319a001222af67999942cdec6b6b4b55ca08a98d154344975fb975378496d74531d6440cede15

memory/5264-640-0x0000000000400000-0x000000000062E000-memory.dmp

memory/2332-643-0x0000000000D00000-0x0000000001108000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 33bd19375a87d3fc0903572a927d91fa
SHA1 3fc20287dbc49ddad57766e6c4e02bdddab9b56c
SHA256 f9e60bf48b8250f33069cab67d435df6ddaec85d576b082733885f05f21ba168
SHA512 75da77f8aff4a18278ba2bc07b184e8849ec9af626eca083fc6a1bea4a62aa3cf7318432b6e41f24caf4d358def9e53899a2119b72a391e3d0cb0ddf9a0302c8

C:\ProgramData\mozglue.dll

MD5 ace16e765ad1a43e2bc687ba67e3629f
SHA1 5ce1c5740d564fa542a7135339037dde49a12e2a
SHA256 b8a3c0d9d8af6b5ee6143fb17c7498bb8f36d67ae7f0e7dce8ee10d442820016
SHA512 99d2071b625fb7c9a060b184134c7ad3ad93a42d63c3db044a85c51fcec31c539dfebbb01ff25769dc5d0799897634f9bb4dd30288eb1584e3a9b6f03aa74540

C:\ProgramData\nss3.dll

MD5 b51c30b4004d8c5c1e2e2409ac6495b5
SHA1 270df3d99046e7608e74eff4b77bfb277559159f
SHA256 62d55299a85df829bee3e7eccc4d70fd17f0001d5c24d5ad0436f874ee43849e
SHA512 610ecc122565e0a567ac08d600bb01beec3bdd3cb733f54cfb61d8365bff385477c55d4627683a1fcebb4e01b29efe054bc91ac202b5749481a24815b81bb357

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 e02980e43ec9a22a0553c1a4eecb9932
SHA1 578c315cf25b6b48f55796a88a72ea93a66773c9
SHA256 298a7059c00d3e7cb2fdff2603337fcd9c4cbafe2546580bc444cd23b96e7e97
SHA512 f512e903d410358829d81ca69e932ce843d0197a30fe95e942572b1a1141cdd74d6193f8e34d0a63958bd0b7c774078695db7fe85398a815eafe36a250c05dc1

memory/6076-725-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0f8ef5395f959be9c10ab7d881470dd0
SHA1 6231a703b0b77190a67f161adce374d0bc6801e3
SHA256 523184bf3a0d17712b2b853c9af893a5e7ee12c74af05f91c922fbad2231b348
SHA512 9ae6f3b6ea0d053bbe9987dffe6824b1d4319e1e0f89bbc9a62de87e63da4f6e24e86abdd51afa35bc438def0079eefc4f8d7113ab04385f9590b1295121b48a

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe

MD5 316c40e6d840592dd0bb5aab9b6b2db3
SHA1 158d51d041e2260321b14778f239d8d661de0cb7
SHA256 dc1daf0c4b2013926c09c37e740510ae97a7159dbc32710896d9e520e3c6852f
SHA512 295cc85eaf682e9bcccb5674427e503cc3f40da2062982f7cb8a03258cd26f8d814952f68ce5e2c55185d547e497705f460c95fcd84e329d02e48d02431a760b

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe

MD5 a6a3c76741891c58bbfebec613ffc257
SHA1 29cd4d8d855d4966053fd353dc371f535492a90f
SHA256 cc1524855615ff43d5412aa52d3e042cc64bfe461f94d9c5a56f78cc0cf5ebdf
SHA512 09cbbc6a5e8abfe3be1aa408d59e316ba2d4cf4e5ab388f08f7409bb6637e682f4a34a2d08ea238e35f7e3b4c076ed47c5a4062bdd00b46b2f80efe073c326b2

C:\Users\Admin\AppData\Local\Temp\1000496001\Miner-XMR1.exe

MD5 2575c6611c94b447a7bb5696b1adfa1e
SHA1 182e2fdf174e754bb865ca9e705ade42799a1a19
SHA256 11538a63306920993b96d0dfb2d73cf8569f75d8ade3007da2926585d8b6b673
SHA512 ee12ceecc9ce877735179192555cd347e0d96c784b1ef99a54e50268b3f503850890be5b4ccc66ef68d419219cbcf5ffec5c051acfa4b8c65e2952259e899660

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/6136-789-0x00007FF71A5B0000-0x00007FF71AFED000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 c16871896bf076a6ab982e6a208c03b6
SHA1 63c73d0b8a08bf7720122f49674bcd7871fd312b
SHA256 50e8c4db8563a180005662b1df703607e76fd52dd32ba09485d760d6994219cc
SHA512 aeb244218866d012c4532a36d30f5a1254164e9ddcd8c83ddc3f3ea43a018b75213695fea4a0807843ef46cf6c80496c97f8f31a45f5bf5a6a0418ffa3bc35df

memory/3816-820-0x0000000140000000-0x000000014000D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 74f193141ff6098db4f5e6d367866c8f
SHA1 87f6602c2da8f2cb0a5f371d2423fca687b9ad09
SHA256 5fe1e6799f75d9e825ccc76544050d814d6220314babad1e7917477fe12b8063
SHA512 90690dba6078b2d95294a9d1f38b1e38cbe143dd5097c863850d46d181a63119efa1a3e9cb460b5251d9f50289966853e49fd7b95915f188be29ac6fcd3a5f31

memory/5224-822-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-824-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe

MD5 eb2af295a6a5f8f2f281f0f3b22dc80d
SHA1 f9985d1c44263e89c86289e8d774b3a277e34dc2
SHA256 c57ca044090ab5b8192c091244cf88d6c66e377af61f96cf3e6ba07c59822919
SHA512 62b32a53e427893550b8acf2b9af22863eb1ca61772a453e5dfd9865f4b4a52a48eb9ef09fa2d6364d64ce43197a4302207a53655101e7b3b2a90275d5179360

memory/5224-828-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-829-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-831-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-836-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-841-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-840-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-839-0x000001ADF61C0000-0x000001ADF61E0000-memory.dmp

memory/2496-837-0x00007FF7F08E0000-0x00007FF7F131D000-memory.dmp

memory/5260-832-0x00000000009E0000-0x0000000000A3A000-memory.dmp

memory/5224-830-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-826-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-825-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5224-821-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe

MD5 b53745ea7d40e840b8a05308ea236707
SHA1 2f87c0d2137486ed131c9dfeedbb014526ee5406
SHA256 f521ccc01a4853c53fa90172df92fb731ab625e176b97f40d00998de2bd6c7b6
SHA512 cd273d84786e2b1db21cf048069bf63c36572c53cc0ba4c9746fe9b9ba5a637bc5493be4e736e2a94dc6aac87116672ed8623d4ed4a9a17651b71a67b9787e19

memory/3816-816-0x0000000140000000-0x000000014000D000-memory.dmp

memory/3816-814-0x0000000140000000-0x000000014000D000-memory.dmp

memory/3816-811-0x0000000140000000-0x000000014000D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 b9dae1fb40aea1cffb7301a4e077ba1e
SHA1 f5cd9d6bec2f697287822f3653f6cbe74fde02fe
SHA256 a0c2c839b0c126da45f1f1674cd9c6bd6072fe5d518c7c12dfa4c3a2ffcc6af1
SHA512 8c383297007ccd46c9ea605a4287838c7499cf42547701a707c275b7acc849343210329939ac4e39e1aa344cecb2000b6e327ff3d45ecfeb71679778bff829b4

memory/3816-808-0x0000000140000000-0x000000014000D000-memory.dmp

memory/3816-806-0x0000000140000000-0x000000014000D000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 b46971f3901385029a4565d85b8ab50e
SHA1 4b00ffc3163395b343f7ade552b4bedd12160325
SHA256 34d93e4900bb3619304981c96495c09cab7035ad1619847e222b890a1c7f8c0e
SHA512 8a9a297b7c4b4fe267f07efce98f6b634a007478d003e3cc2d0e87b0866c65f787327effc48a2b6ce08d255aed047b2542fa08e8332cb83557e33c4a81531f47

C:\Users\Admin\AppData\Local\Temp\1000497001\flesh.exe

MD5 e32006f145039c6ba4a879eb8213a88a
SHA1 d06d885effdbe6514d24c0d33394d5bbe234771a
SHA256 80549cc2164f1b3d4141b1b13ce17042c0f71c17a5e23d5149b5b623c87891c0
SHA512 7ca3f0adeb4252af317e7d35369082f7229fda5a39a8de71d66cf6cfffb1112e8caabd63d78789ca92957d91905385273a5a46fb567841abb9dd4f0b3335fabe

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 26ad53f2518f3e78d38db279aa3a3b1c
SHA1 0d6899be0557e073b142246ceb14695f62600f38
SHA256 5709694642727f8370ecf595ee0155a2d2bb40d0d85477394b8e1634041f4e07
SHA512 dc0277324288dfaea8b9d152790c8a472ebb2c3c23344b12a35f02c5043fd4b6570f4e1f39041498aa06c8211a918906a420fd4a48213d27820f1bf69ae71933

C:\Users\Admin\AppData\Local\Temp\1000498001\zonak.exe

MD5 24e058c9c9902c772471c3280431f510
SHA1 314c21c9135f5c2fa76babd52ac7519ebfbb0176
SHA256 65495dc1e4d554d49f35e8f65cba9dc6feca263eae355304b6d22e9dcd07af39
SHA512 b005d12ec28ee09f6093ab5c352096d4ce647a9e1278362af24078a779dc499740e1b5da2147efec992c3076c00ad478f0ad1df5ea395280fe4e38018a921de1

C:\Users\Admin\AppData\Local\Temp\1000499001\pixelcloudnew2.exe

MD5 90545bedf42c17674f2a8e9b6dfbb50a
SHA1 5fa2df335f6a5b33717de64b7496feb9d1b01694
SHA256 53d720e1314fbd54b79ada0afe6a75e14e48e501583868d05a82350f6ab1f557
SHA512 33b975515456ee1cc6e6f321972c44683e95bcfbbcec36e2792a19e89e119d9f32be68df0ac47772bfdc56f784fc03a10e80af05f7ecca1886ff55b285c884e8