Malware Analysis Report

2025-01-22 10:24

Sample ID 240122-dalvvsfcd5
Target b7668e16e00cfa7aab4fd5833311a9d3.bin
SHA256 17e0f247d5bc524d51ffa9876da7a3ad2138703528fac3463e340ff938b715aa
Tags
amadey redline zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) legaa livetraffic discovery evasion infostealer persistence rat spyware stealer trojan xmrig miner
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

17e0f247d5bc524d51ffa9876da7a3ad2138703528fac3463e340ff938b715aa

Threat Level: Known bad

The file b7668e16e00cfa7aab4fd5833311a9d3.bin was found to be: Known bad.

Malicious Activity Summary

xmrig

Detect ZGRat V1

RedLine payload

Amadey

RedLine

ZGRat

XMRig Miner payload

Blocklisted process makes network request

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 02:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 02:48

Reported

2024-01-22 02:50

Platform

win7-20231129-en

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [certificate blob omitted] C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1748 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1748 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1748 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1748 wrote to memory of 2244 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 2244 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 2244 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 2244 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1760 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2244 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 2244 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 2244 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 2244 wrote to memory of 600 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 2244 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 2244 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 2244 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 2244 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 2244 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe
PID 2244 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe
PID 2244 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe
PID 2244 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 924 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2244 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe
PID 2888 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2888 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2888 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2888 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2244 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 2244 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 2244 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 2244 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 2244 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 2244 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 2244 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 2244 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe

"C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe

"C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe"

C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

"C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe

"C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe"

C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9957989F-708C-435A-BC49-BB18B97968E4} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 88

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 www.fleefight.it udp
IT 94.177.48.37:443 www.fleefight.it tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 141.95.211.148:46011 tcp
NL 195.20.16.103:20440 tcp
NL 80.79.4.61:18236 tcp
DE 144.76.1.85:25894 tcp
RU 5.42.65.31:48396 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
NL 94.156.66.203:13781 tcp
DE 20.113.35.45:38357 tcp
DE 185.172.128.33:38294 tcp
DE 45.76.89.70:80 tcp
RU 185.215.113.68:80 tcp
US 8.8.8.8:53 udp
NL 80.79.4.61:18236 tcp
NL 80.79.4.61:18236 tcp

Files

memory/1748-0-0x00000000009C0000-0x0000000000DC8000-memory.dmp

memory/1748-1-0x00000000009C0000-0x0000000000DC8000-memory.dmp

memory/1748-2-0x00000000009C0000-0x0000000000DC8000-memory.dmp

memory/1748-4-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2244-14-0x00000000012F0000-0x00000000016F8000-memory.dmp

memory/1748-13-0x00000000009C0000-0x0000000000DC8000-memory.dmp

memory/1748-15-0x0000000005220000-0x0000000005628000-memory.dmp

memory/2244-16-0x00000000012F0000-0x00000000016F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 f67d801c5cd84c5097c8ba49c3f36d64
SHA1 9f0de82c47472a99dcf4bac522ba16c3ca1dea18
SHA256 6761e14b95267d2b1ded644370b447111cbf0df1ec9c6a500dabde23954176cc
SHA512 65f891631efd2c62520ef1fff83499fe98422c61f6c5093a32ea466701366612a1650f982fc94ed9de47e3075870dcd35c2d476b59f57c659b5781aadbbe759f

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 ee24ae22da2d027f6002e40352806eb8
SHA1 cfddcc1361b0fea08994035f8eca090bd08f67d8
SHA256 8cb8b85d5e0621ef9cbeaef5cc31a5857d51f34e5c5456d0bf4e3811bed3ee53
SHA512 800eb69331491f6c0c781f9dc669481e9479b6dbf156078c1ff7fd3b80e2d1bbbaca31c515aae0c418203fe5320faa6fd4d3c6efa131a8e462704a2fa8534858

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 b926af0d1b1150627a53af966dc2ac02
SHA1 c0981cc599bddcfaa58bf7a96cb903970756a936
SHA256 a15bcf22e4bbca2111ee8c194b8cbf16f07f69c225fe78eadf8081a747ba9a85
SHA512 53658c942e1a9ac66e0ced4bebbc7b09c97a26e315352406d0ed91e142853ea0c2d71651869c1646d184b16f3392385bd4a99807d999fc8c03c14026aeeba556

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 c15bc8a29020a97a08e4003a05956877
SHA1 7ecedfbdc4d14f7bedf5ec4979051458103c7e0b
SHA256 007b40b86fa555a75f1a0946fb0f0bc9fd903d1f5a3625ad3d61120593e34f0f
SHA512 c2bb8b64670d7ff4688f1b64a9c8e66cbe59ccd52e8e9504658957ccb33b9266805396a9989d6930828993e102f53f9a99035b2e26c417449276f194c0060be1

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 fea6821a5b7b509c5f933aba61b7fe9e
SHA1 ddd859685b1a74a54c6e47e9a88e85848f7bc401
SHA256 78f811075e9a848b6c88c2335c0edca460fd50c94635fc3b9577045fc5c96d96
SHA512 ab57165bd80430099f8b810e50d7296538ec7abb8cbacff4c2f63fcd1c9f074bac09f1ce17385b1c7fa1488c00b02b213f1d10088103c6519b654cefabf0becc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5773db1447fa9dc00204724ea8027355
SHA1 24e3c2a851ea71cd8cd6906b03980d1b7289107d
SHA256 b8704b90c64e8b799d84bc9eff413f4c9a159bea4d6fcc73b710ed5fa695c5ad
SHA512 13a36108028b594f92e7d158ff82e52f9cddd18d319144b56edd3a065b5b1c6f78252747ae2bbb9560b7825703548935f741c7a154d0e8039ee0fa0a2c6560ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 18a3d9725e1574c5761ccba31286121b
SHA1 0579515b65506f4af73cac2c5a56676df1e78e60
SHA256 e2ba973415560cc8b5cc5bbafc856329d22b632914f57a43847589872a385d2d
SHA512 9d96c344b2b16edb00c0770e5e770eb085aae906adb00eb34a21736d49e7888ad6bf0c988d0073c5f02e0ca2f5e9b00df5bdaf7492d204dc6e38db1034f2f896

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\Local\Temp\Tar1663.tmp

MD5 f6973ba54628779bd0791b3c96a431b1
SHA1 b89ec9ba86282ab984950e5f2253ba4e03e4bc88
SHA256 a64dbd39bb86417a5229c3fe0fe9ab2a691c03b08f5823435dae709d45543750
SHA512 ba2f20a8f1bc058e310ba377dbf34423a947e08d069a56486567e10c2548eb0ff58a59d16248b161c89c297c201751cb90de7a0990d1d3a1a8324c54a1b7edf7

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

MD5 ea50786a0aaf6fce8c8b3408fe157b04
SHA1 49ed8e0586922759ce280c9003b3b9a61363c10e
SHA256 d68cef15167a20ae94fc26142935479c0db37c818bc294e4848299dfa42753fa
SHA512 e33eb8ea31b5cda72f43f583c9f559c0018f1c76246b6a33b63acfdedcdd842ee5fb7ab3990d91fbcb8dee699659cad1158f1d095165ceccd2bc6066275005c9

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

MD5 ec3426151b2d4cc7c2e809dd3b79c53c
SHA1 ee95d8a4bf07928a9a8e0f804be5ff1e88269297
SHA256 0f6a2d699089f3f55ad22f40489ae3165b9bbcbfb4b05c70eeaa2be9863b43cc
SHA512 f4cb734f96b31106be636f68be412bc8db9454bf52940e8e96f1552489f3df899668a783abeabc1cf9143a0e3e0a710cd8b1f7ddd99b42f40dd8b57a32802f5d

memory/1760-141-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1760-140-0x0000000000970000-0x00000000009C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

MD5 0570e8b92c6d2087b59a4e59e38ec32d
SHA1 6382aa9122ab3d3e50f62253517118c5f944a949
SHA256 b18305fa6f5d813d509cd7aa2e06e924b2a7ee389886fbcb64a5529625d96c7a
SHA512 28dc9882ce6da2fc69588b03e803d016ed1e2b579214efcea702611843653394cb9a62ff8162a89ffa5860ab111126c3aa5cb0a6989a94886e513c949b981df8

memory/1760-144-0x0000000002170000-0x0000000004170000-memory.dmp

memory/2928-145-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-147-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-148-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-149-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2928-151-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-153-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-146-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2928-156-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1760-157-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

MD5 9b54dfcf937b7be0238d18a9864af9d4
SHA1 ff4804908f964cfff302570f37a82fb80eba73b8
SHA256 c2780f65d5120c267e6e40a1ded9dad3059b616bbbafe862d377126556917756
SHA512 07a36b6fa2407eb48c249dc16850affa5ecd60b4729dd98a173d54593679eb78355dc5c3ff718171548b353723cfa12a3551856490dbd3b75828404c37e76d5d

C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

MD5 22420333fbca3625421d798c7992256f
SHA1 fa6fb72fc7955652bd742637c98e8db5cbdf908c
SHA256 cc8ef8aaf54bb68566f80f68062c9877e46df6533d49f1e433cbe505363a75c1
SHA512 75cd343c01749530287611545d86e3de5052588c1b9135eaac01a50bf6c9ee90f4dfb776b34f429a019c17b185e2b1e1e1197261dcd191598a680870207326fc

memory/600-175-0x0000000000630000-0x0000000000670000-memory.dmp

memory/600-174-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/600-173-0x0000000000A80000-0x0000000000AD2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

MD5 c11fe573692244976b5c187e709510b8
SHA1 c854b06c5937a8ddf2402eafd44e86232829b8d0
SHA256 d549fe111d6c423bd6dfd0763077b2fc017bf29046edc5622e409c888d8d9c00
SHA512 2f11a7a9560f30ea8e0e8f8b7c18802541005bf9ced14991edb1d0889379c620fc02109a9f2b02d5319cb0d2e93241dec2cc111a86fceda63cad83490460d74d

\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

MD5 901c5af8f3c883ab60b7835b5b149a89
SHA1 6aef68f04dc554cafbd5f8c3439ad454e1133844
SHA256 7ac357150ca69bfcb8ed9fb18075635011dcdb7acab86f171083afe11a5d0503
SHA512 21c10028a7c70440d833ee641d233faacf6887a1c01884d15d3ba227fee6abc58ad53466ad56d9e5286d171c8e9d51eceec8723c19de969039cb8dd7f4218aac

C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe

MD5 fb2f9da999c5c125d5ffe7789d3eae5c
SHA1 c1d234ce89eb4949692affaf63a086780933627b
SHA256 a0373b0992f50a6c200faed6c28f9bc7e2e4ee8a0209df5438efbacc8dfff278
SHA512 779fc5fd384918d6da3302db24af35a501d93c4ec908fe5194c313fee5b6a96b80ce0c7399a45d8f060bb6ff7e0cd1837625cb52ffb070d358f68c76e73091db

memory/2888-190-0x00000000046A0000-0x00000000046E0000-memory.dmp

memory/2888-196-0x0000000004820000-0x0000000004860000-memory.dmp

memory/2888-195-0x0000000004820000-0x0000000004860000-memory.dmp

memory/2888-194-0x0000000004820000-0x0000000004860000-memory.dmp

memory/2888-193-0x0000000004820000-0x0000000004860000-memory.dmp

memory/2888-192-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2888-191-0x00000000046E0000-0x000000000471E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe

MD5 9e9317ecb9c809031f5ac7a7eeaba1f6
SHA1 a88fd0bb17385749947ab2e93a4ca52ebe477029
SHA256 90cbfbf32ed7c43ef6e22d895551c1c4dec35b497e5197cbce6b034dba8d89a9
SHA512 0f6eca9b645b35a155e56a9f22e27ad3dec841c23d700534bfa613642ded8d9afc77ee58221c17270bc5e8360443d7aebf68c0d6295427147610f2a198704013

\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe

MD5 a038d27f27ea1d68592e34e97160fc58
SHA1 a196592160921dfd188c524965229ca87a7da013
SHA256 a0008e52b334708890daffe6dce78f6ed9b8ad3a773fb662c6bef5c8d6b61d0a
SHA512 f2cc516bf7629c273cfccb9e6febb5e74e3ac9b135554bcafe837250611cb7c7e0844bf3ee661dae6f9d41d70013630befee76d7b7d774959cff5f48cc0bf1e8

C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

MD5 2ed4af85c1f9ac802b7ea70861b65fd9
SHA1 fbde7ab4fc143bd721c9217ce893f435d001207e
SHA256 d187d7c9c83c2c3ea07d56f08c8b13f49a8fbe9c50bfd87df474252a3f280ae4
SHA512 315cf58d18476b28b7b74bf3825abc7c611cd1c2f1ee4242513b1c29da43cbadf43e3c00f4435768733f9e2c1242b7ebf5317156802c3764fad7e5df9278f816

memory/924-212-0x00000000001B0000-0x0000000000218000-memory.dmp

memory/2244-215-0x00000000012F0000-0x00000000016F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

MD5 e9d32b9f57d910816defc652f7bd79fa
SHA1 b68fe1c4427e7add4e543aed39a0f355c5671e11
SHA256 f9b9365ec54a458e995f7d45f53183021d8a1fd45f6c15043c22cef33d7672cf
SHA512 7e4bd17d2b309ec6aa72bb2a297c7729043c2c6b33cbddee00307e31ba83ccfe5eab3d5e076a33d3f0f8022425391c669a0d63a2f6775943145d5624467312d3

memory/2244-218-0x00000000012F0000-0x00000000016F8000-memory.dmp

memory/1616-219-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1616-220-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1616-221-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1616-223-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1616-225-0x0000000000400000-0x0000000000458000-memory.dmp

memory/924-222-0x0000000002260000-0x0000000004260000-memory.dmp

memory/924-231-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1616-230-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1616-228-0x0000000000400000-0x0000000000458000-memory.dmp

memory/1616-217-0x0000000000400000-0x0000000000458000-memory.dmp

memory/924-216-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

MD5 3c55952900b12dac36d6f6412e8c55f9
SHA1 774f50de761a43f8a0fd371f3ed209b76220d349
SHA256 f8777fb91e1f3b9a91ab14e7bb8b54750937a8f07cf129ca884754e08c3eeaa3
SHA512 5fcb0c048ef9e2fcdcc91158173b81960a5c72ace26bfdaa5cbdeb350184964d2cf4038b605a336a5500c9a237316a45c3b3a33edbf6b9dfe13cc2fd76a8e5ce

C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

MD5 406fb409ce09b641650362ee52d8995b
SHA1 6083cdaa56d756b657ea81eda759bd962321b094
SHA256 2665443087bc115fe36b749842e8711eb1a4f8dc922a87d230217ba9664db4f0
SHA512 ea355dfe9730867560069b43c7f08f5188b7e07ed321709932547ede499113562131d58752ebddd720023f0a8c44250cff06ce1dddc9a062c217d97fc6ca4191

\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

MD5 111dd0a1acdf3b22efa12b08ae28e1e8
SHA1 d51784f8ac73e70a520100c6060e2f516ac0ad42
SHA256 ead2eec2c92d322bb3425ad6432d62a5f0a5fc6a72501929ac1b3afd3f91d8ad
SHA512 11e5723d4b4f9fdf85a3195ed5a43936c299b297f88f12a415384a8a99634091172fc87fb81e0bcda0dc10cdd3b6bcf52f2ace01e92e15cfffa0f0445cc5c4d6

\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

MD5 3b589fe80c3aaad28883986a5962cf79
SHA1 a3b047542814547906c08c6f36f920eadbaacbf6
SHA256 69ccab8daad688f4ef5f582e7c5408ec3b0818b8954fdf565343dcc700341380
SHA512 e17d0b9669a00a9489079ce3e3092d69184b3af47044fbfe316bb7717662a40fa1e779e18fe7498c52644fd35ecfbcb5dc388fec3730507c09a28ddb78d75cee

C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

MD5 d66393888bc2e4a695bc03e8b8a377ec
SHA1 5d056fce9876a6ad965bc3a3acf1513d26d9be1e
SHA256 65ff39e9e17626482f6407937b02963e2576ae6f0f5226c5589c990082c8f602
SHA512 9e06eaec1d617a0b4c674b807cac20a8a30e9ed91a277aba5876e76309d33aebdca47935c104265c7cf2a9f91f27457bed0b6d49ac4f2e09cba584a03c734b4a

memory/2664-249-0x0000000000470000-0x00000000004CA000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

MD5 819806d0b5540779a935d3fa45698f4a
SHA1 99a2bf758df8e9e7df20a9c31e0dfb2f80f35e5c
SHA256 70e05342b724c0bce02bb6b6251c4ad2e2f571e05a46f42b78769c87ff8158e1
SHA512 e8c5a06b9fc9681532eb740c0fbcf3e1811c9aaaf208d15e58e5d225cf891ad91896871a187d9d8034e03a223dccb89cc6488b9cb06efd4c862096dbd298a096

memory/2664-254-0x0000000002190000-0x00000000021D0000-memory.dmp

memory/600-255-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2664-253-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2888-262-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1732-263-0x0000000000F20000-0x0000000000F28000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe

MD5 e21bd7262e432c861dbd37965bf3b3df
SHA1 3c90db2c0cd152b02e0b496c2f2a35b1e636060a
SHA256 a8443718a01be52bdc068ce2899e679fcfda87778da5e53138744977c85d83d9
SHA512 68fdeeb53647c7d2feae8a28f1db479bbf0766d841ea215178e6a4f3bde33cdd76aeaa26eac411c8aa8841e7eefcc287680324364783a0d8349872a38265c350

memory/1732-273-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe

MD5 df9a0c954f8d091167080b4532efbad5
SHA1 f4c1a5ad1dc01d55b65662fb35c56f09c2bae2fc
SHA256 6df7e3d897d321892d05bfe386dd98bf692d7b96d32584508e9cc5707a255ef5
SHA512 657a1210fa7992338f997676b8c0fa48e9f9a9671ae0428379852165bd9be1aa17293e8d0fdd75203f0be433199059a093f7457f8dcd9f3653194408f86b3f27

\Users\Admin\AppData\Local\Temp\1000515001\322321.exe

MD5 e173544398587075827c80da381bccfc
SHA1 5bb778226020f2659ead1fa1cfb51b144a5ee556
SHA256 576126597567a9eb2b3ec92ad2b6b3244e863e7da8b9cefbf193979ad0c822f1
SHA512 504727ea306951d1b51133af9e3754a03cac00564778ca49183fb90d2ea1d1b31f0bb4f7bca2ef0fd83ef9775d34e4449b11605cbe804dc7ef73f36023d05144

memory/2664-281-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

MD5 4b5ed71a7351419882d19f4b0e377876
SHA1 fc025c8962a1d89cb2eadbd11da3f1032859692c
SHA256 bb95dfd51859690c0885ef3bd168d57ed97a86a39c69ff12c5e8aabfcf49274f
SHA512 ea2137303710e3647f367976cd7c75feadfce6e06354f60fa2f1fd5ee5710a25f82cfbb60f02293888ce330d7e5a7242adf226bb29a091f5277ce238ac0dcd40

C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

MD5 3411886e91bc084293407c2dc85ac72c
SHA1 a7119c17e7a6fbfb5699307093e576af645595c1
SHA256 ef28a1dbc29d52f65058fafa9a2ba3deb5e657c25c746298f489f350cb1d2cae
SHA512 bac1844f6ba79394acd500db99e25f41f97ac83cf04d7c555b3e2c64ba32a38f3b473356a404b15093bc34ccc84f809b8f8a9aca9baa88ccd6e86ab9c6b57bce

memory/1604-297-0x00000000009A0000-0x00000000009F4000-memory.dmp

memory/600-300-0x0000000000630000-0x0000000000670000-memory.dmp

memory/1604-299-0x0000000005060000-0x00000000050A0000-memory.dmp

memory/1604-298-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

MD5 0830bf977a575d9922f9e77a224d510c
SHA1 cda62a171ec74011f7145b0839b40db16aebc64b
SHA256 5c90e400c3bd0d13531341bcd87ee3b23fc969f887ae2f0a59be73d2ebff57a5
SHA512 4720f91b5521d7e568159ab1cfde9ac7d1dec3d4ccab4429be744758b422e65afbdf812b01c4481f6a7eac2ad237f8b6af13576e9aca89ab009ff2691ac6fc93

\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

MD5 5afff85af4900d5f981580d6cd5d099d
SHA1 f81eb00c122187cbe1e07bd36af44e2e1ef5375d
SHA256 e3e5a63356b4006d733900906db6b4e68e3579b743d0a4979b730cbc8f32e8cc
SHA512 52bb4a1ab38fd8fbe900b8a5205bb5ae831bb3962ed6366b9365b78b17d468ba54ad0a024065ee16bb98b4459ebdc6a6a3ee422c5366b5bfb7600e8cf1244e48

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2244-309-0x00000000012F0000-0x00000000016F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 122c0ec24b6647968cfb9bde52f60db0
SHA1 f0bce2517d5db29e0d13cd6296658e02f999b4d1
SHA256 eafce50b8de91981c781e30868c85340250ace771c2770f9c9b3d141bb5950bf
SHA512 b6f422a277e4cc67f49117e6e3080c691dd1067ba3a08af2ea352af5765ff2e23db876feeef6551395277da2314da676540629531b4a1e4e2b5daeec5c5a1c03

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 c46e2c245cb661ae41b90e33ce268b8a
SHA1 43d63278533126117c1b1fd45f513a266ef5d05d
SHA256 2278cb9a19fa985d3c861c0b2ab9051adbbdbd91c7fff7f803f203b3cca150d0
SHA512 fad5a9344ba4345ec15c4ebf47cf61fd8ed1979d11c65ea76e13a814de54fac7ebfedd3501454f60c1ea49ffac492a067502a7754d5c60aa391d7297ac4965b1

memory/2244-328-0x0000000005A80000-0x00000000064BD000-memory.dmp

memory/1900-330-0x000000013F0F0000-0x000000013FB2D000-memory.dmp

memory/2244-329-0x0000000005A80000-0x00000000064BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 835086c6a1f042b9877b44ac4c7a3040
SHA1 b9daec71ed5e804f3cb44bfa4714428734e9447d
SHA256 80e7f0f72a3136d84f6b4c2273c8681ec2281b19c6757ad7fc9c8e1b76e484e4
SHA512 dd8eac53716f545f94b76e4908863fb349a6f833af91afbb0270c37a3f5bef1fd6d4145213cc86da9754be399e506793a563be987af6a8c654ac5043c76c17bc

\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 cb95fd2a977e970b0d2a6ae8fa3997ac
SHA1 acb90db99f781205c1251937992e68ca2e9d0a41
SHA256 194da4c35060d240c65eef66c76eaddef30e1c673096e846b4af1dee1944a214
SHA512 40a5e5ba40aa4a6d5ea2de2582c0b4fa2d04b7ea231a69ba3aee0eae9333f4b63b4db6a64cdeb0d259e25b2467eef1d340e08e7fced60e7f5d18fb328ae905a7

memory/600-337-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 9cdd7cf7b8a5f3b4ea2a911b17bec617
SHA1 eddb82b0e97e2b6866a90c035a75cf5b37772ad8
SHA256 240b49485a0377a846bc3001020ee1f84804ed9c3d878a8035884d3fdd888502
SHA512 56beff209936b7fadd85ef9914c2e5d072e7a79db4cb729f9f487bbe39e67b40cd707c5c5c4054bb6900c94f9a6930d23532c7e34b51d171b083007be3790f67

memory/1736-338-0x000000013FD80000-0x00000001407BD000-memory.dmp

memory/2484-347-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-350-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-353-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-355-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-356-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-359-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-360-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/2484-361-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-362-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-364-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-365-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-363-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1736-358-0x000000013FD80000-0x00000001407BD000-memory.dmp

memory/2484-354-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-352-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-351-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-348-0x0000000140000000-0x0000000140840000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 18fe27ab3518108c0c5777cfc15e868c
SHA1 f2c1c9343e65faeb084e8f8fd2fa40775e96117e
SHA256 62c005623532b917c6038ceac9a571021560d68b3962bfc11293fbae2a1e14ab
SHA512 e3c10bdeb9abcea6435848c763b815dd3c9fccd0616990dfd85a682f701578acc53391e08067c71b6466451ed0d843dc93168d8e1db5dda973672c4b90e90222

memory/2684-345-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2684-343-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2684-342-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2684-341-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2684-340-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2684-339-0x0000000140000000-0x000000014000D000-memory.dmp

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 7d14f259d1bb1267c1d965b9839abf0c
SHA1 a0f0875c4afa5b7e9e59823cc6fdeda5bfe0c8e7
SHA256 9ded2e234e8390fe25792b88c744ed53cc32b894c7f5bec8cf7c3340030c1db2
SHA512 33d27e77109a66f274d4c4f83c8eb26bb00d2a34075377afd6992d36421569993fdfc65729a25bc6de87188d1610c5ce531de2cbd6c3e280c8cc5bf78161498f

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 222c043c66c341c3d8275ea2b829d6fd
SHA1 e7ab8717c426a8fd1a4d8dccf6516617a4be441b
SHA256 ef8581520e130ebc05dc086dc4dd242314a5cce36171e414576e71443413d3da
SHA512 6c861fea572b1cb7ccadd269d40864fc9475d41c0458ad91c0ff5cdafaa7ceff64c1f8501e6bb25c7d57161581ab28f8943c705e8aa1750aa670ad5daad9c949

memory/1900-333-0x000000013F0F0000-0x000000013FB2D000-memory.dmp

memory/2484-367-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-368-0x0000000000450000-0x0000000000470000-memory.dmp

memory/2484-366-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 03f1b1afc507fa50cbbd68306a632749
SHA1 0b028e46c50ba2596efa001baf87e6bfe493b167
SHA256 50d9598d9c4c1d7f97e69156fa1fe63c155ce58880968499a6de1efcc1d3346b
SHA512 6e865cc2b8d58b9cc9e86f6fafb14d493360192b802b98986755a927f94713081e6dfa860226c5db3ca0ca0e498c1ca67c08df3c15700c5051afa9e45ab974e2

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 a12a28126ebd42fca5aefdaa48952419
SHA1 aa5c848c09dbb41bfdab97fa694a925e9eebe110
SHA256 bd24112ac9dd9266770cf69aa31c513673dc7e68ec43c9713574d41471aa2008
SHA512 31dc0effe5e95a9cbc49292a953df31a5eb285c2c3cfe5003c7923fce1baae672c3bb9eee47bbc1285f25c8ed939e779c8220812994d584e6a5df90fa99b73f7

memory/1596-384-0x00000000008D0000-0x0000000000EF0000-memory.dmp

memory/1596-385-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 42f54ef66cfdb5538b99a8b70d2ebc5e
SHA1 4d241ff68e5a399f21c016927494029a438c2573
SHA256 35e2c16c44bfb2adae54c51cc83c494fa74ee22cdfe331e6c9c0698a1f037a11
SHA512 b5f8b6f3ed3f2453ffffb78351992d83b8d593fd91480891e01db0558d31e4e766ead4f9db417f6cf3b91115f5f772c6668dff719712f7860eb3920523f6f1bb

\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 fd963c52b3079b70d5eaedd5241c4d65
SHA1 b43f3df6dfcd4d19c460be2f81ee38e91067dfff
SHA256 7d97b3b6c1a760446d493e86bf229089fd1394d22fc76f368721188d482d05d9
SHA512 624680608d372a1b3d7df81a790a0556998bc1b24d74561a2bca83edeb522576074c2861e0434ad3b777ba45c0ab94b9b93bdf19d83435a519c7f6215b4de49b

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 d8e0a998d3cd08e1d887bff6bb68fd71
SHA1 065105e643ccccc3de8177dbc4762114a2978f51
SHA256 b1947e9f13032f1205568593e0fda2a7d30d8f3fd74e50f9a01f9d2f993220c9
SHA512 05dbb9e711dd69bc24bc8868a009b8530cdfa84d813c5ec0741e68274d9ca906059a8d6df98a4460bc51af5e0c620eb5d156dbee7376ae324b8ed5ebdbf72702

memory/832-401-0x00000000013C0000-0x0000000001424000-memory.dmp

memory/2764-402-0x000000013FFA0000-0x0000000140235000-memory.dmp

memory/832-404-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 09963d28cdee175868b16ef07a763124
SHA1 f0cd5f7f37218ea54ed76048724439cc22938749
SHA256 42e72eb2f68f0a6f3e414030eed8d3011b23c6a7fadfe7ffc28bb2d3932e6454
SHA512 0a240f51917933add6c47bc15fcce1dd38f2fe19276fb31932d195146114f57df65c5705e629e4308c53ad40df0575967374614cd3132fd54bae94c80880aca0

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 6c04de01281f5df50046ea62671d532f
SHA1 b40b925d9f35e9862e35bbfcef3b510591685f65
SHA256 c1f0cd14e728a30b03df11949bcbe93ed6adbf212c13512c974e82a539363222
SHA512 468dabe57c640ff8a93d933777536d0ec18d74b3fd5af554a3a11fea972c8cba8fe2aeb766e47a8a09c5caea0fa562a63c0a1fac811318e7183dbc987f60c3b3

memory/540-407-0x00000000000C0000-0x0000000000112000-memory.dmp

memory/540-408-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/832-410-0x0000000002830000-0x0000000004830000-memory.dmp

memory/2356-409-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 7d60bb9682e74de56b31c6c1cb726ee9
SHA1 eb60f9d1e8a5667d289abb63460cf7bdc760dc94
SHA256 4dd7af13a07d3b84676563a150b8e2f930ff2dfb53d7cc4af4b5c6136963ba9e
SHA512 e35f91cec6a9285f3fd5ccb487e87527c95c97086e3f16cd9bab12041b35a3d8bf56de38411a02c2bde910945e202fac04084441af48a8ba1c006027e3c3aa98

memory/540-443-0x00000000047E0000-0x0000000004820000-memory.dmp

memory/1604-450-0x0000000005060000-0x00000000050A0000-memory.dmp

memory/2748-454-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/2748-455-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/2748-453-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/2748-452-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/2748-451-0x0000000002120000-0x000000000215E000-memory.dmp

memory/2748-449-0x0000000000490000-0x00000000004D2000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85bd10cd42ee016d3561187576ecd945
SHA1 c68656d6dcf34ca21beac0879c4211c318aa7e98
SHA256 da76bca9d33f14da36408caf7e0d61041c5e06cab30d9d4c303d4232d401892f
SHA512 5eb456dca8522d01fec68a3486ddd0bc24ef5c3a2bd2d118cba53df46646d0fb38a23bfe9fbb1924ea68dc08a6adeb84d577f5d1f49b0f460cf9042214f878a4

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 139590060fd9eecca9f47d78650aac04
SHA1 9da597cf3011729d40581e042ff44df4d8557ea4
SHA256 e46942f4eb80734f205d2982911e634a507679e2ed0f1d54a3f649d2923dbca1
SHA512 3cb1eb08dfcde7ebab1e0e9ba04da364e31c4d826e9a00c83da14d6d46f9340c6442874dd61c1166ab1aca08e1eeeab2e644c97c87498e96b2d51a4b8a253ef0

C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

MD5 612e7aa8ab411f1ba9b61764bafcd29b
SHA1 7e72a0e1b3818148c68d9e6af6037fdb9d5440f3
SHA256 9c0ba7f058835d09e3f2895281f0c1ffa5b118e5bed23ca158920ea6c3b5bc25
SHA512 63b848eaa581203612eafd7742d4b6206a19b4448552b6da24e02aa23a39a9c607f7011dc1c046939e520c4e0a86fac47ca49e3171cf03185e1b8ec39a2225c4

memory/608-485-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/608-486-0x0000000002280000-0x00000000022C0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

MD5 b0d8873a73af52f708a3edd2f0c646d5
SHA1 00a564a89caac119f667b2a9c6a16b5ed466f271
SHA256 2cdd080843c92278e52566a656da13844232cc14c11de4136d5c1d917a2d10f8
SHA512 a1377acef712ea7c9650c8696dc8ce706e9e80c35dee7cb79cb47b5a3843c403c70012a6d24a98df6b2a1982593eacf2eb1844596feb04388475f91b45f1608e

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 69f756d45520be915017d7108ef6a392
SHA1 00fb638bee6657185827b8b37256c0b10971d6c6
SHA256 5bd05d7800a95c093cc9dac446c6774520818d3b8bf92850bb76fb7ffa5f2d2b
SHA512 8f24f348cf729537d53c5f04b1f2e38597ad0e37d9127311a2ab513bb2311f2b7a52ffd5315ae443182e623e568ab2c617d7ab720caa33cdbf4be415f732c21b

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 5954b26b32e7a5b770697a3cff355776
SHA1 2d0326ce0407113d5b1600a100b62ed0db6d2a00
SHA256 b014e2d5e3f0488db5c7ade30d041c3b655e700722a0ad5177d64c5aeb74d8b2
SHA512 d27637248d07f789d3079007e9a1d73e03ebe8528d2d206f027408d61236802dd07e81487fbd9c5e1e0022171779258a73f74574c2b3ef862d390057e4aff947

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 9a1063265cd7264679fac73b9ae93758
SHA1 d960cd15935165f41905e089cbe8d8f472d3b816
SHA256 a6fdd8bf6238988debd505cb0adf4a502f04e2c7948e12ab278277becfd7c41b
SHA512 6cb0eb92a520f928375c76c1b165729e0ebf01e9499e2440f119ac66cdc6dd8bd496503bbece989c49aa5e3aa010bce7a0b404d7c7601a1324cbff91d8873a46

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e2a3e9251a1f86a00453e5512d2df705
SHA1 ddb17b7eae7aae5665565538f09fa986b288ef5d
SHA256 06d2580acf06c6a08fb4fc2f7824231f6c504c66668f82a5619660fbef704e46
SHA512 628545e36392e6ea8a1eea78983b0730c16064bbb56409d033c2a2063d0582641345e7509e541854983a3f0d28b0d6bb9917ac6ef0748a1adcbc0aedd7e0d465

memory/1604-456-0x0000000073DA0000-0x000000007448E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 3787248c46c683a80811d938c0c4ab53
SHA1 3196811f29218840e6c812669a7f80b059ce346a
SHA256 2ac1a8e4aeff0bac38564ecf135e2a343c9b824e415428dcff3539fffb8befa4
SHA512 a64934229f08e30f18ef881f4672cd083a1a2b3ba452751dea8f143edf7670d196b53b871e6d162fa2f9c8ee1da85ee2766bc049a95995931f27b1f651028e55

\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 8a23b2791c7da5c8f2a73a4e23c672b8
SHA1 8a0f2506cfc88f994cccf2f07aac15f53a304b0f
SHA256 131e2d422aff29082e8b487780421076710f7755d9a0655ff8a5adcf7d424253
SHA512 85620a69f8689b597f7a439aa77b684ccab9ee39b3d42cad42e29db217355e3767405afc01b502d2c85cbcd45eff19ec0a5c4465c1c3d8450af50111471663c1

memory/2356-444-0x0000000000400000-0x0000000000454000-memory.dmp

memory/832-441-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/540-440-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/1604-435-0x0000000073DA0000-0x000000007448E000-memory.dmp

memory/540-426-0x00000000000C0000-0x0000000000112000-memory.dmp

memory/1732-423-0x000007FEF55D0000-0x000007FEF5FBC000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 26580fc42028fa3e3be5d4cdc69a6743
SHA1 e44f7b51637d7d17e27fe4e26c0d7784184809fb
SHA256 48339d37a23bd7c434a1aec862697b34c904c2d7620d2793f68a9953ae54b60f
SHA512 dfbbb2b8d751cade105dc20a94a649b736b8e32417ffd1e5745e1d042764ad331a0578e4ff7642b151a8408fdd3ab4ee1b95f274244f0c04abd004925fc4d3b9

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 548e329adf3e40f22d433c7dcc3313ef
SHA1 6001a348a71063eb16b0d4c71c7bcab3ccf109c4
SHA256 85f25112dbf7a1b2212d8a6c33813206fa8af9df8747af55d50d4c2ee54b1d36
SHA512 a0dd65068cb85953dc4968ebbce0274ec2912c25e01a236b0d5dbd8fe90728007b03b1e098e79b21375700dc54b9d05bf4355fa33e3555b7fac49843285b3a83

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 babfd14cd26fd9fb6a91ab5f4017614e
SHA1 6a5270558b89afd8d7f367c384bfe0521e6ca236
SHA256 c288378eb369457d330b8520b084d8bcb6e2d47e6728e0c8bdff9999d228d06f
SHA512 2e8844eff20273cdf6409566f274cb01435f23da26fa0935e4e6d364c344f6241e7866f7e660b58e1468d40213c89f6d799a7f8358d22b2860a41ff240d6799a

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 321c2eae8807d089d266a0f2981c641c
SHA1 7cc4f1839d94a1c70c8fde45491e49023a00c2a5
SHA256 f35b04125c0ffae10f813e5d60db7b0c5fb577ceca86ab576d4dd245138bc64a
SHA512 9a2df7f2015e5c679d4ee81c1e6851a024ba47a51c3c246a6ec77ff6b9e9a546951ef83d9d44d313b532b03f03b8920f293651c64fe48e715ef4356ad1c136ce

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 02:48

Reported

2024-01-22 02:50

Platform

win10v2004-20231215-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4400 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4400 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4400 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4824 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4824 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4824 wrote to memory of 3860 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4824 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 4824 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 4824 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4896 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4824 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 4824 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 4824 wrote to memory of 4804 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe
PID 4824 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 4824 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 4824 wrote to memory of 4684 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe
PID 4824 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4824 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 4824 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
PID 1964 wrote to memory of 4664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 4664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 4664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 wrote to memory of 3500 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4824 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4824 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4824 wrote to memory of 1104 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4824 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 4824 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe
PID 4824 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 4824 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 4824 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe
PID 3500 wrote to memory of 4092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 3500 wrote to memory of 4092 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe
PID 4824 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe
PID 2100 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2100 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 4620 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 2224 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 2224 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 2224 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 1960 wrote to memory of 2224 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe

"C:\Users\Admin\AppData\Local\Temp\3954d6aa2f5fdf62fd9ee50c08eb85a4a3efc7393f7c9ef930bc38dac4ab7366.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000508001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000509001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe

"C:\Users\Admin\AppData\Local\Temp\1000511001\legnew.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe

"C:\Users\Admin\AppData\Local\Temp\1000512001\crypteddaisy.exe"

C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000514001\flesh.exe"

C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe

"C:\Users\Admin\AppData\Local\Temp\1000515001\322321.exe"

C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000516001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe"

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network


Files


MD5 8cacba16b3f7ee63792f8b57bc414da4
SHA1 13edfc7e3e20510fe01e0c9a3ef36a7cad30648b
SHA256 7f169e132eab352cc666678168b2f45c582b1abe28976c0ccede01daf3c0a801
SHA512 9df6912daee85b364c85d020c94874f9b9eb194b5fc686cd215640c16d2fc7f378a26145e8965535c4c5c19f6289b0199b76d7719dd72295a3c6cc623b45fdc7

memory/2624-266-0x00007FF68EE50000-0x00007FF68F88D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000519001\Miner-XMR1.exe

MD5 b863452967b7c38053d19c75e15e2142
SHA1 3299777abff58d2f67e413aeeac627b013bee52d
SHA256 6c4992147faf6a60bfc433132d7fa5f9d4742cdf78768f8109904d371f032cd9
SHA512 1ce5ebfe25640ed7e4c502b45bc1e23c69ffc8e4076d8155d658af8403fa5f6a97f6ae376d54e2c8ae7d3c345af1723272906d9d9a68af1c39d0cc8d8872ef05

memory/2624-270-0x00007FF68EE50000-0x00007FF68F88D000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 ac858ce94871cdbd1718a54d45df7fac
SHA1 96d4c587b6b7676e67efeb6aa6a8db061b9ade0a
SHA256 88c840011c3a086c808a5a4e6ddd3444ebd97a7bb93350d98ab856049c53281c
SHA512 5be8816d59811683e12db27ea4b736ef18ad767fe4de31874310c3862d52c60da23866abe0187b69edf40c7073a2d9c26ab7448fa41ac291dcc7f76312cc3f7a

memory/4620-281-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2224-283-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-282-0x0000000140000000-0x0000000140840000-memory.dmp

memory/4620-278-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2224-285-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-288-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-289-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-293-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-295-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-296-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-298-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-299-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-297-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-294-0x0000024AFC500000-0x0000024AFC520000-memory.dmp

memory/1960-292-0x00007FF7B1230000-0x00007FF7B1C6D000-memory.dmp

memory/2224-290-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-287-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-286-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-284-0x0000000140000000-0x0000000140840000-memory.dmp

memory/4620-277-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4804-301-0x0000000073400000-0x0000000073BB0000-memory.dmp

memory/4620-276-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4620-275-0x0000000140000000-0x000000014000D000-memory.dmp

memory/4620-274-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1960-273-0x00007FF7B1230000-0x00007FF7B1C6D000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 9b9f08300fe6f18a220c0c123411e2d7
SHA1 f6cc8052442f0728a5336802c0083c689456396c
SHA256 9d1418261538645daada37f82d6c8cfba46eef97da0cf341190a92ff9d3ca84a
SHA512 909660f06aac234045a09c4527fd525a459f4ee2babc922d4420d6e2a413cb619e82e77bd8fb464d77676cbc40442e7b9f5ca8b5b037bf0ba851279c65d52415

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 65392b9314cdf10f388e3e4052fb5588
SHA1 68ab00656e1064fd5ac12b4521c7a5c93fc2e894
SHA256 3c95314ced782f5c021cec71df5b273ff971bdb4daf762105a2a8518ea52f5af
SHA512 0c2f0da9eb53e9d8b75d8a2a35998948dcaddda9377489b3c413a1aa9ca82f4633212e465ff959d0b4936cb75b2875b2717a6d667268611b4235c5a7a1c7a72e

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 d4e417daa13b5b10cb28b95009df5d0f
SHA1 ce439f7538210d8df1abfa9b7dd9a8a1dee916e0
SHA256 a3c1356d88c580d7ddd42b85759516ad7ccb8464c45cad0b06bcd0b76af4d51c
SHA512 2b695338ac2f5c9052076c29c84c242f9670ea7a76feadfbab4d2fe0115d0857ea4fae9e08e55fed8c42acd9d23928ce2e75a73207d9fd6cc3aefdc5bb580976

memory/2808-321-0x0000000073400000-0x0000000073BB0000-memory.dmp

memory/2808-323-0x0000000005690000-0x000000000572C000-memory.dmp

memory/2808-322-0x0000000000750000-0x0000000000D70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000521001\store.exe

MD5 5ed818b7f6fd404477886dd131720c12
SHA1 39b2ea694bcf9d7de25ffcb0c8445e3f4dee70f2
SHA256 3e0ede888b5a56d2dc794c86f177f2a5b2bd693df0c78c15214c2204ea07db7f
SHA512 12986a39f8f5c970873ab0176ba39f36e2063fdacc4d780d1e49dbdaf49719a8503d9f975df6049f3346c748937ef98256bfa93311642e51ac5e69b7c4a6cdec

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 380838785d16a328b2566731d8694f2c
SHA1 becef63454c5e03f39a9138e44a9c01d38aae31c
SHA256 fff2c6581218a165046c4e863950d3d1d89ad6f55cd55496180183cc777edc78
SHA512 42a16bac4405f07a4f49f83d9a5ec15076a37d587f3673d7ca5c80cab7205967b98f6e5b86efceab36cc80a23bf47fcbea11e45e635e9f0965460ace50a8e773

memory/2800-345-0x00007FF6BB070000-0x00007FF6BB305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 c2f6d54b35f6e74ced4da2694b92cd95
SHA1 47f7bb89f0e9a3f985cf2b1ee97fdc20f1622d69
SHA256 2021a8a3239cdc8ade0b2290f4518eb255b5bd1f9aadeada128f4801d111448e
SHA512 a5793560ae64aa6f794bf6616827514ed2fedbd257c567a2a9fed02b76680146f59bfa4ffab379bcac0bb8bf114f39f9312a8f3d20bfb6e0711086ba0458ccc7

C:\Users\Admin\AppData\Local\Temp\1000522001\gold1234.exe

MD5 5ed865640766f69edfa31aec048a129c
SHA1 1a3dd6dc9d9f3e6d1a90ae52f5f61bdf05e22d56
SHA256 6aaf79d864f12cae8771360c2d7e508dfeaa1aa5776ed9bcacdb264041248589
SHA512 85eea3b2b12a47ebc94f6be1d42c89664e013760b421f8894c9a2b6bc51378c54168025af61f6d508501f2dd1c28c2153675c938e55bcdfffdfd17bdd0ecbc15

memory/3716-351-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1816-356-0x0000000000B00000-0x0000000000B52000-memory.dmp

memory/2800-359-0x00007FF6BB070000-0x00007FF6BB305000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 0ddd11f8a80c031b79abfbffeefddfa9
SHA1 d64a4acf7496966111e43455399f95f0ca9418e1
SHA256 18ead736b56caa817ae21a3f41aa9af8f291c31be9c3cc3d7f6a798496e13b8f
SHA512 d10799378e9afe94ee056b8f01eac4dc3c55dc16a7ef0fd253e68da0d44b8c638e4b8f504e4ae75dcf3d2d5aaa47380704daf42bb96241f3464efa839311ce61

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 4e5d91a42f0f24542f9ac17970acdfa6
SHA1 cdd8aaa4a91be20c741ef544e7d1ee94f37208c5
SHA256 acb62e9f16a42a55b9cbc0502f1577a400722b69cddd3ed760752ad49cd6a545
SHA512 b3d185c75af6f64200be3002349c00599bb3455b9930994bf5d17e4ef8904b1afa7003babf812f3a7195ce40c2bc368ef184e1759d3d36a856f0f33ce3c8c7ed

C:\Users\Admin\AppData\Local\Temp\1000525001\leg221.exe

MD5 043d13175c414ba29cddca0c8e8d60b7
SHA1 c4e3fa2bfc58e55e46a414cac79e2ef8281e1b3a
SHA256 5f6e7d877eb45281427ad5354ab65396f0619dd93d238500958d13076d791736
SHA512 bb3f48819934bdd613c3cae95a5cb4d90d545e03ec1ad9119e62443640b72675351192abc5c7806998614abe4d2cc30d7f531ff9577bfaf6382326d28ffb86c2

memory/4824-383-0x0000000000120000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

MD5 fe8c844ce75ac789adbc175bcae49204
SHA1 69585592fac5056dfcb9898a1f6f6cab8595cb41
SHA256 d2ead0c069eec568c4b925cb908acfcf9859303d80e26f653691d719c1f0b3c8
SHA512 6e2ada8a68aae992f1e764ec4cdd244e213271ed5336426bf4bedb53ba6c40f77782282816d1d9fb37bad0e09a924bf80bad2e0e384a1b03b37a8051dac1983e

C:\Users\Admin\AppData\Local\Temp\1000526001\leg221.exe

MD5 38d4b4ba1611a1f228c06232dca3f20d
SHA1 362122c757d5876c69c7c114cd3f4d048b24c6a4
SHA256 ff1a8e0c3b5b2d81abe038f44e7f796ddc3cb77d699a255369c39f14364a17a6
SHA512 7c8866e7763fef960fef392525a2088f55013d2948b3f5c4e2020fe24ce4c8bdee772a8c1610ab00dbe44781a832da4cecc19a43829746c67afc3d57f2a188cb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 27b0f10b4b3926847015baa52eeee7ee
SHA1 e6b47f9833d54f2dc23e29fec334cddaae840f41
SHA256 c33b5233b256e8c573f6570519d5e816eb0f57a2b1b5a6246f4094390542683e
SHA512 0831e5a3eaf88607e8c613d32d663c520d6354bf68bb5fc7cc92eff285f7c9b89ba539d2a52b28d5ba5db870c8b98410337f716865f21898251892b8bba80ad0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 0fabf90386155218c8bc646e72093b8f
SHA1 3b2fbc3efafc7606e5243a1d075cf81fa4c14be0
SHA256 87ef52664a65d64a4705cd77307fc807def0d0d00f1bda6c9722fcc0eab12b54
SHA512 81a2f55e7e1faae328926128dcc1bcea2dd96a00a70f88bfd2c00a14f99a3eb741ea39017376e0bb784a7c961b4088e53309473bca2c5a36cf36cecee39a439b

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 3bab7390418c217c356e23f68fd4e98a
SHA1 8614e15abe14bf4b893ee09d09f57926fc791f2f
SHA256 e0d750a2a3b68c14930547a4b5b1105109f887fa6fe50677ae2187e457770ed4
SHA512 a52eccc6947720a77b9b07d9ce805ce92970c2e239cafdfa29a0670d6dfcb9d8a7acfdffa16af0ee9fe1f07f71c5f8e0d4687ddc4bf88790220653b683fec0b9

memory/4824-431-0x0000000000120000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log

MD5 dc98d835b78a2b1c32a0a1743d639b96
SHA1 02cb8b728270a2f1e8dc89b4ab48ff9dfc59b9c2
SHA256 494b72088e8abddb47547f005a33a2a978d150938aedb4103e430ae972517e53
SHA512 0a298142e605bb3e6f75d6407e8fa3e571847ade581af8cd5f48851b13640d8ad303f268f506c1076f181d950b31843cc7866686fcd9b4b20af25f081e3aa2fe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 2f4bcf2b9336a9e6ca47abb8c3372c63
SHA1 0c64e6a3b12f50eab19e17f5679ed406895b301c
SHA256 747f2fe00f5395f750fc3624ce446e4f9768f7aad602f4333aba88be42d984e9
SHA512 4b0099f4cb32133bfa88ebb9fdc871a92a674b8fcca93cc9dd0a082269dd95d6884571762917b05bfb8dc523a3009b39929f3d41dfe9cd115000285cacc5eb4b

memory/2052-439-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-440-0x0000000000120000-0x0000000000528000-memory.dmp

memory/2224-441-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2224-442-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 5328d3b35ed23b3d43f9a42671d1ff7c
SHA1 d11a39b36c4cec7f5ebbe31d820b395b0d8b4e3a
SHA256 3c04b9ccc9d95e7b6bdd50049dbe78cd6c67bcbb20f0c60291a49d63cea7890f
SHA512 b843093c8a4b20892657dc1a94fb3cda2b68672300a45c976df95d811b561fc3287f57f9814e2f8c759003874a1e80b1d249b5afd15c250502c048b5282c049a

memory/1964-460-0x0000000000400000-0x0000000000482000-memory.dmp

memory/1964-464-0x0000000000400000-0x0000000000482000-memory.dmp

memory/4824-467-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-469-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-470-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-471-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-472-0x0000000000120000-0x0000000000528000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 1cb30d6b034e29d6f24ddcada52e3b6f
SHA1 f32e2f804fac001904020f7ff94175b7ca65fa7a
SHA256 049a6df5f5d15fd77b5e9dfc4fefbde45f90ca1e9a55cc3de5caf2610a6efd16
SHA512 2390fa2c0fd25f9ef019adad04ab96cfc6155b4c2607620ef30393e0a99ce2b4b32db945a4ebe00cced24ad988cf2979f7cc61762addf35963275bbdd754de49

memory/4732-477-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-478-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-479-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-480-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-481-0x0000000000120000-0x0000000000528000-memory.dmp

memory/4824-482-0x0000000000120000-0x0000000000528000-memory.dmp