Malware Analysis Report

2025-01-22 10:23

Sample ID 240123-csezlaffc8
Target amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe
SHA256 fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
Tags
amadey redline risepro xmrig zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic evasion infostealer miner persistence rat stealer trojan discovery spyware
score
10/10

Analysis Overview

score
10/10

SHA256

fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b

Threat Level: Known bad

The file amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

Detect ZGRat V1

xmrig

Amadey

RedLine payload

ZGRat

RisePro

XMRig Miner payload

Blocklisted process makes network request

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Checks BIOS information in registry

Reads user/profile data of web browsers

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-01-23 02:20

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 02:20

Reported

2024-01-23 02:22

Platform

win7-20231215-en

Max time kernel

0s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2056 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2056 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2056 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2056 wrote to memory of 2084 N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe

"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=flesh.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:348 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {E69EEF74-AB9B-4385-8C1F-154C457961BB} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 92

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Files


C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 37262bd31dbd8b0ec07b00c47b75e605
SHA1 6c290a35615855f6e9f5c7f8b51552547d11fd57
SHA256 03ba8047c2eff00856b4b004f9b4d8f21a5de6a8fb812c662e633b98b1312d12
SHA512 9e8a8d23f6888cce12bb37ce1ca6da95a33ece9f85f5e5e4c2ef40e3dc26330f6cc03d418e237e91517c2c92eba7d28958683f900549529aeaa1bb1dc0bd0e5f

\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 262e36aed31a7f4d69e49dc015197b84
SHA1 b3aa0df505e72672aa84d6f5326936f80c5d7f82
SHA256 d3dbfd3f52920136dde44f40cd661a9897722467515bfbe16f02c3038894df93
SHA512 4af1a16da4a069df6179544b7456ba702aebdbf0089ad3b8af4f99beed013ff68f0abc745978c0d80dbd46e78a4a3320d1bca503a339e85baf21c54042073085

memory/1044-526-0x0000000074140000-0x000000007482E000-memory.dmp

memory/1044-525-0x0000000000CA0000-0x0000000000D0C000-memory.dmp

memory/1044-527-0x0000000004C60000-0x0000000004CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab7D8C.tmp

MD5 c59689337c48133c9d066b1374f6db5e
SHA1 22f426eff1efce432cdaced791ca23a3b55d04e6
SHA256 835f4833c67394b66682d41176b4e6438ec8f9a4416f41f0cd360e5527d9dacf
SHA512 8f0bb92fe01eafd41ddf177799ca094355ff97451bf611f3603d893dfcaaea09c89b88a8649f058b092313dd0247d7671f49ce698f2552715252fd5d782c7856

memory/1044-549-0x0000000002110000-0x0000000004110000-memory.dmp

memory/1612-531-0x0000000074140000-0x000000007482E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 b39a8db9f613e1a8700971987ad991cd
SHA1 c76997c3fd31979d7ad3c2b6d0d5b92b101025d1
SHA256 6259f79c70bda305042214db05b1cbbe08f26e59a17655cd70a62e5ee9db493e
SHA512 aba94f291f60bbef221b706515dffc4a3d67f4f29181ecf886a9d838e0fc9734690ed068a225f3167cc4790b0b0128d15a34436f595e66127ace662d8bbfd2aa

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 bdb6b16f333ca80e9470b6737e98c807
SHA1 f2202c1217c64c6b92a312fd2522693ace3ecc86
SHA256 8df83d052e4cac66dd075d1f28c542afcdd0cc755ede31684d8e3cf6ca03730d
SHA512 fc8bf2580071b58fde0c4dd516820e8458fa0988c701b7853db3b5823f42ebfefd57749b014df652561de94445e1c34265595a0f594990e3071267903a550ec6

memory/1044-558-0x0000000074140000-0x000000007482E000-memory.dmp

memory/2164-560-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar858B.tmp

MD5 01d5845c2e674289850271805861cdd7
SHA1 24eb030684824df3d5e896c99dd29dfeda6429b1
SHA256 e1634f5069767092d4281961687107666d4ab5444f98d567b4b4372807cf8f5b
SHA512 02a0ba45263110396a8b7aa88238dd745a79f4f6ae7c804af090408e07f1065c1d654e7e4709424e61fc617dc15828298cde6af832816bb3873decffd7f8542c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5069753b1428397a7e8a1f596dedeedd
SHA1 c61b251dcd5a751700224d05e7140ee8499715a9
SHA256 7fe3109a46bf31415a47794cdf839b507d051abf05910d17abda567249420f05
SHA512 759779ef7aec8081bdf0493dd08d95dfeaa4ad73d660403047397fa91c448352a35fc1303886ccb73e3a7dd85821071cc0843dc4d4a66bbb0035ffdb033a2650

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15f09cddfbe165338283700bcbbc595e
SHA1 6125b98f25a0340a12067fc562a5d66088bf3f39
SHA256 cb9eb879ade90507ffcfa1000fe40eec0794f0bced65ddcc6463187ac5929013
SHA512 ad142760026c032b5dfc2e94407ffec7f3091b0cc2eabc6f9065d20bdf429a2c586dd63fb7d98e77dc7b2642c8aa3ef16533d99a0b4cd0cd3b0ffb3fb8050dbb

memory/1612-661-0x0000000004540000-0x0000000004580000-memory.dmp

memory/2932-716-0x0000000000510000-0x0000000000530000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 aded0edd0b78b8d4154e8d0092d7e4d7
SHA1 20bd70fedaffbd94b64da819c0ab1bc7bcc5878f
SHA256 3402f37605ea6d2fd68c1acd85e09ccc07841999896afe064104a60ebd0b674a
SHA512 cfbb4efaef691654b27769f9ca05f8a5cef52f974cddaf73fc02b3d23a022663d6e83937112934637afe7a94b4f796fbc4d30966f7f03b546832774595949981

\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 12b17f7691c1299461af2471d3b791df
SHA1 d14b861765d94caab3761aa1435a1000079f4ee5
SHA256 8d62ab753ee5a35680c98205c8046aea732c7652d365d15b31cfccf331647254
SHA512 6ae2b7e6ea74136dc39b672b7100ec4b25df16481c0d49b6b6ed6e7d80174552d54af1226779047118afc1e06f1e2c573a40d617cd8ee918a78c08992927a3c5

memory/960-783-0x0000000074140000-0x000000007482E000-memory.dmp

memory/960-784-0x0000000000920000-0x0000000000F40000-memory.dmp

memory/2608-787-0x00000000010F0000-0x00000000010F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 0deda7aa0e6c3a705e64a956088c5a12
SHA1 0902d4df138e416fcbd08a647836238e3c6244a6
SHA256 b1260afde433b66b596a359d415df5c0b1cd417f91f60b0bfe602830a9b068b1
SHA512 62c48e9891c772c99d581bc8669bb5924be4df7280771a4ad5e915db824c45dede633b19ac75d6dee9e8792a4a3be428cff1f88f9ff88ccd42dabbf933e5c232

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 16bf0d798bface1c4f1f507b67f0039a
SHA1 77e10fc512110017cd76d3b504878950d4624275
SHA256 7b8490d78eb62eb249b01cb1f1e73dc779db7ae5dcfc321d4df3d8aacd29a04a
SHA512 a6e420d7a686b27e676e376c82b6181f404971158bf8bfc39af51f4a5c0d8f8862c45f97086ecee271ec6fa518eb3b7b78db96e0e8331d3b9c487061b008a985

\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 ec6dca02c036b93da73b8e7f2e48bbdf
SHA1 e1bb81eef45e12a753502188996f8e3db6040978
SHA256 ee2e6ecb37d81b62c2c2b62ebbd8b5b9a413d7e8a7d6982549ea5b65b42a5fa2
SHA512 97060266ad82b73f6f8122bc58894fd4cea79b0c3ab30fae8c6c4b9a0a02566f82d4e7e227b32d352a85ce66dcf00336ccf3018b87c7eb464ff11af76477b1a6

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 83bbf2dc56c395d817f50f5b05c11227
SHA1 85a8099721f03ece58cc522b2f362bb977bf3b74
SHA256 6a8a0ff7591b87b1ef3df610e51478b6c2731dd7709dc803932442589153c233
SHA512 806219ba4b8e498e4620c0371df0b6b42a887391a9babe1a91a14eb47c7698e255c47af967a740c9bbdfbedb6ce381369ddc3a332b8ead29bb3997b30340e4ba

memory/1800-812-0x0000000000490000-0x00000000004D2000-memory.dmp

memory/1800-814-0x0000000001E80000-0x0000000001EBE000-memory.dmp

memory/1800-820-0x0000000074140000-0x000000007482E000-memory.dmp

memory/1800-821-0x00000000049F0000-0x0000000004A30000-memory.dmp

memory/1800-822-0x00000000049F0000-0x0000000004A30000-memory.dmp

memory/1800-823-0x00000000049F0000-0x0000000004A30000-memory.dmp

memory/2084-825-0x0000000005590000-0x0000000005FCD000-memory.dmp

memory/2084-826-0x0000000005590000-0x0000000005FCD000-memory.dmp

memory/1800-824-0x00000000049F0000-0x0000000004A30000-memory.dmp

memory/2608-819-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 2af88cc5355652608f783785c4bd109c
SHA1 b9dbcecfb5be26fd5bd4c0a27e17230faf6f5bb1
SHA256 3cd1d443ce00c4bb4a466160c465a8fa1971cbdd0fc8702e0e4ff492ae556831
SHA512 dc8a213665b74eb276973768b0cdb225d82b49213510fe2bf244d2d7be0b04c81cfe8141af447b9dd37b7e95b21ae4e31616ad85b4ff68d9261add2656368fb1

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 d921caea3b46b88266df2662ff486f6a
SHA1 9a383b4c82fbb0cf48497a4ce579b503dce1a0b7
SHA256 6d70814d7c3758a3bf99335b722a8b7c3870dad7f2fd6497e0c948236e9b3fa0
SHA512 c99a5b70fb97e685cace411395112ac5d7f16a4152e6705ca45e318710793a9056ab5da9599540533e5b40ae35f68649d8fad481e25f7ad15193835915ab7983

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 6878df738defcf088ba56b4d214ca1bd
SHA1 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2
SHA256 fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
SHA512 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78

Analysis: behavioral2

Detonation Overview

Submitted 2024-01-23 02:20
Reported 2024-01-23 02:22
Platform win10v2004-20231215-en
Max time kernel 151s
Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe" C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2652 wrote to memory of 2324 N/A C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2324 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2324 wrote to memory of 4200 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 2324 wrote to memory of 3968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
PID 2324 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 1872 wrote to memory of 1040 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2324 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 3980 wrote to memory of 3352 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 3980 wrote to memory of 388 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2324 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 3924 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4580 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2324 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 2324 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe

"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe

"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

\??\c:\users\admin\appdata\local\temp\F59E91F8

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

C:\Windows\TEMP\zamrbllfjgdb.sys

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5ufhfgj.bjr.ps1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zjqkz.exe.log
