Analysis Overview
SHA256
fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b
Threat Level: Known bad
The file amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
Detect ZGRat V1
xmrig
Amadey
RedLine payload
ZGRat
RisePro
XMRig Miner payload
Blocklisted process makes network request
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Checks BIOS information in registry
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 02:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 02:20
Reported
2024-01-23 02:22
Platform
win7-20231215-en
Max time kernel
0s
Max time network
147s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2056 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 2056 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 2056 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 2056 wrote to memory of 2084 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=flesh.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:348 CREDAT:275457 /prefetch:2
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {E69EEF74-AB9B-4385-8C1F-154C457961BB} S-1-5-21-3601492379-692465709-652514833-1000:CALKHSYM\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 92
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| GB | 96.16.110.114:80 | | tcp |
| DE | 20.113.35.45:38357 | | tcp |
| DE | 141.95.211.148:46011 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| RU | 185.215.113.68:80 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
Files
memory/2056-1-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2056-2-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2056-4-0x0000000002600000-0x0000000002601000-memory.dmp
\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fbda2166923d4d3c912a2d051a0bdf3c |
| SHA1 | 9600dfe21df0c9582830bdd30e175b676b6db7f1 |
| SHA256 | 9740e16c05c4737ed448ca105f6552f43e57cb9b7136efe6ebe3db5df9641f49 |
| SHA512 | fc0026f4f9a9aadd7b0ad3a712a63879cfc3a4ff8a6b88176ed885e1898a6bace4727d9a80780f8cb63cdeaff49a93864cb375054a3a33571ce614422b3a9e04 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 7f21c485291e5e3e8609f6191687261d |
| SHA1 | 78cdde83ab6339e071d9a4b04f0051b334eb5aeb |
| SHA256 | e440316b70ab4b11da420d37226f13070bd699d8652587c39f8d2bd04cfd27b8 |
| SHA512 | 04bee2338c6d73d3242488f4a2cec595c99db0e7ca9bb79292b5e13280b8106ae4b03d90305bd97a2722e1feb4ced33446189fe3aeec09b70a53f5cbf0175dad |
memory/2056-13-0x0000000000CF0000-0x00000000010F8000-memory.dmp
memory/2056-15-0x0000000005490000-0x0000000005898000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 776e4105a2fccd60a82396538c2bced8 |
| SHA1 | fd793d6ab77db33ba0539dab718991b863b14e95 |
| SHA256 | 2de2deebe1a4d204f50e7b4085a9df37459073765b3ae311798d090f2a1b2c25 |
| SHA512 | 0b595f1d566d69532ef4ab464982c52275a68a34a301c65fa73ab3838477dad04bbb9effbfce9f3d42f947e69e674aa026ad086b3c2cc8ea06f22acf2a67c7fc |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
memory/2084-16-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/2084-14-0x0000000000830000-0x0000000000C38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 4f2261b1afe3308e8814fac324aae5ad |
| SHA1 | 20fcf5b05811a72bc454662023a1e11e5dfebc69 |
| SHA256 | ffef74bef377d72c45c74778e65524a23961dabba372eace0fca882a3301cd76 |
| SHA512 | 00a8b7ed49c963536894f8507cf5ed943a8d208029cf33f483f7b0b0dbeba7d737fe9b35407c4ec7513f4fbdcfd7752d91665352a718e6d08a2653a88bcbaf2e |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | d75314df2865f6af237f954d50a38036 |
| SHA1 | bbd9ed9da82a899bbe31051777a494ee04b40b35 |
| SHA256 | d056fe50726981720e352657b32ca7816b36f07de854946be4c22f1e5b6946d2 |
| SHA512 | 242831254ed74f45e83102f00da17ed15511ab334b17d31a5802fffc965357154a717c84c944f109efd8613a4c385e606dac28c13a6ed6180014a4da23fccce6 |
\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | 14c8f2733e1f3729ed4dbdeca77bb19d |
| SHA1 | af7ac48da357080e5d63f5d1c46a9cc395ff61c5 |
| SHA256 | 7d95a34ca0d3f4b8320232f753cc820d48c4bde4af996560535550a8308f1381 |
| SHA512 | db1a42fdfa075d39c49fa05f03e8dd6abbc3aa858c94394bed8dfe7861b3436b52d1e9674b38d45ad39f37874fbf04a76fa1a8e247276362d5343419d587011d |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | 14d44188e0b9d0669ebb6e912bcc914c |
| SHA1 | bac21f37e76e5efca68e003d8655438d96eb967e |
| SHA256 | 72d312c044d72a03b6f0abab7b102bb6e903f26b787decfd2a2b2b51283f8ec1 |
| SHA512 | 5daaf21200d555ae2d92ac9285731b53f778324c43ef2aaa16a30b4d4b52252db7ee5b1eccee973768b131f320bdfbb756340b3d07416fefd60bc6be30d46e45 |
memory/2084-34-0x0000000005590000-0x0000000005A73000-memory.dmp
memory/2712-37-0x0000000000980000-0x0000000000E63000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | b5b757de2c02452da34399d3fa64d4af |
| SHA1 | 2778a805737c6d35cc4253ee5c4f94454409ef38 |
| SHA256 | 987fb7275dc893cd189679cec172415654aadebe739e139eb5b909ded232dc36 |
| SHA512 | 3d033a08b2d4a5cf5d3b191cd9bca0bf4b07943723c18547ac5ba6b04ab76d6b81c4b964804d1325bcbdc6bf16af28cf431c7debe9fa4f10c3f99f7d420e87d1 |
\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | 273a9a6356b7e527007a66e2fd6aebbc |
| SHA1 | d8db7181e12f4eba2c799e205e33b7d385d0c814 |
| SHA256 | b38f904c501f2315c3876c7436c6e28c90f457ad90ba2bb3ed3be0010e79cd34 |
| SHA512 | 2ede8336ae39c34bc772bfb82775d679f6d78f0eac30e8fd3a4c749b565dae176ab3d0f48e24764b8b84125901babedd00311396ceb037efd86dae09b87739ec |
memory/2084-55-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/2796-56-0x000000013FD20000-0x000000014075D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | 6c50193cdd2f48d86c97d2e88e530124 |
| SHA1 | 1215aa1c019724a53716e48798619d07654a2c57 |
| SHA256 | 8c8dcfb7652be0cdeb9dca6012baa1bad54f20efe744f3580c0f8a6f52f1cbf6 |
| SHA512 | f9a5e4bd738ef6f3a67eb096581cec1d23c8d778afd0defb0b235f1efc27843dc5f616989d5ccc9734f0b77b059b0653b2a83892d923c709ba2541a097df4147 |
memory/2084-54-0x0000000005590000-0x0000000005FCD000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | c184e413af0c12886a09b4cc4ca1b1a2 |
| SHA1 | 7010c0e8f8a69e6d21ae5f2b9f8bbcfcb12ce41b |
| SHA256 | a6b1d4cea0af016379cdcf4e15e363001913ac08ccd071aaf3a48d9b66c28bc1 |
| SHA512 | 4ae15db7a02faa06181d3d06345157071327d6c8d904b950fddfa70097958121984e085a58f795a6761e0135d9e2d5672a0a168410f74bcc3f5c71985f6708ce |
memory/1532-63-0x000000013F920000-0x000000014035D000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 4a35677a46de1122bf473ee1d3e7e497 |
| SHA1 | b596c1e322138c04315340e34a442c3a561f9f4d |
| SHA256 | 135aa01d467cb5877136a95f7f6126487507a286c4a6f4d00675a7cb757bf6ee |
| SHA512 | fa82e508ad00b4203cd1c55e7e50af051c2687bfb1e29097f2743529c41792aac6f7399db7b4c02a81ed97f9f4e259324e5e9c2498463aeafc21eda67f6c8ff8 |
memory/2932-73-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-74-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-85-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-87-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-88-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-89-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-86-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 0250b42ac410d959e41943a5d6cfc91f |
| SHA1 | f80a67af99c774d69698799f4cc98297781946c7 |
| SHA256 | d28859f4d827a7ea90969e1e23cd9072399266ad92c4d3b621eac668bde56dba |
| SHA512 | 1f84eca493a21a91bb9d003e9d9d3d30f56b6b8ee8618fbfbd5da4b15363f9ba4818ff52faae31efa807609b8e2fabc90443dedf34feac00651ce489f4000dd4 |
memory/1532-93-0x000000013F920000-0x000000014035D000-memory.dmp
memory/2932-91-0x0000000140000000-0x0000000140840000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 4194dfda2e0e0e6ed52bb57121fea7be |
| SHA1 | 04b8fd724804a5db18e248ac46e80f6c0bc64aeb |
| SHA256 | 4b996033282a05db5188775c9159e952158d4d8a1e835d53015318755caf661c |
| SHA512 | 84d8c6a085be566e0f93fdf0ac6a3bffa89b5b3be3d36abaa0f1649a8612622f72a3f7c9c258abe25408bfff68c09ce925cae8b3efe5814f95f3ee32d99d5289 |
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | b7e05dc11c470215c4611ee714868046 |
| SHA1 | da9d9fd7d291336035a0a9adc22f87eb799bb1c5 |
| SHA256 | a17d562b72c1911f488c06bda8b33cef4726dc5dcd570dd29b2dab5cb770539c |
| SHA512 | 20681d7155e70cd887011e8207564dfb3d6be320bbb36f1b8cf55b0499f4e0a78496d5124dba124072fb3d363c4fdbcf4a772aa37564006403f2507eb442e600 |
memory/340-103-0x0000000000920000-0x0000000000A1A000-memory.dmp
memory/2932-102-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-101-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-104-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-105-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 93d33d34c79ea589c52ae3b43f4af658 |
| SHA1 | aba0491c96d053e428b4572e8ba228120a5773b7 |
| SHA256 | 90a77ec3458d8f0d9ec6f78a53c298ab75409082af1b9bcba879d1fc12b29715 |
| SHA512 | 267734afe23dc222514fd6ab42524f3f54712c6ddd09455ac6a691bd3de946f165910d17db12a8755b7c9c686363453fd590f9fce110d5f8a43adbcd25cbd9d4 |
memory/2932-95-0x00000000001C0000-0x00000000001E0000-memory.dmp
memory/2932-94-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-76-0x0000000140000000-0x0000000140840000-memory.dmp
memory/2932-106-0x0000000140000000-0x0000000140840000-memory.dmp
memory/340-107-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | f07247c1a0c309c226210837275076a6 |
| SHA1 | 3dd190db619a22246d1c715e8da9759d87687616 |
| SHA256 | 65a9ed05850b5ec2c7d43990fa5bf6be5f79191d38835f83c1d62aaab78112aa |
| SHA512 | 9908ec751ab0aeceb31be50cc23c5d7195c319a5d9d27c9e5a8ee1b380da5686167e15086495b75e7b1550de8da3ebcfa675ba3286451403f6fbdfe03b107359 |
memory/340-110-0x0000000004290000-0x000000000438C000-memory.dmp
memory/1120-126-0x0000000000980000-0x00000000009E4000-memory.dmp
memory/1120-127-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | b9a2774d1c74e48d9af1d51ab5a049f3 |
| SHA1 | ce506e007444f31eb0b0474b954ba24de8600b92 |
| SHA256 | d81ba6eae43063b28d40bb0729e72e978870dc2de517c5918b60b148b7e24dc5 |
| SHA512 | ff5beca92cfc9cc62291f8554128319d1bb21de05020a17ca0631626c50cb177e6764b558994884d4e7880963d1c118d4398c875215257d23fdf63338c34ef05 |
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 34f5e04b79f2cc6d9bd386da92e7420f |
| SHA1 | 1bc6ae662b8b0d37fc18e48be4f23fa1b091c12b |
| SHA256 | b4cc2f6951c007d02863f67d6e6be1c5e3682953e987b2324ed2c2f3dc415ca6 |
| SHA512 | 61f4cc74eaea37dd08ec69671c7592725d1ae8e7ac8e2c238180a823d76a542052f1074770d27d5a2db4391461fa8b9a7b941a4e41b1a6c601d3779755480d6e |
memory/340-123-0x0000000004E80000-0x0000000004F7C000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | fa712ab8adbe668c84de5bb2fbefb044 |
| SHA1 | 6972ec301303c9a763ea24051f7166beb2f7d581 |
| SHA256 | 48fd56b12122d946a8ff3a17b1644bbfab2dd6531321037a28ebfc185959f848 |
| SHA512 | e633a285b5027810485ee138ce57a36d288bc06f38bf4e535183e41ed660a8fef34cb67218f66c1a23b687890805186b423db4e511bcfb8627839463f196f669 |
memory/340-108-0x0000000004B60000-0x0000000004BA0000-memory.dmp
memory/2072-70-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2072-68-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2072-67-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2072-66-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2072-65-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2072-64-0x0000000140000000-0x000000014000D000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | c164aeafb5225644ccc0265efe4680bc |
| SHA1 | c4cbe905e81b382803688c34f68b50db8d11ebf3 |
| SHA256 | 815871c5fbdc2f99fc5d6703d0ba43577b50dbf1f6282d26b2178d3b89cea60c |
| SHA512 | eff53a0dce544eace5ac6b73d84140a57a1ef18e54cf911ea0ed5855b3adc0085b3b81efab0e6e3348f694ba4ad560a815026d8dbebf1d97fdf8d82acb1891a3 |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 219b7bc2773985fc648e216856d19cdc |
| SHA1 | 70a7741a27990fd8eb60695f2bba63cf2e8426b8 |
| SHA256 | f0c815ac9bf6ec1f809a28aa40898503a788f72b90841ac1705da20f867d11e5 |
| SHA512 | 638230ec35fd4056736c420ac375487ebff4301d54be79d538c662ef0165c2ec1431e867b779431e857c284e793e79d3e18a6f575cabe4195d752016d918a532 |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 8c8bdeedf4eb82c5bd3334caf9ef6984 |
| SHA1 | 1ebc0d2c3262b0862d171845b19bf1753cf26cb5 |
| SHA256 | ff2dab3639307c5d9b49b13f62e568aabf6e01fdee594d4aac60b7cd4c4e3837 |
| SHA512 | f729d4d487462c98ead8a5954856970b54773cf22ebe049b433bcbd88fa3a7d9c6dca12cdef51bb33ad1f6c4a919b5d63297ce2e35d83ba0d782d1fdf7797d6c |
memory/2796-59-0x000000013FD20000-0x000000014075D000-memory.dmp
memory/2084-130-0x0000000000830000-0x0000000000C38000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | a77f054c4f7ffc24d381a677cebc1205 |
| SHA1 | 3fffd2e716824d40a74f56cacc45dbd92dd4fb9c |
| SHA256 | 0fd8f5de2ed1742a1c3446f0bd01c9388d0e7eb13ead47481bdace69f2e723bb |
| SHA512 | ab6692ef5cc8d607c2b7da2053c2ba91981016e551f7b8da9564ed4207ca3447bea9d3ef35c10b59e25af79c02cbc8109eb108919334c705c94ed52161b39e56 |
memory/340-141-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-142-0x0000000004E80000-0x0000000004F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 633617891fb84b688398d08d3e1bcb13 |
| SHA1 | a486af93f56ebb04f4f7b1695f51da5af8fd4653 |
| SHA256 | 4551f1e48c13d4682443fa0d170e2e39c6aeceaf5f51b168a02d5bfee36d6837 |
| SHA512 | 47f79165c796ef81a7d3316ff958edcc121cb3a740108c933870484b5521fb5661d5f7d48a0f3f35dcb53c2e05e446d91d4b0ffa0415fbfdfdc8e19ca95b4477 |
memory/340-145-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/1120-131-0x0000000002270000-0x0000000004270000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 96df2693bded933178c349e7e7ce25d7 |
| SHA1 | ef0ba135926742270c69e74f31a44f514fe1c95b |
| SHA256 | 31e45caafd405e882f3d5ed102658a5b1ec3e79230a47fc92261c9db565a480d |
| SHA512 | 88ded2c97630beee6e574970499ee2d93d4e3bbbc8d05821f846cbc17104bb1e6d7cdf2bdb24f8491bf1f764c1d76f65b294b649aa7fd7acde10c9b6891ccd00 |
memory/340-153-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-155-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/2084-159-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/2084-161-0x0000000005590000-0x0000000005A73000-memory.dmp
memory/340-164-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/948-163-0x0000000074140000-0x000000007482E000-memory.dmp
memory/340-166-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-160-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-182-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-184-0x0000000004E80000-0x0000000004F77000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 65e6f6857d17ffd2bdda6c63c64448c0 |
| SHA1 | c594fe2151ebcd6fe2b7102bbe4a74f6772eb27b |
| SHA256 | a10818f492ec6708a7ca04a54168a47e94e28d0bbb081c8049777ca1bde32050 |
| SHA512 | 3b53c34e210fdbe29b4b5aad9579baef6629ecf1114e6a26a56d26cda20e9b4328bac677725d3a65cd8e0cf83f1892d57ed13772fb69f6ad12d217991410a386 |
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | dfae3d4bfd8141704aa1b9deae39a230 |
| SHA1 | b6fedddfc128e71817ba1ba43ecd27f0bdf19588 |
| SHA256 | f9ca0e312959b27a877e10857c35a40dc126ef0f8f8a747e964969f8a19796f7 |
| SHA512 | ecbdd500731b439291cbee3d184dd61b06a2751fae25425c5e52a2a03681da60f83f70a060b4d7c59d01307a7a94c1f83de10b0114d0a902a08819fda27aee62 |
memory/340-192-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-194-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/948-191-0x00000000025E0000-0x00000000045E0000-memory.dmp
memory/340-196-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-198-0x0000000004E80000-0x0000000004F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 101d03279a3728171f719d3762b12aa6 |
| SHA1 | b3bf37bedb5d22c7d2384414912e99aa7696bf6a |
| SHA256 | f1535b325e9e9f3166b04558804f6d42f048d9d6af9d45b2cefd62c1e03d0cc4 |
| SHA512 | 43e7847ae24c49e638d3b69a4012d34287323b7af1ee09326ff0f8cccf5c7fb3edced2321be02cdf524f233619e21449fea2436442f0839698722eebb6afdf8b |
memory/340-200-0x0000000004E80000-0x0000000004F77000-memory.dmp
memory/340-202-0x0000000004E80000-0x0000000004F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | e8f7d0943b2319d515e53703b965be7f |
| SHA1 | 0f4880a095d930cc8a5892fc733b2e4a3ffe631c |
| SHA256 | 2e43c845ca1ba213afc968dee3526a89a75fcf94b42858804fe87da562234674 |
| SHA512 | ad111ea9cc1e138b08307b61f560d892ebc55cae507f7582d6c68a69d1f18c911ac05cfc12e60bd3e886f5f30181ce4f21db8328bce29ba4eed504c936e3e708 |
memory/2712-181-0x0000000000980000-0x0000000000E63000-memory.dmp
memory/340-169-0x0000000004E80000-0x0000000004F77000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | f343b6f68e235c61d7ffc17b5a514ac3 |
| SHA1 | d935817c1c170c7c15227072b922f9ceca45d49f |
| SHA256 | 8460d88e03a14cc918e292a4dfbf7036acb4699c0d6aa9530792eca8bed37c02 |
| SHA512 | 3b29899b026cf2128ae103fe775cba3721e5427204cb734cf2473073b67681389b04a3f860c424ca1374dad7653ab37d0ccb42f998d2480deeda2adecdcef605 |
\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 62b179d5ccdb070da2841b8356a4e11b |
| SHA1 | 762ae153201da6e7e548650df5098755d564fb20 |
| SHA256 | e184cf6966de716347f42476995827a61eeb25c387a50c8c5e840d6f13a0ceb1 |
| SHA512 | fe038dd3cd5b203c0edcf499b32369a516fe8a0ea3c7c93fae5d4ac71f87a6003bde06232dc878b0a1af419ed3c7ea3f8290acfd3adf30cea2dc2b74a644eee5 |
\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 8fbea9dc1ef1d3b779d73cf24578d82c |
| SHA1 | a2260cff716f240e0239906776e49b536c179956 |
| SHA256 | d40ca3a3940106a2ff3110b481f2f52fa6f41d09d64bd72169abbe90bd1d6087 |
| SHA512 | 61cbf2269c43cf89a9d7cea712160c322f8bed9ee288d498881df5b9e76337fb3cd95a0f05fae8d443014df73d3feff14fd28b016e0bb65ceb6aef2720707d64 |
memory/948-158-0x0000000001180000-0x00000000011D6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | ef97928ed1b83256ad18bf391f3ab200 |
| SHA1 | 4050e2188e8d18d1b6932e64da9277fe8f834f5c |
| SHA256 | ff10029f98921d6e572b1bdd6c388f223fda7a423946033f6a0e31a36349bf3e |
| SHA512 | e3c9fd16de61a3fef5c8f6552dfddd85e68cee9ff03869ff70935e2fcf873fd3fb86f5d8c49f8d0216cb405e802b6effc647af59fbf1c0af87d99c4609f938b1 |
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
memory/340-147-0x0000000004E80000-0x0000000004F77000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | f1e2caef0fe600fa32da9058c9275f1d |
| SHA1 | b6222e0454dcbdecb0867be62c75156907e3d239 |
| SHA256 | 5389f2f9bd9a370f056a9ec0d7b2f19df2ce4b77c5f9b79f6ae697e7f167e93f |
| SHA512 | becb31ef2166c769ef89a213e636872fab59decf03ab6d7897354ec45b40f5fe9139d2b4583637fe97311eab89d81c9ccaa89ae4c779319b7d224cc08489397e |
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 989e9d69cefb06a46e4b6f65ab959304 |
| SHA1 | 3d46deb2c32ecae307ab6006be2e930e9210df2a |
| SHA256 | 0d3e6aa978a25b48300193c4d3ad853b778e948dc312feb20f2e40d67d77b070 |
| SHA512 | 89c52cc98ddf1925944becfeda0ef5c1c974087b680b0e4c47e59ccd0590e63541813d32455fdebd7c6855d2dacc74c95a5f60f2556e579a55d67ef67810848f |
memory/1612-267-0x0000000000DB0000-0x0000000000E04000-memory.dmp
memory/1612-271-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2084-291-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/1612-298-0x0000000004540000-0x0000000004580000-memory.dmp
memory/948-304-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1120-305-0x0000000074140000-0x000000007482E000-memory.dmp
memory/3020-329-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2932-332-0x0000000000510000-0x0000000000530000-memory.dmp
memory/296-330-0x0000000000400000-0x0000000000454000-memory.dmp
memory/340-431-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/340-465-0x0000000004B60000-0x0000000004BA0000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 01606c3e5adc346274c3c32ed9b008e1 |
| SHA1 | ce845ed1eb6bbead075c8ba50b0f1f9b8ce5838e |
| SHA256 | c9e24aa365874247dcb628a8587812f4680abf0a519d1c1be1accbccc35ae2c0 |
| SHA512 | 4f00affdcba975f3e60dab3e74f7a37bb030d415349e0618c7a607e88ca3f269791363e90e964236e6b4b8582a87362b27b1d6dd9857cee76896669eb7c384a0 |
memory/2084-482-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/2084-483-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/324-484-0x000000013F5E0000-0x000000014001D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | ef67ec7c1557590e6277ee14b0277862 |
| SHA1 | 772bcf566b60af8e3b45df2d1e2088147c8c9bf9 |
| SHA256 | 9d73aaf41c07e9cef92dd2d8867623b1ae572ccace6b1672d5d2f9a60b985b69 |
| SHA512 | 1bd1c444858eafb4af5c808c614702194d08b284d4a4b7a0b79c2895e810d2814ca611dfb08a6a946467599627ab98ec4aecbddae4918734cad0d4c79aef9988 |
\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 016357d469b08f521e6b22653d23aec9 |
| SHA1 | 90248d3729c96ccca491309ab6d95d791d84cdb4 |
| SHA256 | 2cc4155fb7953410d8029f9460132a5a234a7e258fc44e1174c2510bc7d1511e |
| SHA512 | ba3ff4fefd148fab19dad75293aac67440b6cd8a9fd3058ac04c77ca497a110d69bf2dd1c817bc7c4dee2446d12e23ea31e39f69f5417a6e6bf15c34a7f305cc |
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 4b05f5a3d985f6f2b3ded1f89746f024 |
| SHA1 | 82d49c6267b250cefe7f7e6a69897717a80cb6f8 |
| SHA256 | d84be67a66959e4f9f855ec72b9c28989a3c535c4ee0725715a5929d9027e4b5 |
| SHA512 | b23897937e164f650be471c3cdf7e294861df6a8909ed6e50b1049d8085e05bb6aca61b2d6c6b9e7cf1e7fdbe527f6e8d49212f5659e4bf1674ff34ea811434e |
memory/324-488-0x000000013F5E0000-0x000000014001D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | 984d67555a2ca2f9c528080f5c387202 |
| SHA1 | 5a2f20837db96c5783579b14cf6ee23d07f15916 |
| SHA256 | bbff38af7f9f23e0b07cce68d2d01d58c176604e40be7ed88ef59947589e4d45 |
| SHA512 | 757ac155b5384d04f7fa3c3ad1f1a014bdbed2838534e00b425efd8f000c849ddf1a53148daf891785ce86803db0b2b945ab8f01eee8f1ae915c3010b2124432 |
C:\Windows\TEMP\zamrbllfjgdb.sys
| MD5 | 2befac70517124f74e030de60ae4e930 |
| SHA1 | c58fc3b1993f2c7a9bafad429d14aaef08fc0846 |
| SHA256 | 0112bf805fc28f6746dec25690ab1994eb9ac52e09e6d896273b81a037bd8dbd |
| SHA512 | 8645020f58ad5fc85306e120bb708a22a9cb3cdb17da0ae7ea6625e254b859207f474af5a01cec4ff0f73b5438cd90c5aca80a7ffc23f4b802a098950e326d33 |
memory/2552-509-0x000000013F540000-0x000000013FF7D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | 2cbc923224c875f12b610ec895fcc330 |
| SHA1 | 17418202e1b87c962c13cfb1d3b5dec044f6adca |
| SHA256 | 522d2240bcbffa4159e9d940b0480a363162aca04cd1b76a07daf810b357f59f |
| SHA512 | 3370e4b3cf5c20d108a2027b67ba9e464c637bfac9600c094e37f34a4e10b2a275385653dc79b68780a74d8af411bc39249686c1c17eaa3df5230a7060d5097c |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 0fb88825adff7b6093a6f69da7fbc45e |
| SHA1 | 61c8dbd0d385e245588371b57821d580dee53c54 |
| SHA256 | 1a330f9783a5f3652a067256e2b2c3d4e248ef0b9ca866caa673a49dcab60c15 |
| SHA512 | 6003b3a42fa1fa97e422ca3d79b0cc5064a1dca5d81b57bdf54d8b1884420189e1315e4c6c8251feab5c57f30c8df4bc8342c6b15ab07058456468fdef7e03e3 |
\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | 291ba5d154875918f39e47aaad7b442a |
| SHA1 | 3e1e5e56de804aaeb2d73058b3e132e962ee4c1f |
| SHA256 | aa8c511db963cfd620c1b8904dcbc053fbe20139d97be7ac36910decd2588e3f |
| SHA512 | d67b10344b19cc982361a10f8d16d5de6b7ac1ff451a9938ff01237f3f2e4fa7c40c3ae134ef0c7cadc4897399b1e720d0747076e76d128b5b93f00e846423ef |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | d65029a671f33984fa779d9f665534f1 |
| SHA1 | e2e150700d5116a2f3c5108f0a5a6ba03c927cab |
| SHA256 | 2ec69e0332122f2a880aac0456e754859f83c4fe93b01e4d5be5579cc742d035 |
| SHA512 | b742dbe23c52ff3993f6c9b3d4dd09437d5b49223bc5b3444bdf990c57131a3a57a3cfd97e3f9699161263fea78e03aecc8cebaa1c29c15eb8d0dcb4139e895e |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 99d3f8531de82d7de365a9c2347d9bf3 |
| SHA1 | c0597ba0d9a9039e5c340f7ebe44e55447e6f470 |
| SHA256 | 40f7532180b07f14412cd6f2a2a708440519b5243ec58417b263cd6db9d026b0 |
| SHA512 | fa30680bb0c1eafc9a5e76edc582cc31befdc3bd99635d839585e5f44c064888bfb7b6a27333da22bed14f1bd555ade9b986e815de91031b177a88d27070f522 |
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 37262bd31dbd8b0ec07b00c47b75e605 |
| SHA1 | 6c290a35615855f6e9f5c7f8b51552547d11fd57 |
| SHA256 | 03ba8047c2eff00856b4b004f9b4d8f21a5de6a8fb812c662e633b98b1312d12 |
| SHA512 | 9e8a8d23f6888cce12bb37ce1ca6da95a33ece9f85f5e5e4c2ef40e3dc26330f6cc03d418e237e91517c2c92eba7d28958683f900549529aeaa1bb1dc0bd0e5f |
\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 262e36aed31a7f4d69e49dc015197b84 |
| SHA1 | b3aa0df505e72672aa84d6f5326936f80c5d7f82 |
| SHA256 | d3dbfd3f52920136dde44f40cd661a9897722467515bfbe16f02c3038894df93 |
| SHA512 | 4af1a16da4a069df6179544b7456ba702aebdbf0089ad3b8af4f99beed013ff68f0abc745978c0d80dbd46e78a4a3320d1bca503a339e85baf21c54042073085 |
memory/1044-526-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1044-525-0x0000000000CA0000-0x0000000000D0C000-memory.dmp
memory/1044-527-0x0000000004C60000-0x0000000004CA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab7D8C.tmp
| MD5 | c59689337c48133c9d066b1374f6db5e |
| SHA1 | 22f426eff1efce432cdaced791ca23a3b55d04e6 |
| SHA256 | 835f4833c67394b66682d41176b4e6438ec8f9a4416f41f0cd360e5527d9dacf |
| SHA512 | 8f0bb92fe01eafd41ddf177799ca094355ff97451bf611f3603d893dfcaaea09c89b88a8649f058b092313dd0247d7671f49ce698f2552715252fd5d782c7856 |
memory/1044-549-0x0000000002110000-0x0000000004110000-memory.dmp
memory/1612-531-0x0000000074140000-0x000000007482E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | b39a8db9f613e1a8700971987ad991cd |
| SHA1 | c76997c3fd31979d7ad3c2b6d0d5b92b101025d1 |
| SHA256 | 6259f79c70bda305042214db05b1cbbe08f26e59a17655cd70a62e5ee9db493e |
| SHA512 | aba94f291f60bbef221b706515dffc4a3d67f4f29181ecf886a9d838e0fc9734690ed068a225f3167cc4790b0b0128d15a34436f595e66127ace662d8bbfd2aa |
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | bdb6b16f333ca80e9470b6737e98c807 |
| SHA1 | f2202c1217c64c6b92a312fd2522693ace3ecc86 |
| SHA256 | 8df83d052e4cac66dd075d1f28c542afcdd0cc755ede31684d8e3cf6ca03730d |
| SHA512 | fc8bf2580071b58fde0c4dd516820e8458fa0988c701b7853db3b5823f42ebfefd57749b014df652561de94445e1c34265595a0f594990e3071267903a550ec6 |
memory/1044-558-0x0000000074140000-0x000000007482E000-memory.dmp
memory/2164-560-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tar858B.tmp
| MD5 | 01d5845c2e674289850271805861cdd7 |
| SHA1 | 24eb030684824df3d5e896c99dd29dfeda6429b1 |
| SHA256 | e1634f5069767092d4281961687107666d4ab5444f98d567b4b4372807cf8f5b |
| SHA512 | 02a0ba45263110396a8b7aa88238dd745a79f4f6ae7c804af090408e07f1065c1d654e7e4709424e61fc617dc15828298cde6af832816bb3873decffd7f8542c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5069753b1428397a7e8a1f596dedeedd |
| SHA1 | c61b251dcd5a751700224d05e7140ee8499715a9 |
| SHA256 | 7fe3109a46bf31415a47794cdf839b507d051abf05910d17abda567249420f05 |
| SHA512 | 759779ef7aec8081bdf0493dd08d95dfeaa4ad73d660403047397fa91c448352a35fc1303886ccb73e3a7dd85821071cc0843dc4d4a66bbb0035ffdb033a2650 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 15f09cddfbe165338283700bcbbc595e |
| SHA1 | 6125b98f25a0340a12067fc562a5d66088bf3f39 |
| SHA256 | cb9eb879ade90507ffcfa1000fe40eec0794f0bced65ddcc6463187ac5929013 |
| SHA512 | ad142760026c032b5dfc2e94407ffec7f3091b0cc2eabc6f9065d20bdf429a2c586dd63fb7d98e77dc7b2642c8aa3ef16533d99a0b4cd0cd3b0ffb3fb8050dbb |
memory/1612-661-0x0000000004540000-0x0000000004580000-memory.dmp
memory/2932-716-0x0000000000510000-0x0000000000530000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | aded0edd0b78b8d4154e8d0092d7e4d7 |
| SHA1 | 20bd70fedaffbd94b64da819c0ab1bc7bcc5878f |
| SHA256 | 3402f37605ea6d2fd68c1acd85e09ccc07841999896afe064104a60ebd0b674a |
| SHA512 | cfbb4efaef691654b27769f9ca05f8a5cef52f974cddaf73fc02b3d23a022663d6e83937112934637afe7a94b4f796fbc4d30966f7f03b546832774595949981 |
\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 12b17f7691c1299461af2471d3b791df |
| SHA1 | d14b861765d94caab3761aa1435a1000079f4ee5 |
| SHA256 | 8d62ab753ee5a35680c98205c8046aea732c7652d365d15b31cfccf331647254 |
| SHA512 | 6ae2b7e6ea74136dc39b672b7100ec4b25df16481c0d49b6b6ed6e7d80174552d54af1226779047118afc1e06f1e2c573a40d617cd8ee918a78c08992927a3c5 |
memory/960-783-0x0000000074140000-0x000000007482E000-memory.dmp
memory/960-784-0x0000000000920000-0x0000000000F40000-memory.dmp
memory/2608-787-0x00000000010F0000-0x00000000010F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 0deda7aa0e6c3a705e64a956088c5a12 |
| SHA1 | 0902d4df138e416fcbd08a647836238e3c6244a6 |
| SHA256 | b1260afde433b66b596a359d415df5c0b1cd417f91f60b0bfe602830a9b068b1 |
| SHA512 | 62c48e9891c772c99d581bc8669bb5924be4df7280771a4ad5e915db824c45dede633b19ac75d6dee9e8792a4a3be428cff1f88f9ff88ccd42dabbf933e5c232 |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 16bf0d798bface1c4f1f507b67f0039a |
| SHA1 | 77e10fc512110017cd76d3b504878950d4624275 |
| SHA256 | 7b8490d78eb62eb249b01cb1f1e73dc779db7ae5dcfc321d4df3d8aacd29a04a |
| SHA512 | a6e420d7a686b27e676e376c82b6181f404971158bf8bfc39af51f4a5c0d8f8862c45f97086ecee271ec6fa518eb3b7b78db96e0e8331d3b9c487061b008a985 |
\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
| MD5 | ec6dca02c036b93da73b8e7f2e48bbdf |
| SHA1 | e1bb81eef45e12a753502188996f8e3db6040978 |
| SHA256 | ee2e6ecb37d81b62c2c2b62ebbd8b5b9a413d7e8a7d6982549ea5b65b42a5fa2 |
| SHA512 | 97060266ad82b73f6f8122bc58894fd4cea79b0c3ab30fae8c6c4b9a0a02566f82d4e7e227b32d352a85ce66dcf00336ccf3018b87c7eb464ff11af76477b1a6 |
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
| MD5 | 83bbf2dc56c395d817f50f5b05c11227 |
| SHA1 | 85a8099721f03ece58cc522b2f362bb977bf3b74 |
| SHA256 | 6a8a0ff7591b87b1ef3df610e51478b6c2731dd7709dc803932442589153c233 |
| SHA512 | 806219ba4b8e498e4620c0371df0b6b42a887391a9babe1a91a14eb47c7698e255c47af967a740c9bbdfbedb6ce381369ddc3a332b8ead29bb3997b30340e4ba |
memory/1800-812-0x0000000000490000-0x00000000004D2000-memory.dmp
memory/1800-814-0x0000000001E80000-0x0000000001EBE000-memory.dmp
memory/1800-820-0x0000000074140000-0x000000007482E000-memory.dmp
memory/1800-821-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/1800-822-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/1800-823-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/2084-825-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/2084-826-0x0000000005590000-0x0000000005FCD000-memory.dmp
memory/1800-824-0x00000000049F0000-0x0000000004A30000-memory.dmp
memory/2608-819-0x000007FEF59A0000-0x000007FEF638C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 2af88cc5355652608f783785c4bd109c |
| SHA1 | b9dbcecfb5be26fd5bd4c0a27e17230faf6f5bb1 |
| SHA256 | 3cd1d443ce00c4bb4a466160c465a8fa1971cbdd0fc8702e0e4ff492ae556831 |
| SHA512 | dc8a213665b74eb276973768b0cdb225d82b49213510fe2bf244d2d7be0b04c81cfe8141af447b9dd37b7e95b21ae4e31616ad85b4ff68d9261add2656368fb1 |
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | d921caea3b46b88266df2662ff486f6a |
| SHA1 | 9a383b4c82fbb0cf48497a4ce579b503dce1a0b7 |
| SHA256 | 6d70814d7c3758a3bf99335b722a8b7c3870dad7f2fd6497e0c948236e9b3fa0 |
| SHA512 | c99a5b70fb97e685cace411395112ac5d7f16a4152e6705ca45e318710793a9056ab5da9599540533e5b40ae35f68649d8fad481e25f7ad15193835915ab7983 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 6878df738defcf088ba56b4d214ca1bd |
| SHA1 | 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2 |
| SHA256 | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b |
| SHA512 | 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78 |
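The Files sections list the same drop path several times with different digests (moto.exe, leg221.exe, store.exe and iojmibhyhiws.exe each appear with three or four distinct hash sets), and one capture of explorhe.exe in behavioral2 carries the digests of a zero-length file (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA256 e3b0c442...), meaning the sandbox hashed the file before anything had been written to it. The following is an added Python example, not part of the sandbox output, that parses entries in this report's format, separates such captures from usable indicators, and notes which drop is a byte-for-byte copy of the submitted sample. The excerpt is copied from this report's Files sections; the path normalisation and the audit rules are mine.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b"

# Digests of a zero-length input. A drop listed with these was hashed before it was written.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed excerpt: entries copied verbatim from the Files sections of this report.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 6878df738defcf088ba56b4d214ca1bd |
| SHA1 | 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2 |
| SHA256 | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b |
| SHA512 | 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/324-488-0x000000013F5E0000-0x000000014001D000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | 01606c3e5adc346274c3c32ed9b008e1 |
| SHA1 | ce845ed1eb6bbead075c8ba50b0f1f9b8ce5838e |
| SHA256 | c9e24aa365874247dcb628a8587812f4680abf0a519d1c1be1accbccc35ae2c0 |
| SHA512 | 4f00affdcba975f3e60dab3e74f7a37bb030d415349e0618c7a607e88ca3f269791363e90e964236e6b4b8582a87362b27b1d6dd9857cee76896669eb7c384a0 |
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
| MD5 | ef67ec7c1557590e6277ee14b0277862 |
| SHA1 | 772bcf566b60af8e3b45df2d1e2088147c8c9bf9 |
| SHA256 | 9d73aaf41c07e9cef92dd2d8867623b1ae572ccace6b1672d5d2f9a60b985b69 |
| SHA512 | 1bd1c444858eafb4af5c808c614702194d08b284d4a4b7a0b79c2895e810d2814ca611dfb08a6a946467599627ab98ec4aecbddae4918734cad0d4c79aef9988 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalise(path):
    # The report spells one path three ways: with a drive letter, without one, and with an
    # NT object prefix. Fold them into a single lower-case key so repeats group together.
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]
    return re.sub(r"^[A-Za-z]:", "", p).lower()


def parse_files(text):
    """Return [(normalised path, {algo: digest})]; memory-dump lines close the current entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        row = HASH_ROW.match(line)
        if row:
            if current is not None:
                current[1][row.group(1)] = row.group(2).lower()
        elif line.startswith("memory/") or line.startswith("|"):
            current = None
        else:
            current = (normalise(line), {})
            entries.append(current)
    return entries


def audit(entries, sample_sha256):
    """Findings as (kind, path, detail): malformed digests, empty captures, self-copies, rewrites."""
    findings, by_path = [], defaultdict(list)
    for path, hashes in entries:
        for algo, digest in hashes.items():
            if len(digest) != HEX_LEN[algo]:
                findings.append(("malformed hash", path, f"{algo}:{digest}"))
        sha = hashes.get("SHA256")
        if sha == EMPTY_FILE["SHA256"]:
            findings.append(("zero-length capture", path, sha))
        elif sha == sample_sha256:
            findings.append(("copy of submitted sample", path, sha))
        if sha:
            by_path[path].append(sha)
    for path, digests in by_path.items():
        distinct = set(digests) - {EMPTY_FILE["SHA256"]}
        if len(distinct) > 1:  # same path written more than once with different content
            findings.append(("same path, multiple contents", path, ",".join(sorted(distinct))))
    return findings


def ioc_sha256(entries):
    """SHA256 values worth blocking: every capture except the zero-length ones."""
    return sorted({h["SHA256"] for _, h in entries if "SHA256" in h} - {EMPTY_FILE["SHA256"]})


if __name__ == "__main__":
    parsed = parse_files(REPORT_EXCERPT)
    for kind, path, detail in audit(parsed, SAMPLE_SHA256):
        print(f"{kind:30} {path}  {detail}")
    print("\n".join(ioc_sha256(parsed)))
```

Feed the whole Files section through `parse_files` rather than the excerpt to get the complete indicator set; a path that shows up with several digests is a payload that was downloaded in stages or replaced, so every non-empty digest is worth keeping.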
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 02:20
Reported
2024-01-23 02:22
Platform
win10v2004-20231215-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe" | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe
"C:\Users\Admin\AppData\Local\Temp\amer.exe_fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000549001\moto.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
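The command lines above are where the persistence and defence-evasion behaviour flagged in the Signatures section becomes concrete: a scheduled task that re-runs explorhe.exe every minute, a service FLWCUERA created with a binary under ProgramData, `sc stop eventlog`, delayed self-deletion through `choice /T 3 & Del`, and rundll32 loading clip64.dll from Roaming. The following is an added Python example, not part of the sandbox output, that triages such a process list with regular-expression rules. The sample launches are copied from this section; the rules, the ATT&CK technique numbers and the "user-writable path" notion are mine. The last check relies on WOW64 file-system redirection: a 32-bit parent that asks for System32\schtasks.exe is given SysWOW64\schtasks.exe, which is why the image path and the command line disagree for those launches.

```python
import re

# Constructed sample: launches copied from the Processes section as (image path, command line).
PROCESSES = [
    (r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe '
     r'/TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F'),
    (r"C:\Windows\system32\sc.exe", r'C:\Windows\system32\sc.exe delete "FLWCUERA"'),
    (r"C:\Windows\system32\sc.exe",
     r'C:\Windows\system32\sc.exe create "FLWCUERA" binpath= '
     r'"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"'),
    (r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del '
     r'"C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe"'),
    (r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe stop eventlog"),
    (r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    (r"C:\Windows\system32\choice.exe", r"choice /C Y /N /D Y /T 3"),
]

# Directories a standard user can write to; a payload living there has no business being
# registered as a service or a minute-interval task.
USER_WRITABLE = re.compile(r"(?i)\\(AppData|ProgramData|Users\\Public|Windows\\Temp)\\")

# (label, pattern, whether the captured path <p> must be user-writable for the rule to fire)
RULES = [
    ("scheduled task re-runs a user-writable payload every minute (T1053.005)",
     r'(?i)schtasks\S*\s+/create\b.*\s/sc\s+minute\b.*\s/tr\s+"?(?P<p>[^"]+)', True),
    ("service created with a user-writable binary (T1543.003)",
     r'(?i)\bsc(\.exe)?\s+create\b.*\bbinpath=\s*"?(?P<p>[^"\s]+)', True),
    ("Windows Event Log service stopped (T1562.002)",
     r"(?i)\bsc(\.exe)?\s+stop\s+eventlog\b", False),
    ("delayed self-deletion via choice /T n & del (T1070.004)",
     r"(?i)\bchoice\b.*\s/t\s+\d+.*&\s*del\b", False),
    ("rundll32 loads a DLL from a user-writable path (T1218.011)",
     r"(?i)rundll32\S*\s+(?P<p>[^,\s]+\.dll)\s*,", True),
]


def is_user_writable(path):
    return USER_WRITABLE.search(path) is not None


def triage(processes):
    """Return (label, image, command line) for every launch that trips a rule."""
    hits = []
    for image, cmd in processes:
        for label, pattern, needs_writable in RULES:
            m = re.search(pattern, cmd)
            if m is None:
                continue
            if needs_writable and not is_user_writable(m.group("p")):
                continue
            hits.append((label, image, cmd))
    return hits


def launched_from_32bit_parent(image, cmd):
    """Image under SysWOW64 while the command line names System32: WOW64 redirected it,
    so the parent that spawned this process is 32-bit (here, the Amadey loader chain)."""
    return "\\syswow64\\" in image.lower() and "\\system32\\" in cmd.lower()


if __name__ == "__main__":
    for label, image, cmd in triage(PROCESSES):
        print(f"[{label}]\n    {cmd}")
    for image, cmd in PROCESSES:
        if launched_from_32bit_parent(image, cmd):
            print(f"32-bit parent: {image}")
```

Plain `sc.exe` and `schtasks.exe` launches are common on a healthy host; what makes these worth an alert is the combination of a system-level persistence mechanism with a binary in a user-writable directory, or a service stop aimed at the event log itself, which is why each rule checks the argument rather than the tool name.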
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | 3.182.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 70.89.76.45.in-addr.arpa | udp |
| DE | 141.95.211.148:46011 | | tcp |
| US | 8.8.8.8:53 | 148.211.95.141.in-addr.arpa | udp |
| NL | 94.156.66.203:13781 | | tcp |
| DE | 20.113.35.45:38357 | | tcp |
| US | 8.8.8.8:53 | 45.35.113.20.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| RU | 5.42.65.31:48396 | | tcp |
| US | 8.8.8.8:53 | 31.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 61.4.79.80.in-addr.arpa | udp |
| DE | 144.76.1.85:25894 | | tcp |
| US | 8.8.8.8:53 | 85.1.76.144.in-addr.arpa | udp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | paperambiguonusphoterew.site | udp |
| US | 104.21.83.138:443 | paperambiguonusphoterew.site | tcp |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | 138.83.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | qualifiedbehaviorrykej.site | udp |
| US | 172.67.175.187:443 | qualifiedbehaviorrykej.site | tcp |
| US | 8.8.8.8:53 | combinethemepiggerygoj.site | udp |
| US | 104.21.38.174:443 | combinethemepiggerygoj.site | tcp |
| US | 8.8.8.8:53 | weedpairfolkloredheryw.site | udp |
| US | 104.21.40.14:443 | weedpairfolkloredheryw.site | tcp |
| US | 8.8.8.8:53 | 187.175.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 174.38.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.40.21.104.in-addr.arpa | udp |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | expenditureddisumilarwo.site | udp |
| US | 172.67.133.222:443 | expenditureddisumilarwo.site | tcp |
| US | 8.8.8.8:53 | 222.133.67.172.in-addr.arpa | udp |
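Rows in the table above with an empty Domain column are connections to an IP and port with no name resolved first (hard-coded in the payload), the rows to port 80 whose Domain equals the IP are plain HTTP to an IP literal, and the in-addr.arpa queries to 8.8.8.8 are reverse lookups performed for each contacted address rather than something the sample asked for. The following is an added Python example, not part of the sandbox output, that parses rows in this format, tolerates the raw export's variant in which the protocol sits in the Domain cell, filters the reverse-lookup noise and groups the remaining endpoints. The rows are copied from this section; the classification labels and the "pool." hostname heuristic for mining pools are mine.

```python
from collections import Counter
from typing import NamedTuple

# Constructed sample: rows copied from the Network table of this report, including two from
# the raw export in which the protocol slid into the Domain column and Proto was left empty.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| DE | 141.95.211.148:46011 | tcp | |
| NL | 94.156.66.203:13781 | tcp | |
| NL | 94.156.66.203:13781 | | tcp |
| US | 8.8.8.8:53 | paperambiguonusphoterew.site | udp |
| US | 104.21.83.138:443 | paperambiguonusphoterew.site | tcp |
| US | 172.67.175.187:443 | qualifiedbehaviorrykej.site | tcp |
"""


class Conn(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse '| CC | ip:port | domain | proto |' rows, repairing rows whose proto slid left."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain in ("tcp", "udp"):
            proto, domain = domain, ""
        ip, _, port = dest.rpartition(":")
        rows.append(Conn(country, ip, int(port), domain, proto))
    return rows


def classify(c):
    if c.port == 53:
        # PTR queries are issued for every peer the machine talks to; they carry no intent.
        return "ptr-noise" if c.domain.endswith(".in-addr.arpa") else "dns-query"
    if c.domain == "":
        return "raw-ip-direct"    # no name resolved first: IP and port are baked in
    if c.domain == c.ip:
        return "ip-literal-host"  # HTTP to an IP literal, the usual shape of a plain loader
    return "named"


def by_class(rows):
    return Counter(classify(c) for c in rows)


def endpoints(rows):
    """Count non-DNS connections per (ip:port, domain); repeats are beaconing candidates."""
    return Counter((f"{c.ip}:{c.port}", c.domain) for c in rows if c.port != 53)


def mining_pool_domains(rows):
    # Heuristic only: mining pools are very often served from a 'pool.' hostname.
    return {c.domain for c in rows if c.domain.startswith("pool.")}


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    for (ep, domain), n in endpoints(rows).most_common():
        print(f"{n:2}  {ep:24} {domain or '-'}")
    print(by_class(rows), mining_pool_domains(rows))
```

Run over the full table, the repeated high-port connections to the same address with no domain are the ones to prioritise for blocking, since they cannot be disrupted by a sinkhole and recur at what looks like a beacon interval; the .site domains behind 104.21.x and 172.67.x resolve to a CDN, so block the hostnames, not the addresses.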
Files
memory/2652-0-0x0000000000FB0000-0x00000000013B8000-memory.dmp
memory/2652-1-0x0000000000FB0000-0x00000000013B8000-memory.dmp
memory/2652-2-0x0000000000FB0000-0x00000000013B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 6878df738defcf088ba56b4d214ca1bd |
| SHA1 | 24a27c8c1d8a248dc76f060d7ab1cbfe5bf257a2 |
| SHA256 | fa28eef0849acaf3e0fecf455938bdbf26282afcc3d89eb491cafbf0aed5331b |
| SHA512 | 7b047edb4c5bd01d4eaa7062fd60453cb0093a80e8a3f9e62703b67fd4c78f06e04005e31dc4d6df4b39409efc730e327de4a871d109ef78a9b28dbd69ae4b78 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 818c767746c2b41da4562ed917dc0ea1 |
| SHA1 | d1c8a4cf16df654c21345ba1e1016478647ae33b |
| SHA256 | 8d50cc5bc26c7a8b284d0a7ea6ea7545f454d4e20057cb6565856267e7cb47a9 |
| SHA512 | 458d6ecd4aab88ece919f2e84ee297dcb972f90906e8d008cc94d265a934c3a59baac575a8cbcff5662cb24d3a5eed04d3e8e464c1c9403a6bb757553a05737c |
memory/2324-15-0x00000000002D0000-0x00000000006D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2652-13-0x0000000000FB0000-0x00000000013B8000-memory.dmp
memory/2324-16-0x00000000002D0000-0x00000000006D8000-memory.dmp
memory/2324-19-0x00000000002D0000-0x00000000006D8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | 51eeed6692a19bb24fb93988cecb3708 |
| SHA1 | 201bc35e4b25ba770625a84b1152efabf03b7f72 |
| SHA256 | 3b4c6e551f67952bfca858afcff76b7fc9df2b6303eb3d4b30cf69028ed2145a |
| SHA512 | 2ff72534402b572d9d65b28e0a430b8ae5adbaf02d58b0e73752f9f1b3e5aa0ade7394214c085b4276322b3550b8e2702d9df0c944cd34b9205c7bcacc48c89b |
memory/4200-36-0x0000000000020000-0x0000000000503000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000541001\Miner-XMR1.exe
| MD5 | 2eafb4926d78feb0b61d5b995d0fe6ee |
| SHA1 | f6e75678f1dafcb18408452ea948b9ad51b5d83e |
| SHA256 | 50b50beee2174d403ddba91f4f0b13d8e754ed2f979ad7c60baeb6617249bb30 |
| SHA512 | 1885f5874c44a6841be4d53140ad63304e8d1924bb98fe14602d884fbc289ec8913db772a9e2db93e45298d1328700e2000ddab109af3964eaf6f23af61ef78e |
memory/3968-58-0x00007FF6E92B0000-0x00007FF6E9CED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 3ef515bb081e3a8546a39219bf1310a4 |
| SHA1 | 65b19bc8100f6b67368c46b33d39ef441aaeaeb0 |
| SHA256 | 9ae50d0f38c49c5e2a1e90d5bfa9972e551f8274f83fcf7182ab3ed38b2fd394 |
| SHA512 | 22dcac861796e40936f536c3eb908d16fb33b209dcfe5ebd39318bca9134bcdf1504d01ace87b348d6fcfa3cb92f7366d47df1de6f07a64f8b9eaaecf1c2fbd1 |
memory/3968-79-0x00007FF6E92B0000-0x00007FF6E9CED000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 774510bcff294f80e47a210a19483749 |
| SHA1 | 0de009eca6fe604d132b052a424479b76ca72448 |
| SHA256 | 207e61d940900c1a17cc112b66072482aa0f11d4933f0387bf9d9b8f6487f955 |
| SHA512 | 076c64b82bf55e174f2283829292f5a21c072f57fa107900f9f013f82e94c833264e4cfe5a83d81830162d054b35c21f67778dcf25f7fadd6168d70b0b511741 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 34927273ba25cc3bf5f055bcff675c8d |
| SHA1 | a56bf2edccde62cc69f9ebcf460473e11217f03d |
| SHA256 | 07cfd9bbbdee052d89283b60f3a282617f7d2659df8d43743b409d337fef7e14 |
| SHA512 | 7a8626ba16f03508ce262c6b48b0d0f726485fdeb44270267eda97fc6cbc8c66a6b516b97808756caa0145654ad109b4eac3e6e0fe7ec9d9652ea40731a33504 |
memory/3980-82-0x00007FF690360000-0x00007FF690D9D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 4dc62aa51086843a31d87236c87f21e4 |
| SHA1 | c7cdc373668dd8f7373a433ed0f3703843b67c10 |
| SHA256 | 5a1a04657de632f044fcf0f4b089686de18840fa979a8265d8f9978f4feb5d27 |
| SHA512 | a876f4404d3be84ff8c36bd1005d844b0c22630cafb34631db7b07009c95f6564864a6811bb1b45ac415a64000748cb1626aa367d3deb8b616b6633bfde06658 |
memory/1712-99-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/3352-103-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3352-104-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3352-105-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3924-106-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/3352-108-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3352-111-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3352-107-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3924-113-0x00000000000B0000-0x0000000000114000-memory.dmp
memory/1712-114-0x00000000003E0000-0x00000000004DA000-memory.dmp
memory/388-112-0x0000000140000000-0x0000000140840000-memory.dmp
memory/388-124-0x0000000140000000-0x0000000140840000-memory.dmp
memory/3924-130-0x0000000004B30000-0x0000000004B40000-memory.dmp
memory/388-131-0x0000000140000000-0x0000000140840000-memory.dmp
memory/4580-150-0x0000000000740000-0x0000000000796000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/1712-129-0x0000000004EA0000-0x0000000004F9C000-memory.dmp
memory/388-149-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-126-0x0000000004E90000-0x0000000004EA0000-memory.dmp
memory/2324-125-0x00000000002D0000-0x00000000006D8000-memory.dmp
memory/1712-154-0x0000000004FA0000-0x000000000509C000-memory.dmp
memory/2384-156-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4200-158-0x0000000000020000-0x0000000000503000-memory.dmp
memory/2324-155-0x00000000002D0000-0x00000000006D8000-memory.dmp
memory/388-152-0x0000000140000000-0x0000000140840000-memory.dmp
memory/4580-153-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/388-157-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | c6aa6b0bcb80aaed4fadc9db40db1e70 |
| SHA1 | 857f53564cf5100c9a3004979726c3acd83a1981 |
| SHA256 | b415781859c620c423165dc8e384088d5de956046368c402bf9212945c2dd7fd |
| SHA512 | 2f1c7287f6e16c63ed9e2b791f4f45fad2653c4d2d4a622d89035f6566be900e671033a5dc74c1f33501ce6ecaa7638079a569077e6012aa87271d210d7b31f6 |
memory/1712-175-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/3924-176-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/2384-181-0x00000000057E0000-0x0000000005D84000-memory.dmp
memory/1712-197-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/4580-200-0x0000000004FE0000-0x0000000004FF0000-memory.dmp
memory/388-202-0x0000000140000000-0x0000000140840000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | fe6134291b8ec20a29a367ea86ff66b5 |
| SHA1 | 7c4d4320e4a21bd733414476882fc532bc8dd54d |
| SHA256 | 454b2b5c2464ae13a3f98dd65a1e008423844efbd53ed0a74fa7b8b13c1b9aab |
| SHA512 | 65c4b2281947945d586fd19582a690297d4612df2a6ffcb776325a6e4c9d23b21ebce32752f68635bcb7f3d80dc6f5e3c413c91a44ae4743ef8e25ca894f78c2 |
memory/1712-211-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-221-0x0000022C51270000-0x0000022C51290000-memory.dmp
memory/2356-224-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/1712-229-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/3604-228-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/1712-223-0x0000000004FA0000-0x0000000005097000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | dcd5f6da4bdcd043db0c78f335765abb |
| SHA1 | a3532490f75e642e59440a5dba3bb252a9fab9bf |
| SHA256 | f231f8e16e32365bd95fad70873f4878b53150dad753e8f68c4fb7d0e64bf2bc |
| SHA512 | b3b3e060ac76431c5f6a07f90bf117e61ac357ac789efeaa9abc454e14afcf6973ed734b6f678d49be1daf248558068d83543cfbed793d73cc073040b8b7412a |
memory/3604-210-0x0000000000BB0000-0x0000000000C04000-memory.dmp
memory/2384-207-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/4580-206-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/3980-204-0x00007FF690360000-0x00007FF690D9D000-memory.dmp
memory/1712-205-0x0000000004FA0000-0x0000000005097000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | afa4b5293faaade81fdcfb074a0f68f8 |
| SHA1 | f92b8bb183029f98ea497513e4e625354f44a20e |
| SHA256 | ad54b9c45e35baf130eb1f5f5ffa49681ee47426e0df07c664e78f9105e452ee |
| SHA512 | 9c80fe269b6379d425c24a5ff123f8f594d41ad993d91005430aa4ee6f77bd834a9886bae40023441607ffbbf1fcb0e32aef1b39afd1789a003f2f46139e95c5 |
memory/2384-196-0x0000000005230000-0x00000000052C2000-memory.dmp
memory/3924-194-0x00000000023F0000-0x00000000043F0000-memory.dmp
memory/1712-186-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/2356-183-0x0000000000400000-0x0000000000452000-memory.dmp
memory/388-179-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-178-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-174-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-164-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-161-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-238-0x0000000004FA0000-0x0000000005097000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 35d7118f69b76d9474adf17f57f007bc |
| SHA1 | 876630920cc32720d7b1abb809c4dddd024ffd70 |
| SHA256 | 4aa5c237c6289fb4427bd2c9b4d2a0557cd74fb2c58c1b044cff7d0810fdcb16 |
| SHA512 | 32e6f31dbaa5a1de570b2556125ca85fd942c412ab908792c4b1115eaaffabc897137d2e9a4aff9ba5dba44b091afe9574170236629f41a8907f4e9268ce7eba |
memory/1712-244-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-242-0x0000000140000000-0x0000000140840000-memory.dmp
memory/4200-246-0x0000000000020000-0x0000000000503000-memory.dmp
memory/1712-249-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/2384-252-0x00000000051C0000-0x00000000051D0000-memory.dmp
memory/1712-253-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-254-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-256-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/388-257-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-259-0x0000000004FA0000-0x0000000005097000-memory.dmp
memory/2384-260-0x0000000006580000-0x0000000006B98000-memory.dmp
memory/2384-262-0x0000000006340000-0x000000000644A000-memory.dmp
memory/2356-263-0x0000000006530000-0x0000000006542000-memory.dmp
memory/2384-265-0x00000000062E0000-0x000000000631C000-memory.dmp
memory/1712-266-0x0000000004FA0000-0x0000000005097000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 1affff641ac6eafe4aa557fb1ad8b2ea |
| SHA1 | 0964b9b3de39cb2bf97d719c07f50ed2dfe9e8f1 |
| SHA256 | 522047b7fde92c570bb9ed10d63237989f6cc5e3973d57fca46965088fa9054a |
| SHA512 | 4dd2f6b78b0ec5975570323bf115f2e20c131c40da078f8a625c8c8d31c776b57aeae833e4deeb563fdf08f83d1417bba4296293dc57e72c4a7550f10ba1286e |
memory/388-250-0x0000000140000000-0x0000000140840000-memory.dmp
memory/3604-272-0x0000000005820000-0x000000000586C000-memory.dmp
memory/2356-248-0x00000000055C0000-0x00000000055D0000-memory.dmp
memory/388-247-0x0000000140000000-0x0000000140840000-memory.dmp
memory/3604-243-0x0000000005690000-0x00000000056A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/1720-239-0x00007FF690360000-0x00007FF690D9D000-memory.dmp
memory/2356-237-0x0000000005560000-0x000000000556A000-memory.dmp
C:\Windows\TEMP\zamrbllfjgdb.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
memory/2556-298-0x0000000000530000-0x000000000058A000-memory.dmp
memory/2556-318-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/2556-320-0x0000000004F90000-0x0000000004FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
memory/2356-365-0x0000000008CC0000-0x0000000008D26000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | aed6732f41e44a2618eebfd97f7b021d |
| SHA1 | 1bdc5e9829ac57710e1849324cb08bcc0effcee2 |
| SHA256 | 0937bf680a0bee9e9f29398a42b418de3e7c9bd6acd83305242ebb7d12ade7db |
| SHA512 | 6fbb5983812b4771a31f46aea6f628128d90ce62a58210713ec5357e8bf8a1600eef4e2b254ec36c7e0a559ae9d0fb395110925cce18eb7b24b1113de4563fe5 |
C:\Users\Admin\AppData\Local\Temp\1000550001\leg221.exe
| MD5 | 05acab9a2320b5ae731c681d067b7910 |
| SHA1 | a99db4f7980921f8d547b5c23bcb78164ca26da6 |
| SHA256 | ac0c9df26183f19ba5de78c9864b76aefbf869dd6720752ce684c9a84a37e56d |
| SHA512 | 33cfbab190686672e49f42d3867eade31ed8eee8220bb25db188efcf30782c5495bf96d0454d13d860f157cf37f53799d4bdca5c4d3b2a00ef0ee4697b2f2076 |
memory/1712-378-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/1544-380-0x0000000002410000-0x0000000002452000-memory.dmp
memory/1544-386-0x0000000004A20000-0x0000000004A5E000-memory.dmp
memory/3792-388-0x00007FF74C7F0000-0x00007FF74D22D000-memory.dmp
memory/1544-389-0x0000000004B50000-0x0000000004B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | a554a5382f441e72e95807271120425a |
| SHA1 | 4dd2ce234408c379808284209081ab48231b2c36 |
| SHA256 | dad975a129729facb71ef2d602c4db9c5ecd3c4abab3164d146691b3b3f670f5 |
| SHA512 | 538af15e70a9b3826106b36aa7117ba999ace1d7ea159cd2145af5e114c9437028a679adf1d73e26762b67e2d347d3912f0c4ee19d827abc0d079393a34ab7a9 |
memory/1544-391-0x0000000004B50000-0x0000000004B60000-memory.dmp
memory/1544-404-0x0000000072CE0000-0x0000000073490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | eaac501388508d6881f534d010312c23 |
| SHA1 | a0bf13f52fc7eb8e97a6500a90205468b387263b |
| SHA256 | 7f5b2de973aa012fc1b120f882bf27938299f2eec28756e39307bdc7b4be0e1b |
| SHA512 | 56c7c36a75fc82b8dcaa89acb37a1a466cc7173d073f06f43d380d7fec7889708ed08d258c9ad7f68941252beeed18a841b8e85bffd5ec7c594e2dd0394f2bb5 |
memory/528-420-0x0000000000650000-0x00000000006BC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | a0fef664fc14b5d0c4d24d2cd5d03aaf |
| SHA1 | 0dadf1d32a9ab6538a5b039b357574bc2ab16f5a |
| SHA256 | 50f2c5c52b712c9eb4c917de9839b7a0c9cf06698e707dbca2e1d0787042b024 |
| SHA512 | e8659a19be11c977c4e01d8e27aa30ae8cc41e58c492501de7a82f1d7fed76d34f097706e832a7d61a838fd1d05d03f9ea46fd07113311454d968e36bfb80dc1 |
memory/3792-424-0x00007FF74C7F0000-0x00007FF74D22D000-memory.dmp
memory/528-426-0x0000000004F00000-0x0000000004F10000-memory.dmp
memory/528-430-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/2556-434-0x0000000005D60000-0x0000000005DD6000-memory.dmp
memory/2356-454-0x0000000009260000-0x00000000092B0000-memory.dmp
memory/2556-453-0x0000000006060000-0x000000000607E000-memory.dmp
memory/528-457-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/3924-456-0x00000000023F0000-0x00000000043F0000-memory.dmp
memory/3604-462-0x0000000072CE0000-0x0000000073490000-memory.dmp
memory/2588-460-0x00007FF626A20000-0x00007FF62745D000-memory.dmp
memory/2356-466-0x0000000009DE0000-0x0000000009FA2000-memory.dmp
memory/4432-464-0x0000000072CE0000-0x0000000073490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 5da54273333d806f8e960fef640463ee |
| SHA1 | 945da7268586b47ad09bb824d32a5b8ef1fe5c26 |
| SHA256 | 4d9fd4dcafe092f58c0db817e8688668e72a08504549e481559523d1b27691de |
| SHA512 | 28cf31fbab625a2fcaba19529bd1d4075d183d5a3ac249a82e09264aafca7eecf823912a5994fbc9d553e40598301c5e9aaa639c2e3e2b8f8f79d397eda20500 |
memory/4432-445-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | d200126700c854f55dcadbd46c80fe87 |
| SHA1 | 92aca1c6700a2313161b773e862655c2541a041c |
| SHA256 | d5728aeb54cec5295f70c9f0480e3521eb3e818f4acd0a6c33c123b78c3ca97f |
| SHA512 | eb4009e0b49c97afa5e45ed436f8598ad317046507e35f91ea230542480f0fa72445ae163f96535ec6eedc78ca90822d2f033f4c016816fb582644bb36b404af |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 7e5c38888138ef37282df7d24cec80e6 |
| SHA1 | 4f2d0fc39c2d64da9b1668b81e7b545c855fb169 |
| SHA256 | d27bd225ff3d01ac3772fd0a5de1c06009bfe52fb0ca06644743b643290ebb04 |
| SHA512 | c935b9f7e4b0c516048dc0c51c37934533afb96348db21f4e5178871843bf4be7e1d136d5b5fa3afd670ab9dc5f7bbebbfebc3bcced0fbbbc2ba3abb7e85c1f7 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA1 | a118cf0ba2d4ac47473b9140c0aa7745efc6aac7 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
| SHA512 | 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log
| MD5 | cad4caba9aaab897691a633527fd5cc8 |
| SHA1 | b3e4fc90c296f60de8a70dd1ca52c88b22311fb9 |
| SHA256 | 38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e |
| SHA512 | 57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u5ufhfgj.bjr.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Zjqkz.exe.log
| MD5 | f7047b64aa01f9d80c7a5e177ce2485c |
| SHA1 | bab6005f4a30f12ee36b9abf6bfdfaa5411bbff8 |
| SHA256 | 807356d2424d2d04f51ebd56f926d4d5a8318bc947c76569a3b5ca2c2f279915 |
| SHA512 | a9af5ace72eb66a6156a5d8764031cdc46feefffabb6898651f91a5af7f3bcef645e63e8d01ed35f1105e824d6830f6fa97e70adda2d5b148ffaff5f54ca248f |
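The memory-dump and dropped-file entries above follow a regular shape: `memory/<pid>-<seq>-<start>-<end>-memory.dmp` for each dumped region, and a file path followed by one `| ALGO | hex |` row per digest. The Python below is an added example, not part of the sandbox report: it parses lines in that shape, groups dumped regions by PID with their sizes, flags regions that begin at 0x140000000 (the default image base of a 64-bit MSVC-linked EXE, so a region dumped exactly there is an unrelocated x64 image worth carving), and checks that each digest has the hex length its algorithm requires. The naming convention the regexes encode and the helper names are assumptions; the embedded sample is constructed from a few entries copied from this report plus one deliberately truncated digest row to show the check firing.

```python
import re
from collections import defaultdict

# Constructed sample: a few artifact lines copied from the report above, plus one
# hypothetical file with a deliberately truncated SHA1 row.
SAMPLE_REPORT = r"""
memory/3352-103-0x0000000140000000-0x000000014000D000-memory.dmp
memory/388-112-0x0000000140000000-0x0000000140840000-memory.dmp
memory/388-124-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1712-114-0x00000000003E0000-0x00000000004DA000-memory.dmp
memory/3980-204-0x00007FF690360000-0x00007FF690D9D000-memory.dmp
C:\Windows\TEMP\zamrbllfjgdb.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
C:\Users\Admin\AppData\Local\Temp\constructed_truncated_row.bin
| SHA1 | deadbeef |
"""

# Assumed dump naming convention: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>\S+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Hex-digest lengths per algorithm; a mismatch means a truncated or mangled row.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Default image base of a 64-bit MSVC-linked EXE.
DEFAULT_X64_IMAGE_BASE = 0x140000000


def parse_report(text):
    """Split artifact lines into memory regions and per-file digest tables."""
    regions, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None  # a dump line ends any open digest table
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m["algo"]] = m["hex"].lower()
    return regions, files


def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID, sorted by address."""
    out = defaultdict(set)
    for r in regions:
        out[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in out.items()}


def pids_at_default_image_base(regions):
    """PIDs that had a region dumped starting at the x64 default image base."""
    return sorted({r["pid"] for r in regions if r["start"] == DEFAULT_X64_IMAGE_BASE})


def check_digests(files):
    """Return (path, algo, reason) for every digest that is not well-formed."""
    problems = []
    for path, digests in files.items():
        for algo, hexval in digests.items():
            if len(hexval) != DIGEST_LEN[algo]:
                problems.append((path, algo, f"length {len(hexval)} != {DIGEST_LEN[algo]}"))
            elif not re.fullmatch(r"[0-9a-f]+", hexval):
                problems.append((path, algo, "non-hex characters"))
    return problems


if __name__ == "__main__":
    regions, files = parse_report(SAMPLE_REPORT)
    for pid, ranges in sorted(regions_by_pid(regions).items()):
        for start, end in ranges:
            print(f"pid {pid}: 0x{start:X}-0x{end:X} ({(end - start) // 1024} KiB)")
    print("regions at default x64 image base, PIDs:", pids_at_default_image_base(regions))
    for path, digests in files.items():
        print(path, "->", ", ".join(f"{a}={d[:12]}..." for a, d in sorted(digests.items())))
    print("digest problems:", check_digests(files))
```

Run against a full report export, the grouping collapses the many repeated `memory/388-...` lines into one 0x140000000-0x140840000 range per PID, and the digest check catches rows that were cut short during copy or extraction before they end up in a blocklist.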