Malware Analysis Report

2025-01-22 10:24

Sample ID 240123-ttm52acff5
Target b06437ffb6c87f69539842cd536e78d3.exe
SHA256 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
Tags
amadey glupteba redline risepro zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic discovery dropper evasion infostealer loader persistence rat rootkit spyware stealer trojan djvu smokeloader stealc vidar xmrig pub1 backdoor miner ransomware
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

Threat Level: Known bad

The file b06437ffb6c87f69539842cd536e78d3.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

RisePro

Vidar

Djvu Ransomware

Glupteba payload

Detected Djvu ransomware

xmrig

Amadey

Glupteba

Detect ZGRat V1

RedLine payload

Stealc

ZGRat

SmokeLoader

Detect Vidar Stealer

XMRig Miner payload

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Modifies Windows Firewall

Blocklisted process makes network request

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Modifies file permissions

Checks BIOS information in registry

Checks computer location settings

Manipulates WinMonFS driver.

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Checks installed software on the system

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Program crash

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Delays execution with timeout.exe

Checks processor information in registry

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 16:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 16:21

Reported

2024-01-23 16:23

Platform

win10v2004-20231222-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (37 identical rows, all columns N/A)

Glupteba

loader dropper glupteba

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (10 identical rows, all columns N/A)

RisePro

stealer risepro

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\System32\Conhost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe" C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
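
The four Run-key rows above are the persistence a responder has to find on a live host, and the report prints them as a raw `\REGISTRY\USER\<SID>` path with an escaped value. The Python below is an added example, not code from the sandbox vendor or from any of the families named on this page; it parses the rows exactly as copied from the table (sandbox output, not constructed data), turns each into a hunt-ready record and flags two things worth a second look: a system-binary name living outside System32 (the `csrss.exe` under `C:\Windows\rss`) and an image in a user-writable directory (`rback.exe` in Temp, `clnt.exe` in Roaming). The list of system-binary names and the user-writable markers are my own choices for the check, not anything the report states.

```python
import re
from typing import Dict, List, Tuple

# Rows copied verbatim from the "Adds Run key to start application" table
# above (sandbox output, not constructed).  The table's columns are
#   Description  Indicator  Process  Target
# and for Run keys the Indicator is `<registry path> = "<value>"`.
RUN_KEY_ROWS = r'''
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe" C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
'''

ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+?\\Run\\(?P<name>[^\s\\]+)) = '
    r'"(?P<value>.*)" (?P<writer>\S+) N/A$'
)

# Names that belong only to binaries under %SystemRoot%\System32 (or
# SysWOW64).  The same name anywhere else is a masquerade.  explorer.exe is
# left out because it legitimately lives in %SystemRoot% itself.
# This list is an assumption of the example, not something the report states.
SYSTEM_BINARY_NAMES = {
    'csrss.exe', 'smss.exe', 'wininit.exe', 'winlogon.exe', 'services.exe',
    'lsass.exe', 'svchost.exe', 'conhost.exe', 'dllhost.exe', 'rundll32.exe',
}
SYSTEM_DIRS = {r'c:\windows\system32', r'c:\windows\syswow64'}
USER_WRITABLE_MARKERS = ('\\appdata\\local\\temp\\', '\\appdata\\roaming\\',
                         '\\programdata\\', '\\users\\public\\')


def _unescape(value: str) -> str:
    """Undo the report's escaping of the value column (backslash-quote and
    doubled backslashes) and drop the surrounding quotes."""
    return value.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def classify(image: str) -> List[str]:
    """Flags worth a hunt: system-binary name outside System32, user-writable dir."""
    p = image.lower()
    directory, _, base = p.rpartition('\\')
    flags: List[str] = []
    if base in SYSTEM_BINARY_NAMES and directory not in SYSTEM_DIRS:
        flags.append('masquerades-as-system-binary')
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        flags.append('user-writable-location')
    return flags


def parse_run_keys(rows: str) -> List[Dict[str, object]]:
    """One record per distinct (Run key, image); every writing process is kept."""
    records: Dict[Tuple[str, str], Dict[str, object]] = {}
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f'row did not match the Run-key layout: {line!r}')
        # \REGISTRY\USER\<SID>\... is HKU\<SID>\..., i.e. that user's HKCU.
        key = m['key'].replace('\\REGISTRY\\USER\\', 'HKU\\', 1)
        image = _unescape(m['value'])
        rec = records.setdefault((key, image), {
            'name': m['name'], 'key': key, 'image': image,
            'writers': [], 'flags': classify(image),
        })
        rec['writers'].append(m['writer'])
    return list(records.values())


if __name__ == '__main__':
    for r in parse_run_keys(RUN_KEY_ROWS):
        print(f"{r['name']:<10} {r['image']}")
        print(f"           flags={r['flags']} writers={r['writers']}")
```

The two `csrss` rows collapse into one record with two writers, which is itself informative: the Glupteba dropper installs the key and the installed `C:\Windows\rss\csrss.exe` re-asserts it on start. On a live host the `HKU\<SID>` path is the logged-on user's `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, so that is where to check, together with the presence of the three image paths.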

Checks installed software on the system

discovery

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\System32\Conhost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\system32\sc.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A (15 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe N/A (15 identical rows)

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\Conhost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\sc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\Conhost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\Conhost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Windows\windefender.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A (15 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe N/A (2 rows)
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A (16 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe N/A (2 rows)
N/A N/A C:\Windows\System32\Conhost.exe N/A (10 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe N/A (2 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A (12 rows)
N/A N/A C:\Windows\system32\sc.exe N/A (3 rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A (2 rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 836 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 836 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 836 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 2256 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4428 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 4428 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 4428 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 4428 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4428 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4428 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4428 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 4428 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 4428 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2036 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2356 wrote to memory of 444 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4428 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 4428 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 4428 wrote to memory of 3632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 4428 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 4428 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 4428 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 4428 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4428 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4428 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2544 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3164 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3164 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2356 wrote to memory of 2544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 2356 wrote to memory of 2544 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4428 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 4428 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 4428 wrote to memory of 3524 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 4428 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 4428 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 4428 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 4428 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
PID 4428 wrote to memory of 3664 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3680 -ip 3680

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 348

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp

C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1288

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

\??\c:\users\admin\appdata\local\temp\F59E91F8

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 a220d711a686988c5b0e89166eed2e0a
SHA1 5d7ed1406277bc0ca09ef569edda2eb08b55730f
SHA256 3d08ee58bda062a65abaced0d99154d5d6ef93d78c23658c5238f59afbd9f3b7
SHA512 ea27aa81b1e58acbb33dee178bde737fa0fa26db4ff937305958ba5d318621650e703cfd374687f42bae1015f43391d8255f912a828e74bd26e0e659f4afe282

memory/3252-551-0x0000000001120000-0x000000000117A000-memory.dmp

memory/3252-556-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/3252-558-0x0000000005600000-0x0000000005610000-memory.dmp

memory/1652-561-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/3252-629-0x0000000005A90000-0x0000000005AF6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 8353c8e2769ef6959b1fe147d3e98ee6
SHA1 0d9009a0a7c2913a7a3092d9a83a26d4b9ae57b2
SHA256 bc901189d6c1079ba4d70dab59f77472d7b03bec807e5cca73848c67c7f3ac87
SHA512 f2838eccd8a1910bf46b46e21c24a0ca459944d46c0b7e4f1486c9663e493ce9842aa8634ca052623a4ae512ddd8337035ce45ab23335df69e3dc89252222c69

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 1bf77200320ce12125247fa912480682
SHA1 3f95b18cecf96da962415c7faed37d6d7890013e
SHA256 b06dff73ce191b9ad5614ce509aba79828bee1d2933aa7fd32019e7fc48a303a
SHA512 02e310e26ce229a00f07a47b2a91878eb0c3a14af04db5bdfa86b32b7dc158da39f9d133ac1b6551d9e5f2bd019caeea1b20a34c12583d9c1a0461db08b50164

memory/2544-668-0x00000000001B0000-0x000000000021C000-memory.dmp

memory/2544-673-0x0000000000AD0000-0x0000000000AE0000-memory.dmp

memory/2544-672-0x0000000072B20000-0x00000000732D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 cc6a3528ebceb669bc5158b1e8806365
SHA1 89fa8e786cd888b144a925d7c1480ddb6796ffe4
SHA256 7959ca325a4208c6e07c7a77ca64f9cf9d9851d56418d68f83609a69727e3317
SHA512 d9583379e9ea5eae553cca20df520b545118a06622995bbbc24d8c08e826a72ca205d40590799034de32327dba53178c3a7e4017c95c96fdea9e8fcd1d3af36d

memory/2356-683-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2544-685-0x0000000002430000-0x0000000004430000-memory.dmp

memory/2356-687-0x00000000051B0000-0x00000000051C0000-memory.dmp

memory/2544-691-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/2356-690-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/3252-697-0x00000000066D0000-0x0000000006746000-memory.dmp

memory/3252-701-0x0000000006870000-0x000000000688E000-memory.dmp

memory/2356-745-0x0000000006FC0000-0x0000000007010000-memory.dmp

memory/2356-775-0x0000000007760000-0x0000000007922000-memory.dmp

memory/2356-778-0x0000000007E60000-0x000000000838C000-memory.dmp

memory/444-1033-0x0000000072B20000-0x00000000732D0000-memory.dmp

memory/444-1166-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/3164-1167-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/3164-1168-0x0000000005040000-0x00000000050D4000-memory.dmp

memory/3164-1169-0x00000000050D0000-0x000000000511C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2w5jlcwv.eeo.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 908ac3bcf77f46b96f3685f39d71bf9a
SHA1 1a408996005baa68467289aab892d341d3f9583f
SHA256 a19387eb71ef611f0a4ea1c98eafb670bfe50ed7792bbc6c53621bd973fde5a2
SHA512 b97ec257ebfc828622512d9f67456b9119d0eeab1d30338d57a86746935c09ef3c245ef514518278052f5004d8eab04a2cfbc14b5aa9c8cbf4a2a67a95eb7552

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 25b38c1cf0b5c28b8d5afd1746c9e88c
SHA1 399fa10f09ff0e4ea66b5ad5e3d44dc54ae63a0e
SHA256 856e11537eac11974df7e2dc362c5bd6979a3a616ccf939afbc3b84dea4d339f
SHA512 27e88a4e9ba5010f9967491076980303ca4767096aef96dd33d5fe75933f73c175922fe5b450c04135551b037949ff1238616371fa97def743b84bae52661850

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 893768341f0cde691bd48819c3557a41
SHA1 f06f6a21dfafa040a1547a8da25ae5c1448a08c0
SHA256 9572f0fb80ae5bc3bd77c99818eaaad43d7f5157c92603e826e10001a9d4c155
SHA512 192519080b9deeb87e560522bf28d11db5416c68cf44b1a89b6b4485de5825864b9ea1666c345a7cb8407d052362f741d5baca81773cf78ca81c8cff86733f14

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 44ffa844b490732f3c13d4ab996b3fdd
SHA1 e6fb8c2a9baa37bc9f2b10497356be583e448f0b
SHA256 e3a7d660ed8ae56501f00052ddc0130df09da7f479dbc62bd7225cb013d4c7c7
SHA512 b351d7a77b0edbecb91f1ebbb65916ddfd3378735c3d2464fd66cb0c71b9c65621b6440e1e809814d4be5ba3d0e372de48478d0d0718e301b26883a5cc2e836c

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 8c4b42ca740a2f0fb25370ecb15bd004
SHA1 6a909b17e241d36aed4d26acc2b057b9fc9bbbe0
SHA256 3ef7669f648554fa7e7c89834128d1a52ddf52fd630745205fb1f4f224b31bea
SHA512 b20dc75759f97874c2915cf2b9c872d973a0a23d39e49bcfd22b001fa583d3e54f1d27065d895f472a95d1fe7c6b077faf75e37dfcd08423fb18fc07f3747689

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 265399833c2416bb831d7e8a0bb54d8e
SHA1 75a00c73c9bbcaa30991e042ba88f40fdff5dfb4
SHA256 d782b4698a16399849ed12c46dcde2fa295c5f0db3561eac42607116059c8751
SHA512 ad18030601c737c0af65cd46285dfcf83bde47655f30778a12ab0de9ce694607a1eab2c473650511cc068ef8ee4d5efcdba4cb05a647b7db5a6ccbe76ef6dd6e

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1dfbfa155719f83b510b162d53402188
SHA1 5b77bb156fff78643da4c559ca920f760075906c
SHA256 b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831
SHA512 be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 ae47a2bf3df0762ebdfa13e53ff7f4ad
SHA1 71d5088f0743b2b9c28cb191b58b0c0a0c5fba59
SHA256 f10c5cbcd62dc107c5ddb3ef27f3b237005ca402891e4aa02d8069ba7521153e
SHA512 6fe3877dd48154d4bf90c7cc4f1d79282f2cb2367fdb4dfd2d42aaea0b258e80493010350c6f4ae379849aed7c12f2930d6ecd874d603da5ce7059d3c66ba8f8

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 ed164a472a75ec2563845f999d78e5f1
SHA1 e3708f6cab757ff669d58fc7df533e09dab8a046
SHA256 0841ec4dfcc4252d3e1cc3d2e68bbc75e2d308eb875e43bd94d344828e7d8dee
SHA512 01af685ac374555b4c73983d7f466d962a45199fdfd8ca78497d4f65acfa1d1dc95653d5a7315b34b3ef3f4bc0effee29debd6972df6125e83a448c7fc762b88

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 e737c486e1ff2cb34baca33f949b4aa4
SHA1 ba8f8fcf7f150583209f038ba9ffe7fc55854ae4
SHA256 192c5a87ee22bd28d58f8c232840509c00d7079a08826cef32306db7c14c1d39
SHA512 d0eb9a65d350db32da070c4dd079c4432df2ec81e08d903b91a22782a1a750fe452a0585b64284e87cde59a6e9bdbf33f33b0f595b9e42ede126b844a2f2e8d0

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 1c030911418dad5c97202d830fd9ea3c
SHA1 5870bf6fe2f4c00a4a296e501f3bd290ef223206
SHA256 dc6b43d41f061601181684c15018a14126b9a2497d9bba90d5d953bf89212341
SHA512 b0133faa5d2867f0ff6b6d7f45498a1d96ba4d57486739a5e09a144315c4352d73652afb0f0cf0d5181bb6baacdfe84c1192df6feebc548da7dbc4bbba6ab72d

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 c147d4ddf54c858ee51fbc03d7087a6e
SHA1 0f603086a2498f345ec6f79204e757d05996229f
SHA256 6907faa9ad60300ac0c0c9e74fe57557b7bb570c00acca716578f450d077080a
SHA512 6e153f7597a7aa144b0fbb96792810ca57179aa7e7399ad42f08a9c1dd1bd2b3db274a95bae9518f5ca5946a74ccf069a0d52d2d74db41187a44af5e9c9f1671

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 e901b6e2715aabb0f6325b4f4bd7ce97
SHA1 b96e3fa2d22daa576b85ae3d5b759e8a514a0ba8
SHA256 cb1dd6537a8ea6df81b2d9b2832d1809a0b164bf535016c05b0c00d6aa3805f5
SHA512 2aa63fb1481dfcb45d8b913ae2dff2f037256c71b71360b98de5b042bfee0d4ebbb3ce15dadd806f2fd38b135d0be809b2aa69c797c7f0e34258b37bfacae6f0

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 adc3814753fe3cf73c5781987041ad0c
SHA1 a29ceb7cb7703e46f7d415163e76b4433bd05c8a
SHA256 8dd28ef8a1feefbdb775b9ea44e2df11da89de9dae5597310437d038ea67e2c7
SHA512 fcc5297d68522dc3a63ad3abf2b70ebac65e98126163321a42b0da7a99f8713040f685c8a4342e8732f2ad5a430345731fa2866b660cf2e468fce5a9ac791715

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 329081245e83f9387da2e284d5c8c6cf
SHA1 286a52cf2d20ba51efe84a7499f1f501d1789154
SHA256 972d80dcb8e91e80a1e66fa2667b840d86e3a6222d4a3f8df21a46b56f3497a2
SHA512 fe7c9efab86cb896155a180c3bd11bee41ba58cafca3a0943695e9e3bc5a55adabae48ec23efa1595253e832a7b60768dcc0d96150f43cd02082c2635e423dbd

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 ec5fd22808f4554866061e41bf071e6c
SHA1 b7e658ca59fbfa2336701a948d27fcebea34e1e2
SHA256 8cbb960e261dd948a89a430dfb5d545cc07245e8abfdf0b513ca3b86196913c9
SHA512 5221600a51660e23063c1443eb6169fbf01378d3422646f9f5e1980bf704f1a09586714e92eeef8ce0ad8e5564d95e59dbf5e819fd7fc5512106357e8b98b9bc

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 b7b784828073fb2829cf2dfd17cd01d7
SHA1 4fad5ae0e40a0e5577ef39f29724d55b8def36d6
SHA256 e0a224372aaeea2acb735e99022a71b1b473df36da489058ea93633043b3002f
SHA512 3fc5bf39968788c43634cad3562ddd44a03e66c76e2137b966c11311065938b8893d62051a482e6d18bc23c75921c34ba4e61d0decbff1506401bb7159145ffc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 60bb0bd7d015ed25f7b8aef1b41bf2ba
SHA1 c93ef1b5066d2fff7a95839e29bb59de211aba25
SHA256 c7aa7af9101cae3e29fc822fe45c0eff63993d8f790fbb5efbd284627ff195f9
SHA512 5b9bb6be682d54c15d70bc7c9b9aaac49f9b78e9a8eb0b52eb9bec2c1eed2c4e88201e3694bfea0af113b0df1bb2a31f86bb1a0be48c7d67ccebbc8daf292688

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 d3e91fda39ad32d80ce0144761ce551a
SHA1 adb9ddae5f34c19ed48391007f1b4c74cd1e2b54
SHA256 60f04a05a1d37f202f2573292518725aa6668cc841294a023bfc65c69bc4c112
SHA512 fdc6d1cca2242fabc8308c62e51cf384542b86c69fa2b3f01b5347b86846cdf622fbcd56fb9577ba6175a2ee8968d7d2a176ce83d0cba342262b4718df11edef

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 be5dd8b7ee665c298c372c4883c3c15e
SHA1 f996f23d5a9d9702e564b94a658dddba4e185660
SHA256 ecc729d531520e7efb7fc1f228032466412c913df6bba13bdab252813dd01098
SHA512 6cf239a6c29ce95def999c786d5b3836e7355f56fe7fc3210f6e1123e83d97a3badc5a5e1afe7b1718195bfd4d0a7223f2fa9af6214e2af5a0922532d5078930

C:\Users\Admin\AppData\Local\Temp\nseB78A.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe

MD5 68db7c53da79e753aa3a2925b8a8c0ad
SHA1 71afb05bb91250fd0af11a63ba73d48b59db1b52
SHA256 82ac70b200fad9c84896317b466a397c8260d4ed8af5e6e6f387cc9ec596adb7
SHA512 4be2e409c77e986673cb616e6b84770af2da2ed85ecde8b3e9952346a8b187281ee6a98b56a35384331c70cc55fd9ecf375413d36af0d966f579d5fd1eec2cc5

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 78aafdef87391a876cd8172d47de9f8f
SHA1 1bf8a0380cd9fd75e228048526d88453b37ab06c
SHA256 9681c13f447a25b207dface0ca068a45d6d48e9a713430ac0975eb4e09b31478
SHA512 c754f03f91b2335fcde8baa4940c5d04d263aee44824555ea001fafbea20c78b22265b436bb146fe7fe7e1f6d0f2a7b6355ae03a61fc92e98dc4eecbce3b309e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 08a1082b60d408553022d9d5b4e1fd30
SHA1 382dac8c7192f4c502de8e30b39780c6616e41f9
SHA256 60168cd51d0121ecc0cdb2926c3810ab848aa9f7dd809efc0b819197f2fb86ec
SHA512 cb62cd554074a5f64d43233ab8ee18838283a706bbc70da40e64d15661c36258e18c959f5cbf07ee0c89eb5f2de7850f9b85516dda52d9be4e58d98b9c6d81b1

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 219e7425b61f8b9f627e1a4659901f2d
SHA1 651ef7d25f58ddcc3d71d2d43078a9112929cde9
SHA256 137aaf991507d90ad86343ea960b798f349504fcbdc3b004ffd9a50366b6c1b9
SHA512 70c20cad836330c262939882b31456c17e19c7fb120f64642910f69cdb68a4bf9a97b9fc46e337f3715b73ba7e7415ac7454b38d97124d98c626a6b6a4243694

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 c68e8643d21a9339eb6bf4ca1949754d
SHA1 732d205bab5415dd28ba4f85d3e81f19147eb392
SHA256 2ab5f18b67a0eb16d16e42a33b4f6e3fb930d737d165006a4843e898fe03b0d1
SHA512 bba219d2b7c701d4386e7f5e8692304ef6e1ae83220e495a2b05c78af85aa98cd6097c5fa95080b305c3b2ae320bf75447649a4f8a6811389daaf2c9c27facfc

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 480c3a1d6df37e4ae5b5eafb0ed80c12
SHA1 0ade00ceb9b9370ef6a65f0e61f1b90f822ae963
SHA256 14ca1347341b34d72f518a91fc6c6e44f82a8529a61f7958ec99ecda5c7609c2
SHA512 f1dd0276434985f5eace431bd8112e003b0d7df52792c27141093b875592c980f8c98047b5de78610ee0c910ea0502320cb7a4b683b31b330f7b094776291164

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 71173f23ae22ec1b6dc5bfae7caf4f22
SHA1 c6b401463f4b84660bb96885948c3f420a1197aa
SHA256 a21f5423fcc148b39d13ec7161d6aa9d197c1fa06b426b0b93791e3766ce0892
SHA512 193ac643ad1a2e4a7b1df666b7324ed96f62a416e82827a4f71452a7933ad1c49a2a93c2d122a2add97e5a1c40655553ca65fe9d344e69ca3d756fbf1a0aabf7

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 cc12ea1bd2448437b58b90e4f0b2c164
SHA1 7cb8351edd38dd3639bae269bb7dd38628a4fd74
SHA256 20b6beb65d25af203a6401f2825e6a2343b3b49f9c86ef691f3d228619b299d6
SHA512 e1e546ef726338a9e267d2c2d4c41dbaf3e71a68169d5f6f26a33f518b67b5ba0fe37a9a6e5eb1cad33cb3c473590558db84b20463b5863cadc1d1015a764176

C:\Windows\rss\csrss.exe

MD5 c48a9726fbe0cbf1ff1fc34234c6f8d2
SHA1 d85f68b140d6cc4a0940b97f7bbc2f91589af9ff
SHA256 f70d670b433b02657fef04cb8d1c5669d42beb07928275b5de4cceb6cc645c17
SHA512 d6ccbb835729c465e2c2c2f9ea29e54981afe9e647a3b7fe8bdc7ce7165abf2c4675cac8c42f63a42c45cf7cd4b0bacbed5baa4121f88dfd58bc7b89814a15a6

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d2b2fdb2043e2415684cf24034aaf130
SHA1 804327ae0ef497644384211c8c74a0c34c04748e
SHA256 252dd2efa9b80025a9828495d44092be2a270a680bce8c1f78e168e47be358d0
SHA512 5758340d3f98e8de3f35ee43ea165cb228b1392ba20399e456105ddc45fd928e19d186caf38df27f96f0c3e7f3640fc5cdeacdf2d758d266a8f3c4fc924f0c03

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 57ecbc598b77d793223e056248dc769d
SHA1 53fe54c55108421fe1d4336f8512627699f1bb2a
SHA256 c62bdef7da02c8fb7a04badab5182d1fd867022dff40169a00aa8454675be8d4
SHA512 f270ea17e71ce6c816d9bae4cc44043da7bc665359b74fc7194221dc7c965bc174d1098c4a8208ac06ae0869d13f63a6ca5f9c38db7572458b9910d293bbe6cd

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 cc868817838921d9d6ef6a4b0b3ab330
SHA1 01a8c62e4b6b715052b7ddeb42290f3bf951b3cd
SHA256 cd4980867d89f76af2ceb44555f5d484bf4969e4ad547f7afbfeb6694c91ced4
SHA512 60907548bfbb6e4fce3bbb3b656a2191b08e58ead4ea74fe0e3871e809f788ea324ad65ffc224baf30e68161deeb372ec17f7b04ae9901bf5401a6d64a715ec2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 55ab88977cd3466b0affd372c9cda3f3
SHA1 fd5183b5ba087e51c457666823374769bc86463e
SHA256 18f991191b7ea4118f83b0cb4e648f5552d33e0b0bc118e58a2ed2db36a04449
SHA512 1ae7fd62efba9a5a0f448faaebc7f3278c60c4dd4c043f5409d6086ac1a29cb6cfeef45f6e232899f3772f05d68379e79f5dce913436755a9621363e2a7927f2

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 045091a8be6add4d196a2e65878246b3
SHA1 b2d8d8b4e59c071d9adf4a6c22f6de7d02f440be
SHA256 876c87f7d210a3655c07488b84cba1553fce5d90951b91479cedad7507492e0a
SHA512 5b74252945b7642832ff1c9be04d0168f90e5b2e1e638992e0307fa44128fb7f3693c27100aa1556ff63461609e66b2ed5c6a5c14a62f87cf94f585451403bd3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log

MD5 cad4caba9aaab897691a633527fd5cc8
SHA1 b3e4fc90c296f60de8a70dd1ca52c88b22311fb9
SHA256 38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e
SHA512 57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 ceb172f1cf7e2fe24bc8d3568d286cff
SHA1 2c71951192f03489b7db53bb3f697a3a7bf7b705
SHA256 1f2447f5f5aef2557d7822943254b30126ae27d7fb1bce6427a375d661427407
SHA512 a54e1ba75144d87cd58b0a48d07ae9e8d8b162db2c0efd22fdd1fab917ae29c13a589928009e60c8716b351d8539433b754037357bb07c986b0166b7338a1c11

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 91e7798e348f0d9557dc0b435eac3ad3
SHA1 7a714e3b7c1831fbed3d940cb3d0b38a8fb83282
SHA256 8ba70d9ff11b6c268fb6e93fe4155036eba3ccc1781dc0046152733204d5cef2
SHA512 0e642e1a6d5cf016c863cb7eb412c158e2e690d9fa066feda5b9b5988c62c17393b98841a8920fa6f00692cf7739558a59467922d51605cc84da3b4ba233028b

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 ff244b13307f50837a4dad053227fdff
SHA1 37344f6d9003fac3e16e6e6aac91c74da1f24119
SHA256 b0a2df0d29071c29d403658c5be40762248990016e74812fdafb5fa8e10837fc
SHA512 e6d52ac6cada1f3d5298705d6d4410c6377bcdc9699059c48c49f8f64edf1ccb0fd59acd689b403dfb4874401678bc9b738a36206a88fcc8a68472d0877b71b2

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 21a8c542428828a5e6a1cb034a44fed0
SHA1 844fb1c927eda73d1a8f612be9ad2269c2b410d9
SHA256 58fd67dc7b2bd50109bf21c72203288cb4d385a85661fc9f45d0b3591984ce3a
SHA512 85f0a2793e267566408ecf36405011d0549d8c1e2aa65b1be2f4a0aaca57e8f1743993536efaa84989a7a60907a8690b156664708345c8c411e426cfbf502670

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 f0ccb5263368da32a9ccf21b88e4136d
SHA1 9916792c3f9e064486a787f4f43d3f547cbb9af6
SHA256 d665fadff48f92632e871f88a991c7dd5df16dcc424ae617919b784cb816fabf
SHA512 bb7d72ea54efdd3dfcb91d26123467948525de33da0c59884c92684a9c1d9a64185ae27d75da9fa1c65f1a6fbac9607bbc389cc80cfb8a869b2bfe0edfd0741c

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 5e40035a409cb817b6bfbd533d4f4b45
SHA1 be427862e4392cd41ead4136265cb6b30e113c38
SHA256 a2435879ecfad2aa3f24d8fe8a4e54e213b5bee7864b009ec9efe892db4033ef
SHA512 d811c77692c4252c01a8d89e8659d03464099d7f0934c4351d2b73474b6daefde0a80e8187b43fa610a02c6cd9187a1efc33b31d46183e53e1ab90615166c5fc

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 ef189d3e909148c06a72a6075f3fbfcc
SHA1 961c815e77626031d67e01986dd56b8dc6c43d9d
SHA256 58ab3bde91496302ef9ccf6ddd1dae1dbdfe9efd6c1eee0361500550fcf8cee2
SHA512 b7275fec86ab75f74ff64946da78818359a5459466eba0c5aa594ec1cf5a0819057b3f7283d2b064336ed3b51d85b0d05bc7913b16b1653ef82522b863761a02

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 0b978dec75094e8e0478e6f226cac3b9
SHA1 3eec4fe1be8cfe5ff755cb7626260bd622486bec
SHA256 c306fb42c268916b874630f47cf40e52afe510f8ff80e73a4a6e7f60d8058f63
SHA512 0166d7d1f520fc77fe4a6f0c669202866b8c3ff8a82de94b4227c156707a173116f50a4df0e0383d1389eb780b53ba80eb42b88281825ef6c21e74ebbf0fd920

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 07b763680e3e7d02028925fccad83d9e
SHA1 8756ec9a734e82e5ec9ec29625f81c56273103ea
SHA256 b0ee37a3b91c1ae0d535802e51980b4a3e45b00ae27b04c9fd929d9e71543c2d
SHA512 400e342402b3e4290e9463472cdb10c7f54cba83ff3b399702eec14870fe26bf8f002b5b3998fc0f32ebbae563d527fd36bc54e22f41611a7103d213df4a62bc

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 22acd3ae0414e0a7a311ae73cf8fcb06
SHA1 aea663fe67da569920f008925a5d940fe0adaad9
SHA256 f9794d31cd1fafc3f98162ed7a1f0a7f241bdeac9596f4b3093a7c4251e5b336
SHA512 23f332007180687a68dbb7e066a694d2acdb426f2b28e7703c93010e25d5dbb1c4a5de612c085dd15e0755ed97832784027224b2651ae24df3d1da3a948f92e3

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 87c2ae7aa92502ae81e7b3ff7509d206
SHA1 83b5cc7d9b1a2b1cce7a02968242c746cec125e9
SHA256 cc0d77af967e19775fb7b7cafe53287035953f11c79b704e9685fdc3c1af622c
SHA512 205b1165d462d0864217edc00a0ca13c60a3cb63e12a9aa2d84083153ddb21eeee92b2df96c4202cf235888a3b759cb83f89a3b7d771a811d25733f885dacfb8

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 16:21

Reported

2024-01-23 16:23

Platform

win7-20231215-en

Max time kernel

42s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

Signatures

Amadey

trojan amadey

Detect Vidar Stealer

stealer
Description Indicator Process Target
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Vidar

stealer vidar

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 384 set thread context of 1064 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 384 set thread context of 2992 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2628 set thread context of 1584 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = [blob data omitted] C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1888 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2272 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2272 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
PID 2272 wrote to memory of 1680 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
PID 2480 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 2272 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
PID 2480 wrote to memory of 2168 N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 2272 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
PID 2480 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2896 wrote to memory of 2276 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2480 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 2272 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
PID 960 wrote to memory of 2056 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\choice.exe
PID 2400 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe C:\Windows\SysWOW64\WerFault.exe
PID 384 wrote to memory of 1064 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 144

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\40E7.exe

C:\Users\Admin\AppData\Local\Temp\40E7.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {E3F137C3-06F9-47A3-8CA9-0A3868410082} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\88E0.exe

C:\Users\Admin\AppData\Local\Temp\88E0.exe

C:\Users\Admin\AppData\Local\Temp\88E0.exe

C:\Users\Admin\AppData\Local\Temp\88E0.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\d88f5157-c769-474b-90c8-6318755fcfeb" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp

C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp

C:\Users\Admin\AppData\Local\Temp\88E0.exe

"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240123162238.log C:\Windows\Logs\CBS\CbsPersist_20240123162238.cab

C:\Users\Admin\AppData\Local\Temp\88E0.exe

"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\B2A.exe

C:\Users\Admin\AppData\Local\Temp\B2A.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe

"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe

"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe

"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe"

Network

Country Destination Domain Proto

Files


memory/2308-413-0x0000000000220000-0x00000000002B1000-memory.dmp

memory/2308-415-0x00000000004C0000-0x00000000005DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\88E0.exe

MD5 3392ef91665cb1e912d5e132417e7755
SHA1 a454a1e8f6ab9b777393d7150a9ede196c205b46
SHA256 ad6471ac5ecd739c889762207c151623cd59272c82fa5c971ab586516a995f98
SHA512 99b76c81dca910f47a78fd0c65d1cf80a4714150f3fbe096d5f061caa3bfdd0acd7c09db9879a1d51fd7557eb5533dc4235a34cdbd21f3454928fd5bd6ec657f

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/1580-422-0x00000000002E0000-0x00000000002E8000-memory.dmp

memory/1680-423-0x0000000073CC0000-0x00000000743AE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2547824e95b4c9733672dc77772594e7
SHA1 8a863c0f64149372b1962ab000a6c37ecdc84c13
SHA256 32a0f9a67aacae7de41f94ff3d66095963f407f4b571ee7e5c544d53e99e6210
SHA512 e0641d16ec80a5112aa26c727533a3c33cfe3cabd71980b4ee30fe432ee3061419ea87c1b5692856d4a8da06faf2936ffdcd4898f4db41a48e07521e859d54b8

\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp

MD5 379fbc100c50379dae4dd1a7ea5782af
SHA1 a2079a19b40e117dbc115936fb37eeb0759a0074
SHA256 c8e870c9649b4dcd70e73cd9ecadce2f5f247b37f240a3eca9564048c56d2b36
SHA512 ded939694aee266fe260d185fb113ef581cda6d7a8e28bd8575a80c48028a5a226ce0f71b99bc20bef8da284dfae47acc5d43c8f2d50b826fdc1d1b91c196a7b

memory/936-455-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1108-480-0x00000000004C0000-0x0000000000551000-memory.dmp

memory/2968-549-0x0000000001250000-0x0000000001B04000-memory.dmp

memory/2608-548-0x00000000007C0000-0x00000000007CF000-memory.dmp

memory/2608-550-0x0000000000220000-0x000000000023C000-memory.dmp

memory/2608-551-0x0000000000400000-0x000000000062E000-memory.dmp

memory/692-552-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe

MD5 41b883a061c95e9b9cb17d4ca50de770
SHA1 1daf96ec21d53d9a4699cea9b4db08cda6fbb5ad
SHA256 fef2c8ca07c500e416fd7700a381c39899ee26ce1119f62e7c65cf922ce8b408
SHA512 cdd1bb3a36182575cd715a52815765161eeaa3849e72c1c2a9a4e84cc43af9f8ec4997e642702bb3de41f162d2e8fd8717f6f8302bba5306821ee4d155626319

C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe

MD5 9b00df1cca53e81d90dfc2548f8d9114
SHA1 a783bde9346c8ece56aa6fec12348fea40fdf6ec
SHA256 1ae4509fb8949fab80d4cc0fefec087af17e7c5654f2a66ac04f7372edaec5fe
SHA512 406e14898fadc9aa63021d15c1e23cc812f472c6dd1fb59a29de2c4660b573e26ba13b892b2d3755e29d6fe5fe30a4d1c0550e0aca9d0bf5ae936e59d3141ffc

memory/2480-592-0x0000000000551000-0x0000000000569000-memory.dmp

memory/2480-593-0x0000000000230000-0x000000000025C000-memory.dmp