Analysis Overview
SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
Threat Level: Known bad
The file b06437ffb6c87f69539842cd536e78d3.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
RisePro
Vidar
Djvu Ransomware
Glupteba payload
Detected Djvu ransomware
xmrig
Amadey
Glupteba
Detect ZGRat V1
RedLine payload
Stealc
ZGRat
SmokeLoader
Detect Vidar Stealer
XMRig Miner payload
Stops running service(s)
Downloads MZ/PE file
Creates new service(s)
Modifies Windows Firewall
Blocklisted process makes network request
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Checks BIOS information in registry
Checks computer location settings
Manipulates WinMonFS driver
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Checks installed software on the system
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Program crash
Checks SCSI registry key(s)
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Delays execution with timeout.exe
Checks processor information in registry
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 16:21
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 16:21
Reported
2024-01-23 16:23
Platform
win10v2004-20231222-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\System32\Conhost.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\clnt = "C:\\Users\\Admin\\AppData\\Roaming\\clnt.exe" | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\Conhost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\system32\sc.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\system32\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-402 = "Arabic Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2161 = "Altai Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-434 = "Georgian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-71 = "Newfoundland Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\sc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\Conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\Conhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-652 = "AUS Central Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-12 = "Azores Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-621 = "Korea Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-292 = "Central European Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-341 = "Egypt Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-532 = "Sri Lanka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-692 = "Tasmania Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1832 = "Russia TZ 2 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-141 = "Canada Central Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-202 = "US Mountain Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2872 = "Magallanes Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\Conhost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2372 = "Easter Island Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc [base64-encoded command not preserved in this report]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3680 -ip 3680
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 348
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp
C:\Users\Admin\AppData\Local\Temp\nsbBB64.tmp
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3576 -ip 3576
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 1288
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
Files
| SHA256 | 252dd2efa9b80025a9828495d44092be2a270a680bce8c1f78e168e47be358d0 |
| SHA512 | 5758340d3f98e8de3f35ee43ea165cb228b1392ba20399e456105ddc45fd928e19d186caf38df27f96f0c3e7f3640fc5cdeacdf2d758d266a8f3c4fc924f0c03 |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | 57ecbc598b77d793223e056248dc769d |
| SHA1 | 53fe54c55108421fe1d4336f8512627699f1bb2a |
| SHA256 | c62bdef7da02c8fb7a04badab5182d1fd867022dff40169a00aa8454675be8d4 |
| SHA512 | f270ea17e71ce6c816d9bae4cc44043da7bc665359b74fc7194221dc7c965bc174d1098c4a8208ac06ae0869d13f63a6ca5f9c38db7572458b9910d293bbe6cd |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | cc868817838921d9d6ef6a4b0b3ab330 |
| SHA1 | 01a8c62e4b6b715052b7ddeb42290f3bf951b3cd |
| SHA256 | cd4980867d89f76af2ceb44555f5d484bf4969e4ad547f7afbfeb6694c91ced4 |
| SHA512 | 60907548bfbb6e4fce3bbb3b656a2191b08e58ead4ea74fe0e3871e809f788ea324ad65ffc224baf30e68161deeb372ec17f7b04ae9901bf5401a6d64a715ec2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 55ab88977cd3466b0affd372c9cda3f3 |
| SHA1 | fd5183b5ba087e51c457666823374769bc86463e |
| SHA256 | 18f991191b7ea4118f83b0cb4e648f5552d33e0b0bc118e58a2ed2db36a04449 |
| SHA512 | 1ae7fd62efba9a5a0f448faaebc7f3278c60c4dd4c043f5409d6086ac1a29cb6cfeef45f6e232899f3772f05d68379e79f5dce913436755a9621363e2a7927f2 |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | 045091a8be6add4d196a2e65878246b3 |
| SHA1 | b2d8d8b4e59c071d9adf4a6c22f6de7d02f440be |
| SHA256 | 876c87f7d210a3655c07488b84cba1553fce5d90951b91479cedad7507492e0a |
| SHA512 | 5b74252945b7642832ff1c9be04d0168f90e5b2e1e638992e0307fa44128fb7f3693c27100aa1556ff63461609e66b2ed5c6a5c14a62f87cf94f585451403bd3 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log
| MD5 | cad4caba9aaab897691a633527fd5cc8 |
| SHA1 | b3e4fc90c296f60de8a70dd1ca52c88b22311fb9 |
| SHA256 | 38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e |
| SHA512 | 57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | ceb172f1cf7e2fe24bc8d3568d286cff |
| SHA1 | 2c71951192f03489b7db53bb3f697a3a7bf7b705 |
| SHA256 | 1f2447f5f5aef2557d7822943254b30126ae27d7fb1bce6427a375d661427407 |
| SHA512 | a54e1ba75144d87cd58b0a48d07ae9e8d8b162db2c0efd22fdd1fab917ae29c13a589928009e60c8716b351d8539433b754037357bb07c986b0166b7338a1c11 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 91e7798e348f0d9557dc0b435eac3ad3 |
| SHA1 | 7a714e3b7c1831fbed3d940cb3d0b38a8fb83282 |
| SHA256 | 8ba70d9ff11b6c268fb6e93fe4155036eba3ccc1781dc0046152733204d5cef2 |
| SHA512 | 0e642e1a6d5cf016c863cb7eb412c158e2e690d9fa066feda5b9b5988c62c17393b98841a8920fa6f00692cf7739558a59467922d51605cc84da3b4ba233028b |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | ff244b13307f50837a4dad053227fdff |
| SHA1 | 37344f6d9003fac3e16e6e6aac91c74da1f24119 |
| SHA256 | b0a2df0d29071c29d403658c5be40762248990016e74812fdafb5fa8e10837fc |
| SHA512 | e6d52ac6cada1f3d5298705d6d4410c6377bcdc9699059c48c49f8f64edf1ccb0fd59acd689b403dfb4874401678bc9b738a36206a88fcc8a68472d0877b71b2 |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 21a8c542428828a5e6a1cb034a44fed0 |
| SHA1 | 844fb1c927eda73d1a8f612be9ad2269c2b410d9 |
| SHA256 | 58fd67dc7b2bd50109bf21c72203288cb4d385a85661fc9f45d0b3591984ce3a |
| SHA512 | 85f0a2793e267566408ecf36405011d0549d8c1e2aa65b1be2f4a0aaca57e8f1743993536efaa84989a7a60907a8690b156664708345c8c411e426cfbf502670 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | f0ccb5263368da32a9ccf21b88e4136d |
| SHA1 | 9916792c3f9e064486a787f4f43d3f547cbb9af6 |
| SHA256 | d665fadff48f92632e871f88a991c7dd5df16dcc424ae617919b784cb816fabf |
| SHA512 | bb7d72ea54efdd3dfcb91d26123467948525de33da0c59884c92684a9c1d9a64185ae27d75da9fa1c65f1a6fbac9607bbc389cc80cfb8a869b2bfe0edfd0741c |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 5e40035a409cb817b6bfbd533d4f4b45 |
| SHA1 | be427862e4392cd41ead4136265cb6b30e113c38 |
| SHA256 | a2435879ecfad2aa3f24d8fe8a4e54e213b5bee7864b009ec9efe892db4033ef |
| SHA512 | d811c77692c4252c01a8d89e8659d03464099d7f0934c4351d2b73474b6daefde0a80e8187b43fa610a02c6cd9187a1efc33b31d46183e53e1ab90615166c5fc |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | ef189d3e909148c06a72a6075f3fbfcc |
| SHA1 | 961c815e77626031d67e01986dd56b8dc6c43d9d |
| SHA256 | 58ab3bde91496302ef9ccf6ddd1dae1dbdfe9efd6c1eee0361500550fcf8cee2 |
| SHA512 | b7275fec86ab75f74ff64946da78818359a5459466eba0c5aa594ec1cf5a0819057b3f7283d2b064336ed3b51d85b0d05bc7913b16b1653ef82522b863761a02 |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 0b978dec75094e8e0478e6f226cac3b9 |
| SHA1 | 3eec4fe1be8cfe5ff755cb7626260bd622486bec |
| SHA256 | c306fb42c268916b874630f47cf40e52afe510f8ff80e73a4a6e7f60d8058f63 |
| SHA512 | 0166d7d1f520fc77fe4a6f0c669202866b8c3ff8a82de94b4227c156707a173116f50a4df0e0383d1389eb780b53ba80eb42b88281825ef6c21e74ebbf0fd920 |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 07b763680e3e7d02028925fccad83d9e |
| SHA1 | 8756ec9a734e82e5ec9ec29625f81c56273103ea |
| SHA256 | b0ee37a3b91c1ae0d535802e51980b4a3e45b00ae27b04c9fd929d9e71543c2d |
| SHA512 | 400e342402b3e4290e9463472cdb10c7f54cba83ff3b399702eec14870fe26bf8f002b5b3998fc0f32ebbae563d527fd36bc54e22f41611a7103d213df4a62bc |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 22acd3ae0414e0a7a311ae73cf8fcb06 |
| SHA1 | aea663fe67da569920f008925a5d940fe0adaad9 |
| SHA256 | f9794d31cd1fafc3f98162ed7a1f0a7f241bdeac9596f4b3093a7c4251e5b336 |
| SHA512 | 23f332007180687a68dbb7e066a694d2acdb426f2b28e7703c93010e25d5dbb1c4a5de612c085dd15e0755ed97832784027224b2651ae24df3d1da3a948f92e3 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 87c2ae7aa92502ae81e7b3ff7509d206 |
| SHA1 | 83b5cc7d9b1a2b1cce7a02968242c746cec125e9 |
| SHA256 | cc0d77af967e19775fb7b7cafe53287035953f11c79b704e9685fdc3c1af622c |
| SHA512 | 205b1165d462d0864217edc00a0ca13c60a3cb63e12a9aa2d84083153ddb21eeee92b2df96c4202cf235888a3b759cb83f89a3b7d771a811d25733f885dacfb8 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 16:21
Reported
2024-01-23 16:23
Platform
win7-20231215-en
Max time kernel
42s
Max time network
154s
Command Line
Signatures
Amadey
Detect Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SmokeLoader
Stealc
Vidar
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rty25.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 384 set thread context of 1064 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 384 set thread context of 2992 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 2628 set thread context of 1584 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\rty25.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 144
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\40E7.exe
C:\Users\Admin\AppData\Local\Temp\40E7.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\taskeng.exe
taskeng.exe {E3F137C3-06F9-47A3-8CA9-0A3868410082} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\88E0.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\d88f5157-c769-474b-90c8-6318755fcfeb" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp
C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp
C:\Users\Admin\AppData\Local\Temp\88E0.exe
"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240123162238.log C:\Windows\Logs\CBS\CbsPersist_20240123162238.cab
C:\Users\Admin\AppData\Local\Temp\88E0.exe
"C:\Users\Admin\AppData\Local\Temp\88E0.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\B2A.exe
C:\Users\Admin\AppData\Local\Temp\B2A.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsj2BE4.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"
C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build2.exe"
C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe
"C:\Users\Admin\AppData\Local\f96013e5-9685-480e-8595-25da6a65df31\build3.exe"
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 185.172.128.53:80 | | tcp |
| NL | 94.156.67.176:13781 | | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| PA | 190.218.35.224:80 | brusuax.com | tcp |
| DE | 185.172.128.53:80 | | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | olivehr.co.za | udp |
| ZA | 41.185.8.154:80 | olivehr.co.za | tcp |
| DE | 185.172.128.109:80 | 185.172.128.109 | tcp |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| US | 188.114.97.2:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 146.0.41.68:80 | | tcp |
| PA | 190.218.35.224:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | polishhistorynewzealand.org | udp |
| US | 209.182.200.172:443 | polishhistorynewzealand.org | tcp |
| US | 209.182.200.172:443 | polishhistorynewzealand.org | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| BG | 95.158.162.200:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | t.me | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.103.202.103:443 | steamcommunity.com | tcp |
Files
memory/1888-1-0x0000000000F40000-0x0000000001348000-memory.dmp
memory/1888-0-0x0000000000F40000-0x0000000001348000-memory.dmp
memory/1888-2-0x0000000000F40000-0x0000000001348000-memory.dmp
memory/1888-4-0x0000000000530000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | b06437ffb6c87f69539842cd536e78d3 |
| SHA1 | 6799f24d5ff74fe1a045ea9845704bbbd1c818f6 |
| SHA256 | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf |
| SHA512 | b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10 |
memory/1888-13-0x00000000045F0000-0x00000000049F8000-memory.dmp
memory/2272-16-0x00000000003C0000-0x00000000007C8000-memory.dmp
memory/1888-12-0x0000000000F40000-0x0000000001348000-memory.dmp
memory/2272-17-0x00000000003C0000-0x00000000007C8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 4bf40a595b37b88d2f0967eb52a30d7d |
| SHA1 | 4ae12b7d109b46943121a6ee5feeff34b454e5f6 |
| SHA256 | 1cf4a4b0f9432f78cd76b30cf8e6070d2d49b70d42ec4e2192da86d09a0a02fa |