Analysis Overview
SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
Threat Level: Known bad
The file b06437ffb6c87f69539842cd536e78d3.exe was found to be: Known bad.
Malicious Activity Summary
RisePro
Detect ZGRat V1
RedLine
ZGRat
RedLine payload
Amadey
Creates new service(s)
Stops running service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-23 16:23
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-23 16:23
Reported
2024-01-23 16:25
Platform
win7-20231215-en
Max time kernel
143s
Max time network
156s
Signatures
Amadey
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\system32\taskeng.exe
taskeng.exe {A37A31EC-5266-46B5-A5F8-5BA07FCEC621} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | b06437ffb6c87f69539842cd536e78d3 |
| SHA1 | 6799f24d5ff74fe1a045ea9845704bbbd1c818f6 |
| SHA256 | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf |
| SHA512 | b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10 |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-23 16:23
Reported
2024-01-23 16:26
Platform
win10v2004-20231215-en
Max time kernel
29s
Max time network
168s
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4356 set thread context of 1868 | N/A | C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe | C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp |
| PID 4964 set thread context of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3712 set thread context of 3316 | N/A | C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1064 -ip 1064
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 348
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA1ADQANAAwADAAMQBcAFoAagBxAGsAegAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAWgBqAHEAawB6AC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABjAGwAbgB0AC4AZQB4AGUAOwAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAcgBvAGMAZQBzAHMAIABjAGwAbgB0AC4AZQB4AGUA
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1868 -ip 1868
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 2372
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | b06437ffb6c87f69539842cd536e78d3 |
| SHA1 | 6799f24d5ff74fe1a045ea9845704bbbd1c818f6 |
| SHA256 | 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf |
| SHA512 | b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fa86f1d460a7f863325f062dda8a36bf |
| SHA1 | 5d307df15449c65842855566453da12126402813 |
| SHA256 | f312a712b312ce575f26579cf82e732fc84e5e5e683fa8d4a00e380656454fa3 |
| SHA512 | 2779d42f04ca6f78ccc9333157058db22f4bc1c233a615a496430c9df721e9ce8f62429bb9957ae69db46e0dbd23f2c1ae60c0c7521a45a30c7751bd11ca10cc |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 85adfc825e1e654524565fa313b7ddbd |
| SHA1 | f92418c2f842c6441dc00eea517edae7a3989aef |
| SHA256 | 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089 |
| SHA512 | e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0 |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | 5efd94a0f19897373dac6a00810944f4 |
| SHA1 | 5a9217ae14a408687e07ef128a50262a261e5364 |
| SHA256 | ec0ecfc997c11743bb181f82256b53d771bc6d06d17a485db722d997f44b0335 |
| SHA512 | ad9ca024b9b844fd3aadb5ab4f258d58cb68c15cf820540be61fddbd9e3d85c8fa760a3832096c7ba760745c255d08567bcc8d13ebac9c3ba913d0471b6bd6a5 |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | be6aff72c4d6e40da56a8825749d3d5e |
| SHA1 | 511a81eb6b0d4e18417f61b1fe08d04af21e0b71 |
| SHA256 | 1a5a4e81a436fe5f646cdf472038fa85f0e575b2de702fda0ad25a193fb5eeab |
| SHA512 | 62fbe25d77d024447a57ac23b91ac4e00f806511a3d3ae58e86c13db49fbfa9043fe0c0d914493891d6a3692c9bfd36f7e8b0b7cd3277a7ae2467b2bb18bd978 |
C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
| MD5 | fd00a7b3cb181641d1167a8a7b0a14d5 |
| SHA1 | 311edc66980d4d6cac31bb3f9c220e8cc764222f |
| SHA256 | e0037f841624762468fed56cb21cd1fa43779dc8f884e94d6757759cbfc0b9bf |
| SHA512 | d5a41d5f8a8af0138ea445e4819569eee5f0f662d36bcef5b5c4e324cda07a1948b77f2dd50c15ea6c4838cc5a5e8456e866e222deb70dfccfcf696bd2fa4197 |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | 5cf89e7442d8b62aba2f9df653a1c3b8 |
| SHA1 | 34f5470689ad89911b1c0c7507ef64252751fefa |
| SHA256 | 498179e417816b2326aca3f4d0177f83aa0504a9d5cbee5214496dc6ba281c27 |
| SHA512 | 9e8124687dbf637e2c7254ac70f4e7c49b2bedbadced8d71f6846e1191a1a23f162cb788707da14de5ef9316c0da3b61be3ea7e0bfa130fa111bfd240610b27c |
C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
| MD5 | afef438e7e1b511ae1a5601e65ab3cf2 |
| SHA1 | 1c62c366e1dc8d89ddd4f773bbd80a6a6389566d |
| SHA256 | 7820cc2b787275804f3bc1ca236bad9780a3dec239943b97a9277f89b0610868 |
| SHA512 | ae483047d4657a2060842d8f1d034685fa6899efe77ca635568504f92b38539d36eae18020da03c732fd2cc1bf95ebab73c8699a19c18709c3fab0ad0a829c52 |
memory/2876-55-0x0000000000CE0000-0x00000000011C3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 3ef515bb081e3a8546a39219bf1310a4 |
| SHA1 | 65b19bc8100f6b67368c46b33d39ef441aaeaeb0 |
| SHA256 | 9ae50d0f38c49c5e2a1e90d5bfa9972e551f8274f83fcf7182ab3ed38b2fd394 |
| SHA512 | 22dcac861796e40936f536c3eb908d16fb33b209dcfe5ebd39318bca9134bcdf1504d01ace87b348d6fcfa3cb92f7366d47df1de6f07a64f8b9eaaecf1c2fbd1 |
memory/2192-77-0x0000000000340000-0x000000000043A000-memory.dmp
memory/2192-78-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/2192-79-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/2192-80-0x0000000004DE0000-0x0000000004EDC000-memory.dmp
memory/2192-81-0x0000000004EE0000-0x0000000004FDC000-memory.dmp
memory/2192-82-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-85-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-98-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | af50004ae65fe333d0cafeeec2918b01 |
| SHA1 | 60486580aab90009096d9d83cbab73fd8768896b |
| SHA256 | 6f56adb3dab62c255bddc8a421de929e803d3cd5ebad17faf41a2161f5893765 |
| SHA512 | 31fc762bcd29b37d8b49bffbef42198c911544d2f8141873f5afba0e425d8e55d5dc084d03301da489709e23fb74fc991b99de304cdd0b9084b617873cfaccd9 |
memory/2192-102-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-113-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-104-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-116-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1820-121-0x0000000000C70000-0x0000000001078000-memory.dmp
memory/2192-122-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-124-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-126-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-128-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-130-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-132-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/4356-134-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/2192-135-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2192-145-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-150-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 3cfc8006c299da8de8d9062d3a11774f |
| SHA1 | e4f531c044beccf7fb5e9c54de841702f0170d25 |
| SHA256 | f35e2d01a8798985c0f02ece4b383b0bc2c7871cc9b1d2405f449514bde5115f |
| SHA512 | f886238adc102f4f1e437bb3c0105ce74afaa0ade43aaa71b18f5ba4b8b45e93d9e4b1ad6c6ef8ac82821fc7b96e4072280d96967a787b82e6d9ff419e25c41d |
memory/4356-146-0x00000000051D0000-0x00000000051E0000-memory.dmp
memory/1868-161-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2192-162-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/4356-120-0x0000000000760000-0x00000000007C4000-memory.dmp
memory/2192-172-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/4356-177-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/4356-179-0x00000000029F0000-0x00000000049F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
memory/4964-184-0x00000000008E0000-0x0000000000936000-memory.dmp
memory/2192-185-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/1868-188-0x0000000004F30000-0x0000000004F3A000-memory.dmp
memory/2192-189-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/4964-191-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/2192-194-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 0225dfa7020bbcd311422debeff72a2a |
| SHA1 | 16579ad191cbfad21cbcebf029a5edb3cfbbaf2d |
| SHA256 | a6dfa73b2d16c008fe053f3166a4710f03d495008512f03ccb2e56b6f7ee2718 |
| SHA512 | bda6d6d4637262c2c8ae2ccaa1854d9c3cf54b3563b19e875ede7ed697a465bbf24c92f3567536774c9b39252ed6eac91cadd96079a7eb26bd8abd59d00e1419 |
memory/1868-195-0x0000000004FA0000-0x0000000004FB0000-memory.dmp
memory/1868-208-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/4308-207-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2192-211-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 82d7daf4811e43359671b17a339e43a8 |
| SHA1 | 5fbe2bf87fdd024e2a0f487b7196148944c0d20d |
| SHA256 | 95f48b2679ad1b49345c9dd8dcbe950327823b384e208029d78c57c6a91b8845 |
| SHA512 | f2e15a1131d6e457f45febd7b9e2a5bd3e6521a9cc375279cf6a7eb86254c4747924f26ecf7f2bcd4fbe059040c662fbfd6a1b3fff40a12e64643501dc9309f8 |
memory/2192-221-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/1868-226-0x0000000006220000-0x0000000006838000-memory.dmp
memory/4308-225-0x00000000728F0000-0x00000000730A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
| MD5 | 3a7caa98a29e368213038b05dbbc3316 |
| SHA1 | f634f19f3b18ae1ee29ed03cd432a6e0fb7c3f66 |
| SHA256 | 9ca8491e681026dd742011704c54f30c207c6a4793032b9e9181cbe8b3727b22 |
| SHA512 | 30ddfb8d5c0b7205664e88a7290ea5dd01a3b4c89894c96df0fdd9ffed6bfaab4ddbba1c5c00760c4db09adc5a50c9e26cce93e6066ea75cd96d1577ed613b4e |
memory/2192-206-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/1820-186-0x0000000000C70000-0x0000000001078000-memory.dmp
memory/2192-181-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/1868-178-0x0000000004E80000-0x0000000004F12000-memory.dmp
memory/1868-175-0x0000000005390000-0x0000000005934000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 4dc62aa51086843a31d87236c87f21e4 |
| SHA1 | c7cdc373668dd8f7373a433ed0f3703843b67c10 |
| SHA256 | 5a1a04657de632f044fcf0f4b089686de18840fa979a8265d8f9978f4feb5d27 |
| SHA512 | a876f4404d3be84ff8c36bd1005d844b0c22630cafb34631db7b07009c95f6564864a6811bb1b45ac415a64000748cb1626aa367d3deb8b616b6633bfde06658 |
memory/2192-100-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-87-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-83-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-228-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/2192-234-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
memory/1820-231-0x0000000000C70000-0x0000000001078000-memory.dmp
memory/4964-229-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/1868-233-0x0000000007CC0000-0x0000000007DCA000-memory.dmp
memory/4848-232-0x0000000000C00000-0x0000000000C54000-memory.dmp
memory/1868-235-0x0000000007BF0000-0x0000000007C02000-memory.dmp
memory/4848-236-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/4308-238-0x0000000005050000-0x0000000005060000-memory.dmp
memory/1868-241-0x0000000007C50000-0x0000000007C8C000-memory.dmp
memory/4848-240-0x00000000054C0000-0x00000000054D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 819806d0b5540779a935d3fa45698f4a |
| SHA1 | 99a2bf758df8e9e7df20a9c31e0dfb2f80f35e5c |
| SHA256 | 70e05342b724c0bce02bb6b6251c4ad2e2f571e05a46f42b78769c87ff8158e1 |
| SHA512 | e8c5a06b9fc9681532eb740c0fbcf3e1811c9aaaf208d15e58e5d225cf891ad91896871a187d9d8034e03a223dccb89cc6488b9cb06efd4c862096dbd298a096 |
memory/1868-245-0x0000000005BA0000-0x0000000005BEC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | d8337d7ca38eddace5472f7a274b3943 |
| SHA1 | 273fc254a6051aaf13d74b6f426fd9f1a58dee19 |
| SHA256 | 3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202 |
| SHA512 | c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589 |
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | dd1b934ada9b4482d700b7cdeb176388 |
| SHA1 | 63a135054c20160836c4c05dd540247594e24e23 |
| SHA256 | 1059587479ceb4a0480d56e00b849ddbf4760c763c30369cef28f48683807413 |
| SHA512 | ecdcf9ddd32b54ab8ff861edc0cb2a453d87a3be8578b0b17e9b111e8f1723e093263778544e88906b5a5da3cfedb489da79d5ae9c49ffc0c8a30f50b6258622 |
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 8b5cea8c7ed46163ce80a3cb96ed7ffa |
| SHA1 | 271aadf243294720b762fa1a2b49c419d42d094a |
| SHA256 | d3dfe15279af2bfe0d1fc3eb288fcbf97de0194c53b5265646c673381da2ec9f |
| SHA512 | 92d334c62b32042cd5af9bb43d6adf89b97e490ce9e13548c5140b88b234dc131e780bbf7f7a667365f6b23c97eed01677af18eb771f7f905c703d5d646e42cb |
memory/3712-317-0x0000000000F60000-0x0000000000FCC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
| MD5 | 55e7a3c68123b83de9efdc2ba0c1513c |
| SHA1 | 3c1caa2bc4a25869286a293ca6da2d58a2cd909e |
| SHA256 | 31cb786d695e6b995b0a3faf26aefbd3d4324dccc3a65f70a6de96ed81d9745f |
| SHA512 | 44df000559f611b51988d8fa835742e8de5ed131b0eeecb003d0dbc7b418766d14e750de88f818a408b0d18cc495fcb16387d8a1bea485ffbd8fb26e5b4e3dad |
memory/5116-320-0x0000000001420000-0x000000000147A000-memory.dmp
memory/3712-327-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/5116-331-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/3712-333-0x00000000058C0000-0x00000000058D0000-memory.dmp
memory/5116-336-0x0000000005A80000-0x0000000005A90000-memory.dmp
memory/3316-339-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2876-340-0x0000000000CE0000-0x00000000011C3000-memory.dmp
memory/3712-346-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/3712-349-0x00000000031A0000-0x00000000051A0000-memory.dmp
memory/3316-352-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/3316-357-0x00000000055D0000-0x00000000055E0000-memory.dmp
memory/2192-360-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/5116-362-0x0000000005E00000-0x0000000005E66000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | dbf9e2f7bc328d2d34c9ea07f0799d75 |
| SHA1 | 5d32e0b2e0a3d01bcf52a0d44830c463fba8fa15 |
| SHA256 | bb300384eaa97f49783e25a8eab68b98ffe4263ffc5bb2f463d6141c306fc4c7 |
| SHA512 | 8ccbb0332b8f2b24d1cac7e6f6866abf54c77883e124fcb2331dad8290917625d0c3d5d3c1f0e90ecdfd29ae107b6571f5d0ada8a933a5f64abe99ae7092f66e |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e782c2b0123efa714944115f0778bf7c |
| SHA1 | 406ac9362164d2081c39ad4e6676447cf36cf989 |
| SHA256 | 7139d3d88aa7df1d53afa7fe238852d7d39084f14f68ef1a90a8c50c1d762931 |
| SHA512 | 85c8cf9d14c816d7491ed31232ad5213bb715f2a3580c1c0a9329bd05d196a68d6fa4901611bd637ed891550a57bb66ab6650cd179bb39b6becb962eec69e7b6 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 13d0884c9089d2118f3aeaa368a2c135 |
| SHA1 | 68052e28c79ceda019076eb28601696da430cca0 |
| SHA256 | e2fad8befcd09cbd6acd298e9ac424bb7fe2fe6715fc9f9daaac3031921752ef |
| SHA512 | 2ecb2d96d66b87d5315ecc7b01148b6332658dc177306e021a4d8c81410f39c4d166ef56b1fef7532bd27bb162ce91ee6a70647dc36215a11eb0e08dd939441f |
memory/5116-403-0x0000000006A40000-0x0000000006AB6000-memory.dmp
memory/1868-407-0x0000000008860000-0x00000000088B0000-memory.dmp
memory/5116-411-0x0000000006BE0000-0x0000000006BFE000-memory.dmp
memory/4308-413-0x0000000008930000-0x0000000008AF2000-memory.dmp
memory/4308-417-0x0000000009030000-0x000000000955C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | a9b05118ecedd420f4b1f2ce59190c73 |
| SHA1 | f5e4591ded9aa25459d6d285c3edc71253c0e686 |
| SHA256 | 9587ed1a4e7fa46194fb88cfd538b5afd2d314b9b9e65e14b7e0cc9f50f1f5fb |
| SHA512 | 5eb0f05c1ff1c6822e959f67492747b77ae66f305fedfe480461ef515c51a3269d59046e84a74a1e49e1b0591bdaafa0e133aaf321eb9b4271e0b84fdcd1ae1e |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 8072fad06b6e3631682aef7b992aef1e |
| SHA1 | 38fb90281b0adadac85b5bcfdfd49fe92159ff62 |
| SHA256 | 14145a9d9dfaa84ba1146c47520ae3f5c42d7ddfdb15fd4ae002cff76280f7e2 |
| SHA512 | 8ca6d8ca1a0b8dfff44c541aa758b76007257c84cab960fc608d29cf61e11232b4de2a1c5e5ccd56e3f8d85fc0c73676fc3fa42dcbcedb45f9173e0737dbee60 |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | a58313158dd2992115db9c1558096245 |
| SHA1 | 8e6541f675605935e91c056ac6657210feec7913 |
| SHA256 | fb67b3067f4358a36fdbbef28f170de634acf89c6f7a64c59047242d682440fe |
| SHA512 | ea8206a430f50304dcfab067b3a47c5f3a89b814fde152303b7772f088c298a6906342afa030751b3b7165611af84186972a42a7340581e63c43d1f350b422e3 |
memory/4828-517-0x0000000000150000-0x0000000000770000-memory.dmp
memory/2192-518-0x0000000004D60000-0x0000000004D70000-memory.dmp
memory/4828-523-0x00000000728F0000-0x00000000730A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/4580-538-0x00000000008F0000-0x00000000008F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
memory/4828-539-0x0000000005090000-0x000000000512C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe
| MD5 | 486f4ed0ce0a0f6bd0b91c1a7a64ba4d |
| SHA1 | 6683edafd06175ff0ba79503a4e83158640c40da |
| SHA256 | 19edfed1458afe0206d76d6ff89a00cbb5f7453d75fdf20c38e8d6c3c4a44b69 |
| SHA512 | a17617eb07728c4203d6eb7ac51377a9633b5b5354b1b464997b842e1bf3a55936a5f763a0e1c05e2a8d6984a555812e78a0ffc8c7db866bf08fd8768838cfc5 |
memory/3316-570-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/4580-572-0x00007FFC8E620000-0x00007FFC8F0E1000-memory.dmp
memory/3888-574-0x0000000004920000-0x0000000004962000-memory.dmp
memory/3888-578-0x00000000728F0000-0x00000000730A0000-memory.dmp
memory/3888-580-0x0000000004FC0000-0x0000000004FFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 8373a7138e4be05be5ca90f367f88b53 |
| SHA1 | 4a63bd53462d189ca225ccb40aa37848b25c735b |
| SHA256 | 75a0a6052267e0567774d6151f3c3673316070676c644bfac02238e48dfa7495 |
| SHA512 | fdb6bfacb69d393b12cda6a06af2193ee41a4bfbc04e4411b38c5102b6a5b5da56b0d22a927f153855360d4dbaa68f034c0dde7c2d50d2ee578f92d8744e8e1f |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | bb5f1ec262a41e5fad6a3b65ab7cf33b |
| SHA1 | e5c6d105815580b67b75ac9455e885d7217edb4c |
| SHA256 | 85b674ef2f948b1323ca8db8006e65f69b664900dfeff9dabc72121e68249d0f |
| SHA512 | 06d6055ee0d43ecb1b38e99eb3e3bd2ca06a46021c66f07e37a569866edc7592af97d3b0a0e6a51488c4f945287f5f2f82d852d5d7a587978860d1f9547632ca |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 5ade1c438514dced57eedb017ae91f2e |
| SHA1 | 48c69e19d74f8eca5663214a7fe5d217639e458f |
| SHA256 | 0237e44f395fea7f7ccb5ffad108aab247b40f059611ab87a0fa9929e89a549a |
| SHA512 | 91e071fd19b12662045913f43d1d3cc88887c24f42c8e2b5b1d911204c7a72b9412f2b3c44584d5a4b8054ca53df845f5556e5dee9e691c759db4f00c65b9480 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA1 | a118cf0ba2d4ac47473b9140c0aa7745efc6aac7 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
| SHA512 | 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | cd64261f1fcf115d55b9631daa818fa3 |
| SHA1 | e83ed6694f678ff8f47a5227ee7aadc15debea63 |
| SHA256 | 7788463e620d46ac2cfeb824b5ccc2f2e15f7a3c27443f80cd67dd28936fdca6 |
| SHA512 | 41f7165675b599d09a232be8bbd87104fb44a4a8bec37cbd019c995087672368900bf795b7eba3d9499936ea2272ef67a933b9e60fe3fe02dbc7abaf8d4283c4 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | b0556b40294ded239c61bcfcfc70cfc6 |
| SHA1 | fe5ce0c2f2cd479ae127a1ae94646722a7bcdc67 |
| SHA256 | 2d440edcad1dbaa319cf8911e9cfda89f281bf2eb5a3501c4a5b4b0d8bc3c172 |
| SHA512 | 1786ed69165649e450563249c8625650661e512daacab39eb3eed51e5620e4f593cb7d67fd2047130c13274e7acf3717885deefea3217f26e04d2ef9f14c6c16 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 60588ddf9545ed1717a115d23bbe2650 |
| SHA1 | a55850f51bb29b2284d335daae764751472d3997 |
| SHA256 | 24af6e5f2466044746b8ef96b1a98fb12f5f1d9d9158475819f6704518a7a5e7 |
| SHA512 | 7d4f16ad0266a13f38a67cbf8b295c41526a27f9f1cf8babb375aafe980c6e2ee3cd67d506151d998138f856aad9b4d47fdf163b77527e5363365262d97e10d9 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 6b67693b95e9596922a9c9cfc7424dea |
| SHA1 | 64bfaa0c589f03f68b309661cdebfd8c37128123 |
| SHA256 | f8e0dae140a0100a701961110d95545a6b79ac35db719a0165b36141d0472ac6 |
| SHA512 | 8278302da64c8b40786bf850766af9446559c10627acc09d0ce76f856b69b0f0bd70ad2553c71e1441121059c6072d017d54b5d30ab6df760b1e25b2c9c6faad |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 219e7425b61f8b9f627e1a4659901f2d |
| SHA1 | 651ef7d25f58ddcc3d71d2d43078a9112929cde9 |
| SHA256 | 137aaf991507d90ad86343ea960b798f349504fcbdc3b004ffd9a50366b6c1b9 |
| SHA512 | 70c20cad836330c262939882b31456c17e19c7fb120f64642910f69cdb68a4bf9a97b9fc46e337f3715b73ba7e7415ac7454b38d97124d98c626a6b6a4243694 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 8a4f07228fe7b7662cd3325c922c8cec |
| SHA1 | 7e2c31e479e26184c7614f15788dd9e3bd2842d2 |
| SHA256 | 7697be742aaa8573573a1ea890088ed498929c84616fec321ca2ab28c22e3d00 |
| SHA512 | 20b8ab6f0fc589a2dc6926f96435c9468b88df66f318a7408808163b8eba09e64a570a2d1bcf1f0d25529b461f4348dda9e5c945a60e48bdbca9303344cdb91d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 6eb72baef8a4a31b19a0f629e9724b74 |
| SHA1 | 302e4684912ab1bd17b7b6adc459c552e90694c9 |
| SHA256 | 04fa418ce7e0dbf4af460d6d294beb2a5ecca848373b1612935b1743a3716039 |
| SHA512 | 1e0867ac2df038017b0d316dd5289f0273173268367b1c65b92ca0f14e1b6116a31f8ca15d1582e20f9bf9e068595a8bea7f04b0b6ba952b5e941738e0507488 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 83ab0a86c2372cb57009cc424fd0edab |
| SHA1 | 0bd6af44999cfff3b18fdde7bf1ee25577b0e479 |
| SHA256 | 4bc736d38978b1e4622b439d2117c609e2e758dd789698599ff94dc5d94a6910 |
| SHA512 | 76f45babc7eb8085db89489ad9931aabcf8ae4ef5ab7672b60ce7faa7e545e86bd0aeb6c3a76bc74b2bd3ca7104a4923a69c4af3a1baed78945eddafb824e09d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 8438f44d191f05972657edd323b9c29e |
| SHA1 | 6efd1e211acd50972f453e25b308fdd02219f625 |
| SHA256 | 29b922e391edf51228149267bc06abdded6061cec0b33406525879d5299cabd0 |
| SHA512 | 4a2c1759dafbc36c2983de7f5bddb08efd3f7d2a406c97cb5e7f94e62747090855b73ae6650517b2a0649ada3fd3d2dc7141929b388e41a857e96e938c6b1d15 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | be5dd8b7ee665c298c372c4883c3c15e |
| SHA1 | f996f23d5a9d9702e564b94a658dddba4e185660 |
| SHA256 | ecc729d531520e7efb7fc1f228032466412c913df6bba13bdab252813dd01098 |
| SHA512 | 6cf239a6c29ce95def999c786d5b3836e7355f56fe7fc3210f6e1123e83d97a3badc5a5e1afe7b1718195bfd4d0a7223f2fa9af6214e2af5a0922532d5078930 |
C:\Users\Admin\AppData\Local\Temp\nsn1829.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 36f3f687b8decdb8c10bb8e37269c045 |
| SHA1 | d00aa71aa8afe08ac2043d2c7bf1148ded8efb3c |
| SHA256 | 72fa1f3b9d3e6a3f0b1ea7d71082e2cc627059869ba90b0ae01d95decb14e665 |
| SHA512 | 7002cc5be0a2c489491bbb79c15069569709704030b6b191f28fbb7abd29d5213f37b9ed09f1f1c1a4e26c0b0db281e7e8e0d84dc75f6754b85332ee69910fff |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 20b354fdd28d6b4fe49525b70a5ec430 |
| SHA1 | 4b7078c023746e7951b1f24babcafc6d46974ac3 |
| SHA256 | 8616ee6f0b24187371e7672086fc8b07689b23ef57406fc4f97cc6f5dc1702ee |
| SHA512 | 3931e9a0393084741c9847522f5b26f9d3beb176fe03e868137791cb2b2b3388b3c1bccfcb398a7151ad052190a11e70cf747a0fb6da219fc2865afae6a4ba2e |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | 60508131840ddd4fa6f54a02e5d6b403 |
| SHA1 | 583d449d7aa76e48cc40e6c9a24427a85c78bff2 |
| SHA256 | b010b034d81991ff1a7eb83e2ef0c4df87c247c17a118397042ffa63322d4695 |
| SHA512 | 73bf32de014d6ddc50fb52e840c8c10c9f94cd28d2f36618c666fa38546d35dd2e7ac9341655257aef2079f5536a53435e755ee5ec51cf7b79ba440ee8b4c893 |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | 860e0617f44c84cc971030baa3a39314 |
| SHA1 | 8c8a5c31cce66d3b97625f86145cc3eaa100b845 |
| SHA256 | 82682f993d396f5db3b38569c11f862aeb7dc237e24a2ca65168fcf020a46827 |
| SHA512 | dc9b1b4f8aee53990c562c1f78b2b8e4e724a4ed57cde3d2b39302ac2d6d4a2bd2cc043d3c582b6db1618a421a666e70a1c63f193593fee0bdd6dcd1ebb9d400 |
C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe
| MD5 | b99871f8949c4850247bc9730368e8b6 |
| SHA1 | efc88adc7f5e95d4dc7532b2f1b42f49ff4d0a2d |
| SHA256 | 59f76f9c8e32899754ffe63f346b4e5273a27687f177b97c484a8b17119cec95 |
| SHA512 | cf389934d838df529989682ee06fc9f95a3294a813bd47ba3a6dcd881302c2c8a54ad788390040c7fb9cb084b31ebcb6b269689ba4a384f86ac71746c368d679 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log
| MD5 | cad4caba9aaab897691a633527fd5cc8 |
| SHA1 | b3e4fc90c296f60de8a70dd1ca52c88b22311fb9 |
| SHA256 | 38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e |
| SHA512 | 57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746 |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | a71a5168dbac0876c7974546a814dd8b |
| SHA1 | 060a85bdbd71cc1ad3bbc01d6ae43e32b8b1a9da |
| SHA256 | ebe19a0d75c70bd55e895c2dd9fa3d95f45e79ed42316e4ea4aaf7563eb99e6b |
| SHA512 | 98a06bccdd14af80fbfa372dfb771f8e2f04aef95f5b4d26fdb5cc2bdd3b7f1caf42d598bbe9a444ad516beae107a611675a7116709eeb4a853b6fce3e098e5e |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 4ce056331aa0e38bb9feccba177aa153 |
| SHA1 | 0f3c6db67f9f9eaa03acdf2d77eab1b3f4d2092a |
| SHA256 | 2a46e83770df302a8dac7bf8f6dd2d523632b69e078d733a31b9bb0ec49e23ed |
| SHA512 | fb8b26a3fcc87fabc4dbce91c19be44d718776dc7cd2ca4ead9c3ede09324587e67c1ef99dce40acc1ef3d58e8b820be1c95042a7633dd7d1ab5d65ef6cfa1a4 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | b34325f9f7c18f4134272c5fe59f30b0 |
| SHA1 | 14a446b3d4899ce9b501533cde3edc855ea09d37 |
| SHA256 | 702793f0b9028105b299e0e40b7cc5be00c96963794b76f1754b7a8d6f5579c7 |
| SHA512 | 5663be2cda4de18d6126a755e24d6768622cd318628678c6e4234163a1abedcdf2379d1ad9b362363113b903ed2a340caad32c7aed0996853c1913d5552d4dd7 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 17e957ecc72c22c8442da2dd008991a8 |
| SHA1 | 967e6a0fe9e28267a38cb52c6ddeb895ad1d38cc |
| SHA256 | 56e29da6687f6ad5df129ee0bcc83035bc4e59459196837bcda44188dc8dc680 |
| SHA512 | ba3d6d11bd5e95ee2bc50571b1364644b33992f575ab6d6d1a09cc56e476c43bcd799818975d9a7921ce5ee49dc4bf1c6044fa87ec6cd69a77daea523900f3e4 |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 245f02e28fe1574906720615d4883e0d |
| SHA1 | 38e9057fcc598fde3e470b1ab0eeb69f3229f053 |
| SHA256 | 03bde54164dced4d3815d628ce99185a8e58fd03c141678b068925fdb9d44c80 |
| SHA512 | 39127e76ad2882f47bbc0563dd361748c124183355694a66e00976ffa47f62e50dea251cc8643811e589a78d04e2dc86ad1a9ce4a43fce92038372909152d771 |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 3c4aebbf12cc57418ae88794215458fd |
| SHA1 | 34ec1331ed610007877925e0675e7c057382f92a |
| SHA256 | 7fd366bd22c1ea1839e307a5839c8542454272ff1641c605f8fc7a0266cd5d5e |
| SHA512 | 19cd71cea3701e460c338b1e45acaabc6408ed87353545c8e44acbc5ce8431e41f45426c8312347efdf7429eed692dfa429df10d3fcc0b62cc1977065a19572d |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 6e55770eba7500da3e894de3d8234d14 |
| SHA1 | 0f430fe67aea46eda508fd569323fda7cf1863f8 |
| SHA256 | 5a4fc4d3a965c48a47f7270dc3cc45aa2cefe4cea7ba3d68ff92cca730e3bcea |
| SHA512 | 5de6858cd607b1c27d40e7167a44668ad541b162be967a53a8f996e729d850e6cd661cdab08b15e7bceb98f53a1cef1008e33fc2467f66128a7c9b4e1aed9da4 |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 8d6f07d1f9f872483b362df85a5ead02 |
| SHA1 | dad79a9a6937fed780d8e47c97e6dc727766613f |
| SHA256 | 5a6df6e680bf9f1067b8179bba840628b140577e94d5e5d6f296c31e3f013329 |
| SHA512 | 10b9eb71f39719340614bf4a47cb54c73c9ea7cdf3f78c5884dd9024732bb7bd18e90cb479159e398aa9e586c5e746c663b94eff4cafd0646f9d03bb97b4becd |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acr5rrbs.2w0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 6a4c27466c637b060e1fe38bf9adfbbc |
| SHA1 | 26b2e0f36eabd28073db839efa970877931310e6 |
| SHA256 | 2047a7d09a6efdb25fe5e1adb0b1f4757b7d6ebc15f9efa2cc7e389f111ffae9 |
| SHA512 | 20b8e6cb139eefa3a0a7e77ab5145870c4ffa5f43763580f6ac17c8ada16971cce05025e7234067de7a8543c35d0eae86f8d4351fb4eb31e16dad0ee5114b677 |
C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
| MD5 | 379fbc100c50379dae4dd1a7ea5782af |
| SHA1 | a2079a19b40e117dbc115936fb37eeb0759a0074 |
| SHA256 | c8e870c9649b4dcd70e73cd9ecadce2f5f247b37f240a3eca9564048c56d2b36 |
| SHA512 | ded939694aee266fe260d185fb113ef581cda6d7a8e28bd8575a80c48028a5a226ce0f71b99bc20bef8da284dfae47acc5d43c8f2d50b826fdc1d1b91c196a7b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 92241d60ce7c8710cb8f4e515f663d94 |
| SHA1 | d23ee0ab7e5370b575cf641d20b31de0af53a49d |
| SHA256 | 68ae63987fbf3a8efbfd4ad5e29117702329e478eed245374b26f2c3a7ee4cff |
| SHA512 | 0648435c7a09649729480c492344bcf1da0226ac2ae7e58f969f239f86b337f59ed7dd63ae2bd57a78a0399bb9c773df47ed00503a63fae3fee31b1235b451b4 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
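Reading a dropped-files listing like the one above by hand is error-prone: the same path appears several times with different digests because the report records each write (SetupPowerGREPDemo.exe, rback.exe and crypted.exe each show three), one gold1234.exe record carries the digests of a zero-byte file (MD5 d41d8cd98f00b204e9800998ecf8427e is the MD5 of empty input), and some entries are Windows runtime side effects rather than payloads (the CLR_v4.0_32\UsageLogs\*.log files and the __PSScriptPolicyTest_*.ps1 probe). The script below is an added example, not part of this report or the sandbox's tooling: it parses the report's layout (path line, `| ALGO | hex |` rows, interleaved memory/PID-… lines), drops empty-file records, sets aside runtime artifacts under a triage rule chosen for this example, and returns a deduplicated SHA256-to-paths map plus the per-PID memory regions. The sample input is a constructed excerpt of the listing above.

```python
import re
from collections import OrderedDict

# Constructed sample: a handful of entries copied from the dropped-files listing
# above, in the layout the report uses (a path line, then one `| ALGO | hex |`
# row per hash, with memory-dump lines interleaved). SHA512 rows are omitted
# here for brevity; the parser accepts them.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | af50004ae65fe333d0cafeeec2918b01 |
| SHA1 | 60486580aab90009096d9d83cbab73fd8768896b |
| SHA256 | 6f56adb3dab62c255bddc8a421de929e803d3cd5ebad17faf41a2161f5893765 |
memory/2192-102-0x0000000004EE0000-0x0000000004FD7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acr5rrbs.2w0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Digests of a zero-byte file. A record carrying these was captured before any
# content was written to it and carries no usable file IOC.
EMPTY_FILE = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

# Paths the Windows runtime itself writes when .NET or PowerShell code runs
# (CLR usage logs, PowerShell's execution-policy probe script). Treating them as
# noise rather than IOCs is this example's own triage rule, not the report's.
NOISE_PATHS = [
    re.compile(r"\\CLR_v\d+\.\d+(_\d+)?\\UsageLogs\\[^\\]+\.log$", re.I),
    re.compile(r"\\__PSScriptPolicyTest_[^\\]+\.ps1$", re.I),
]


def parse_dropped_files(text):
    """Split the listing into file records and per-PID memory regions."""
    records, memory = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_LINE.match(line)
        if m:
            pid = int(m.group(1))
            memory.setdefault(pid, []).append((int(m.group(2), 16), int(m.group(3), 16)))
            continue
        # Anything else (Win32 `C:\...` or NT `\??\...` form) starts a new record.
        current = {"path": line, "hashes": {}}
        records.append(current)
    return records, memory


def classify(record):
    """'empty', 'runtime-artifact' or 'candidate' for a parsed file record."""
    if any(record["hashes"].get(alg) == digest for alg, digest in EMPTY_FILE.items()):
        return "empty"
    if any(p.search(record["path"]) for p in NOISE_PATHS):
        return "runtime-artifact"
    return "candidate"


def extract_iocs(text):
    """Deduplicated SHA256 -> [paths] for candidate drops, plus what was skipped."""
    records, memory = parse_dropped_files(text)
    iocs, skipped = OrderedDict(), []
    for rec in records:
        kind = classify(rec)
        if kind != "candidate":
            skipped.append((rec["path"], kind))
            continue
        sha256 = rec["hashes"].get("SHA256")
        if sha256 is None:
            continue
        paths = iocs.setdefault(sha256, [])
        if rec["path"] not in paths:
            paths.append(rec["path"])
    return {"iocs": iocs, "skipped": skipped, "memory": memory}


if __name__ == "__main__":
    result = extract_iocs(SAMPLE)
    for sha256, paths in result["iocs"].items():
        print(sha256, *paths)
    for path, kind in result["skipped"]:
        print("skipped", kind, path)
```

Run against the full listing, the SHA256 keys are what goes into a blocklist or hunt query; the memory map is worth keeping alongside, since the same region (for instance 0x00000000728F0000-0x00000000730A0000) recurs across many of the PIDs above and a dump of it is where the unpacked payload is most likely to be found. The noise rules are deliberately narrow; nss3.dll and mozglue.dll under C:\ProgramData are left as candidates because a path alone does not establish that they are unmodified Mozilla builds.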