Malware Analysis Report

2025-01-22 10:25

Sample ID 240123-tvvaqscgc5
Target b06437ffb6c87f69539842cd536e78d3.exe
SHA256 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
Tags
amadey trojan redline risepro zgrat @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic discovery evasion infostealer persistence rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf

Threat Level: Known bad

The file b06437ffb6c87f69539842cd536e78d3.exe was found to be: Known bad.

Malicious Activity Summary

RisePro

Detect ZGRat V1

RedLine

ZGRat

RedLine payload

Amadey

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Blocklisted process makes network request

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 16:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 16:23

Reported

2024-01-23 16:25

Platform

win7-20231215-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

Signatures

Amadey

trojan amadey

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1744 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1744 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1744 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2776 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2776 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2776 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2776 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2776 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 2856 wrote to memory of 684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 684 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2856 wrote to memory of 2124 N/A C:\Windows\system32\taskeng.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\system32\taskeng.exe

taskeng.exe {A37A31EC-5266-46B5-A5F8-5BA07FCEC621} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
RU 185.215.113.68:80 185.215.113.68 tcp

Files

memory/1744-0-0x0000000001010000-0x0000000001418000-memory.dmp

memory/1744-2-0x0000000001010000-0x0000000001418000-memory.dmp

memory/1744-3-0x0000000000520000-0x0000000000521000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 b06437ffb6c87f69539842cd536e78d3
SHA1 6799f24d5ff74fe1a045ea9845704bbbd1c818f6
SHA256 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
SHA512 b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10

memory/2776-13-0x0000000000300000-0x0000000000708000-memory.dmp

memory/1744-11-0x0000000001010000-0x0000000001418000-memory.dmp

memory/2776-14-0x0000000000300000-0x0000000000708000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 85adfc825e1e654524565fa313b7ddbd
SHA1 f92418c2f842c6441dc00eea517edae7a3989aef
SHA256 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089
SHA512 e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2776-26-0x0000000000300000-0x0000000000708000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2776-41-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-42-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-43-0x0000000000300000-0x0000000000708000-memory.dmp

memory/684-46-0x0000000000300000-0x0000000000708000-memory.dmp

memory/684-49-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-50-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-51-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-52-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-53-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-54-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-55-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2124-57-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2124-61-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-62-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-63-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-64-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-65-0x0000000000300000-0x0000000000708000-memory.dmp

memory/2776-66-0x0000000000300000-0x0000000000708000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 16:23

Reported

2024-01-23 16:26

Platform

win10v2004-20231215-en

Max time kernel

29s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000540001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2920 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1820 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1820 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
PID 1820 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 1820 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe
PID 1820 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 1820 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 1820 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 1820 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 1820 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 1820 wrote to memory of 4356 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 4356 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp
PID 1820 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 1820 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 1820 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4964 wrote to memory of 4308 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1820 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 1820 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 1820 wrote to memory of 4848 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe
PID 1820 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 1820 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 1820 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
PID 1820 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
PID 1820 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
PID 1820 wrote to memory of 3712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3712 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1820 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 3764 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 1820 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 1820 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 1820 wrote to memory of 4828 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe

"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

"C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe"

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

"C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000558001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1064 -ip 1064

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1064 -s 348

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp

C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 2372

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files

memory/2920-0-0x0000000000450000-0x0000000000858000-memory.dmp

memory/2920-1-0x0000000000450000-0x0000000000858000-memory.dmp

memory/2920-2-0x0000000000450000-0x0000000000858000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 b06437ffb6c87f69539842cd536e78d3
SHA1 6799f24d5ff74fe1a045ea9845704bbbd1c818f6
SHA256 38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
SHA512 b5df91d66098ebb0a31d07941c6acdfefacf055838fad81efd91efefa0e4aea632e57d144c43478f7fc3571feb158184a10b7a9e42a9f2dff27880ff5fec9b10

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 fa86f1d460a7f863325f062dda8a36bf
SHA1 5d307df15449c65842855566453da12126402813
SHA256 f312a712b312ce575f26579cf82e732fc84e5e5e683fa8d4a00e380656454fa3
SHA512 2779d42f04ca6f78ccc9333157058db22f4bc1c233a615a496430c9df721e9ce8f62429bb9957ae69db46e0dbd23f2c1ae60c0c7521a45a30c7751bd11ca10cc

memory/2920-14-0x0000000000450000-0x0000000000858000-memory.dmp

memory/1820-16-0x0000000000C70000-0x0000000001078000-memory.dmp

memory/1820-15-0x0000000000C70000-0x0000000001078000-memory.dmp

memory/1820-17-0x0000000000C70000-0x0000000001078000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 85adfc825e1e654524565fa313b7ddbd
SHA1 f92418c2f842c6441dc00eea517edae7a3989aef
SHA256 980cc8b7b2402208923282d976861c9a1ff309fdb9bbc2c5074ca114650f7089
SHA512 e67977e0dc8f06efe1e3656d5e0002ffe225c8ea9f089d2a79bef4ec77c1f1495f68c791a27cac8ff49c7567b97df4f309d037063b9839f636f62933f5a7a2b0

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 5efd94a0f19897373dac6a00810944f4
SHA1 5a9217ae14a408687e07ef128a50262a261e5364
SHA256 ec0ecfc997c11743bb181f82256b53d771bc6d06d17a485db722d997f44b0335
SHA512 ad9ca024b9b844fd3aadb5ab4f258d58cb68c15cf820540be61fddbd9e3d85c8fa760a3832096c7ba760745c255d08567bcc8d13ebac9c3ba913d0471b6bd6a5

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 be6aff72c4d6e40da56a8825749d3d5e
SHA1 511a81eb6b0d4e18417f61b1fe08d04af21e0b71
SHA256 1a5a4e81a436fe5f646cdf472038fa85f0e575b2de702fda0ad25a193fb5eeab
SHA512 62fbe25d77d024447a57ac23b91ac4e00f806511a3d3ae58e86c13db49fbfa9043fe0c0d914493891d6a3692c9bfd36f7e8b0b7cd3277a7ae2467b2bb18bd978

C:\Users\Admin\AppData\Local\Temp\1000495001\SetupPowerGREPDemo.exe

MD5 fd00a7b3cb181641d1167a8a7b0a14d5
SHA1 311edc66980d4d6cac31bb3f9c220e8cc764222f
SHA256 e0037f841624762468fed56cb21cd1fa43779dc8f884e94d6757759cbfc0b9bf
SHA512 d5a41d5f8a8af0138ea445e4819569eee5f0f662d36bcef5b5c4e324cda07a1948b77f2dd50c15ea6c4838cc5a5e8456e866e222deb70dfccfcf696bd2fa4197

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

MD5 5cf89e7442d8b62aba2f9df653a1c3b8
SHA1 34f5470689ad89911b1c0c7507ef64252751fefa
SHA256 498179e417816b2326aca3f4d0177f83aa0504a9d5cbee5214496dc6ba281c27
SHA512 9e8124687dbf637e2c7254ac70f4e7c49b2bedbadced8d71f6846e1191a1a23f162cb788707da14de5ef9316c0da3b61be3ea7e0bfa130fa111bfd240610b27c

C:\Users\Admin\AppData\Local\Temp\1000540001\rback.exe

MD5 afef438e7e1b511ae1a5601e65ab3cf2
SHA1 1c62c366e1dc8d89ddd4f773bbd80a6a6389566d
SHA256 7820cc2b787275804f3bc1ca236bad9780a3dec239943b97a9277f89b0610868
SHA512 ae483047d4657a2060842d8f1d034685fa6899efe77ca635568504f92b38539d36eae18020da03c732fd2cc1bf95ebab73c8699a19c18709c3fab0ad0a829c52

memory/2876-55-0x0000000000CE0000-0x00000000011C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

MD5 3ef515bb081e3a8546a39219bf1310a4
SHA1 65b19bc8100f6b67368c46b33d39ef441aaeaeb0
SHA256 9ae50d0f38c49c5e2a1e90d5bfa9972e551f8274f83fcf7182ab3ed38b2fd394
SHA512 22dcac861796e40936f536c3eb908d16fb33b209dcfe5ebd39318bca9134bcdf1504d01ace87b348d6fcfa3cb92f7366d47df1de6f07a64f8b9eaaecf1c2fbd1

memory/2192-77-0x0000000000340000-0x000000000043A000-memory.dmp

memory/2192-78-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/2192-79-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/2192-80-0x0000000004DE0000-0x0000000004EDC000-memory.dmp

memory/2192-81-0x0000000004EE0000-0x0000000004FDC000-memory.dmp

memory/2192-82-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-85-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-98-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 af50004ae65fe333d0cafeeec2918b01
SHA1 60486580aab90009096d9d83cbab73fd8768896b
SHA256 6f56adb3dab62c255bddc8a421de929e803d3cd5ebad17faf41a2161f5893765
SHA512 31fc762bcd29b37d8b49bffbef42198c911544d2f8141873f5afba0e425d8e55d5dc084d03301da489709e23fb74fc991b99de304cdd0b9084b617873cfaccd9

memory/2192-102-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-113-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-104-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-116-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1820-121-0x0000000000C70000-0x0000000001078000-memory.dmp

memory/2192-122-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-124-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-126-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-128-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-130-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-132-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/4356-134-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/2192-135-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2192-145-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-150-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

MD5 3cfc8006c299da8de8d9062d3a11774f
SHA1 e4f531c044beccf7fb5e9c54de841702f0170d25
SHA256 f35e2d01a8798985c0f02ece4b383b0bc2c7871cc9b1d2405f449514bde5115f
SHA512 f886238adc102f4f1e437bb3c0105ce74afaa0ade43aaa71b18f5ba4b8b45e93d9e4b1ad6c6ef8ac82821fc7b96e4072280d96967a787b82e6d9ff419e25c41d

memory/4356-146-0x00000000051D0000-0x00000000051E0000-memory.dmp

memory/1868-161-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2192-162-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/4356-120-0x0000000000760000-0x00000000007C4000-memory.dmp

memory/2192-172-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/4356-177-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/4356-179-0x00000000029F0000-0x00000000049F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

memory/4964-184-0x00000000008E0000-0x0000000000936000-memory.dmp

memory/2192-185-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/1868-188-0x0000000004F30000-0x0000000004F3A000-memory.dmp

memory/2192-189-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/4964-191-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/2192-194-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

MD5 0225dfa7020bbcd311422debeff72a2a
SHA1 16579ad191cbfad21cbcebf029a5edb3cfbbaf2d
SHA256 a6dfa73b2d16c008fe053f3166a4710f03d495008512f03ccb2e56b6f7ee2718
SHA512 bda6d6d4637262c2c8ae2ccaa1854d9c3cf54b3563b19e875ede7ed697a465bbf24c92f3567536774c9b39252ed6eac91cadd96079a7eb26bd8abd59d00e1419

memory/1868-195-0x0000000004FA0000-0x0000000004FB0000-memory.dmp

memory/1868-208-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/4308-207-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2192-211-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

MD5 82d7daf4811e43359671b17a339e43a8
SHA1 5fbe2bf87fdd024e2a0f487b7196148944c0d20d
SHA256 95f48b2679ad1b49345c9dd8dcbe950327823b384e208029d78c57c6a91b8845
SHA512 f2e15a1131d6e457f45febd7b9e2a5bd3e6521a9cc375279cf6a7eb86254c4747924f26ecf7f2bcd4fbe059040c662fbfd6a1b3fff40a12e64643501dc9309f8

memory/2192-221-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/1868-226-0x0000000006220000-0x0000000006838000-memory.dmp

memory/4308-225-0x00000000728F0000-0x00000000730A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000547001\pixelcloudnew2.exe

MD5 3a7caa98a29e368213038b05dbbc3316
SHA1 f634f19f3b18ae1ee29ed03cd432a6e0fb7c3f66
SHA256 9ca8491e681026dd742011704c54f30c207c6a4793032b9e9181cbe8b3727b22
SHA512 30ddfb8d5c0b7205664e88a7290ea5dd01a3b4c89894c96df0fdd9ffed6bfaab4ddbba1c5c00760c4db09adc5a50c9e26cce93e6066ea75cd96d1577ed613b4e

memory/2192-206-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/1820-186-0x0000000000C70000-0x0000000001078000-memory.dmp

memory/2192-181-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/1868-178-0x0000000004E80000-0x0000000004F12000-memory.dmp

memory/1868-175-0x0000000005390000-0x0000000005934000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 4dc62aa51086843a31d87236c87f21e4
SHA1 c7cdc373668dd8f7373a433ed0f3703843b67c10
SHA256 5a1a04657de632f044fcf0f4b089686de18840fa979a8265d8f9978f4feb5d27
SHA512 a876f4404d3be84ff8c36bd1005d844b0c22630cafb34631db7b07009c95f6564864a6811bb1b45ac415a64000748cb1626aa367d3deb8b616b6633bfde06658

memory/2192-100-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-87-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-83-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-228-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/2192-234-0x0000000004EE0000-0x0000000004FD7000-memory.dmp

memory/1820-231-0x0000000000C70000-0x0000000001078000-memory.dmp

memory/4964-229-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/1868-233-0x0000000007CC0000-0x0000000007DCA000-memory.dmp

memory/4848-232-0x0000000000C00000-0x0000000000C54000-memory.dmp

memory/1868-235-0x0000000007BF0000-0x0000000007C02000-memory.dmp

memory/4848-236-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/4308-238-0x0000000005050000-0x0000000005060000-memory.dmp

memory/1868-241-0x0000000007C50000-0x0000000007C8C000-memory.dmp

memory/4848-240-0x00000000054C0000-0x00000000054D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 819806d0b5540779a935d3fa45698f4a
SHA1 99a2bf758df8e9e7df20a9c31e0dfb2f80f35e5c
SHA256 70e05342b724c0bce02bb6b6251c4ad2e2f571e05a46f42b78769c87ff8158e1
SHA512 e8c5a06b9fc9681532eb740c0fbcf3e1811c9aaaf208d15e58e5d225cf891ad91896871a187d9d8034e03a223dccb89cc6488b9cb06efd4c862096dbd298a096

memory/1868-245-0x0000000005BA0000-0x0000000005BEC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 d8337d7ca38eddace5472f7a274b3943
SHA1 273fc254a6051aaf13d74b6f426fd9f1a58dee19
SHA256 3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202
SHA512 c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 dd1b934ada9b4482d700b7cdeb176388
SHA1 63a135054c20160836c4c05dd540247594e24e23
SHA256 1059587479ceb4a0480d56e00b849ddbf4760c763c30369cef28f48683807413
SHA512 ecdcf9ddd32b54ab8ff861edc0cb2a453d87a3be8578b0b17e9b111e8f1723e093263778544e88906b5a5da3cfedb489da79d5ae9c49ffc0c8a30f50b6258622

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 8b5cea8c7ed46163ce80a3cb96ed7ffa
SHA1 271aadf243294720b762fa1a2b49c419d42d094a
SHA256 d3dfe15279af2bfe0d1fc3eb288fcbf97de0194c53b5265646c673381da2ec9f
SHA512 92d334c62b32042cd5af9bb43d6adf89b97e490ce9e13548c5140b88b234dc131e780bbf7f7a667365f6b23c97eed01677af18eb771f7f905c703d5d646e42cb

memory/3712-317-0x0000000000F60000-0x0000000000FCC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000551001\crypted.exe

MD5 55e7a3c68123b83de9efdc2ba0c1513c
SHA1 3c1caa2bc4a25869286a293ca6da2d58a2cd909e
SHA256 31cb786d695e6b995b0a3faf26aefbd3d4324dccc3a65f70a6de96ed81d9745f
SHA512 44df000559f611b51988d8fa835742e8de5ed131b0eeecb003d0dbc7b418766d14e750de88f818a408b0d18cc495fcb16387d8a1bea485ffbd8fb26e5b4e3dad

memory/5116-320-0x0000000001420000-0x000000000147A000-memory.dmp

memory/3712-327-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/5116-331-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/3712-333-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/5116-336-0x0000000005A80000-0x0000000005A90000-memory.dmp

memory/3316-339-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2876-340-0x0000000000CE0000-0x00000000011C3000-memory.dmp

memory/3712-346-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/3712-349-0x00000000031A0000-0x00000000051A0000-memory.dmp

memory/3316-352-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/3316-357-0x00000000055D0000-0x00000000055E0000-memory.dmp

memory/2192-360-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/5116-362-0x0000000005E00000-0x0000000005E66000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 dbf9e2f7bc328d2d34c9ea07f0799d75
SHA1 5d32e0b2e0a3d01bcf52a0d44830c463fba8fa15
SHA256 bb300384eaa97f49783e25a8eab68b98ffe4263ffc5bb2f463d6141c306fc4c7
SHA512 8ccbb0332b8f2b24d1cac7e6f6866abf54c77883e124fcb2331dad8290917625d0c3d5d3c1f0e90ecdfd29ae107b6571f5d0ada8a933a5f64abe99ae7092f66e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e782c2b0123efa714944115f0778bf7c
SHA1 406ac9362164d2081c39ad4e6676447cf36cf989
SHA256 7139d3d88aa7df1d53afa7fe238852d7d39084f14f68ef1a90a8c50c1d762931
SHA512 85c8cf9d14c816d7491ed31232ad5213bb715f2a3580c1c0a9329bd05d196a68d6fa4901611bd637ed891550a57bb66ab6650cd179bb39b6becb962eec69e7b6

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 13d0884c9089d2118f3aeaa368a2c135
SHA1 68052e28c79ceda019076eb28601696da430cca0
SHA256 e2fad8befcd09cbd6acd298e9ac424bb7fe2fe6715fc9f9daaac3031921752ef
SHA512 2ecb2d96d66b87d5315ecc7b01148b6332658dc177306e021a4d8c81410f39c4d166ef56b1fef7532bd27bb162ce91ee6a70647dc36215a11eb0e08dd939441f

memory/5116-403-0x0000000006A40000-0x0000000006AB6000-memory.dmp

memory/1868-407-0x0000000008860000-0x00000000088B0000-memory.dmp

memory/5116-411-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

memory/4308-413-0x0000000008930000-0x0000000008AF2000-memory.dmp

memory/4308-417-0x0000000009030000-0x000000000955C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 a9b05118ecedd420f4b1f2ce59190c73
SHA1 f5e4591ded9aa25459d6d285c3edc71253c0e686
SHA256 9587ed1a4e7fa46194fb88cfd538b5afd2d314b9b9e65e14b7e0cc9f50f1f5fb
SHA512 5eb0f05c1ff1c6822e959f67492747b77ae66f305fedfe480461ef515c51a3269d59046e84a74a1e49e1b0591bdaafa0e133aaf321eb9b4271e0b84fdcd1ae1e

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 8072fad06b6e3631682aef7b992aef1e
SHA1 38fb90281b0adadac85b5bcfdfd49fe92159ff62
SHA256 14145a9d9dfaa84ba1146c47520ae3f5c42d7ddfdb15fd4ae002cff76280f7e2
SHA512 8ca6d8ca1a0b8dfff44c541aa758b76007257c84cab960fc608d29cf61e11232b4de2a1c5e5ccd56e3f8d85fc0c73676fc3fa42dcbcedb45f9173e0737dbee60

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 a58313158dd2992115db9c1558096245
SHA1 8e6541f675605935e91c056ac6657210feec7913
SHA256 fb67b3067f4358a36fdbbef28f170de634acf89c6f7a64c59047242d682440fe
SHA512 ea8206a430f50304dcfab067b3a47c5f3a89b814fde152303b7772f088c298a6906342afa030751b3b7165611af84186972a42a7340581e63c43d1f350b422e3

memory/4828-517-0x0000000000150000-0x0000000000770000-memory.dmp

memory/2192-518-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/4828-523-0x00000000728F0000-0x00000000730A0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/4580-538-0x00000000008F0000-0x00000000008F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/4828-539-0x0000000005090000-0x000000000512C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000553001\leg221.exe

MD5 486f4ed0ce0a0f6bd0b91c1a7a64ba4d
SHA1 6683edafd06175ff0ba79503a4e83158640c40da
SHA256 19edfed1458afe0206d76d6ff89a00cbb5f7453d75fdf20c38e8d6c3c4a44b69
SHA512 a17617eb07728c4203d6eb7ac51377a9633b5b5354b1b464997b842e1bf3a55936a5f763a0e1c05e2a8d6984a555812e78a0ffc8c7db866bf08fd8768838cfc5

memory/3316-570-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/4580-572-0x00007FFC8E620000-0x00007FFC8F0E1000-memory.dmp

memory/3888-574-0x0000000004920000-0x0000000004962000-memory.dmp

memory/3888-578-0x00000000728F0000-0x00000000730A0000-memory.dmp

memory/3888-580-0x0000000004FC0000-0x0000000004FFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 8373a7138e4be05be5ca90f367f88b53
SHA1 4a63bd53462d189ca225ccb40aa37848b25c735b
SHA256 75a0a6052267e0567774d6151f3c3673316070676c644bfac02238e48dfa7495
SHA512 fdb6bfacb69d393b12cda6a06af2193ee41a4bfbc04e4411b38c5102b6a5b5da56b0d22a927f153855360d4dbaa68f034c0dde7c2d50d2ee578f92d8744e8e1f

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 bb5f1ec262a41e5fad6a3b65ab7cf33b
SHA1 e5c6d105815580b67b75ac9455e885d7217edb4c
SHA256 85b674ef2f948b1323ca8db8006e65f69b664900dfeff9dabc72121e68249d0f
SHA512 06d6055ee0d43ecb1b38e99eb3e3bd2ca06a46021c66f07e37a569866edc7592af97d3b0a0e6a51488c4f945287f5f2f82d852d5d7a587978860d1f9547632ca

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 5ade1c438514dced57eedb017ae91f2e
SHA1 48c69e19d74f8eca5663214a7fe5d217639e458f
SHA256 0237e44f395fea7f7ccb5ffad108aab247b40f059611ab87a0fa9929e89a549a
SHA512 91e071fd19b12662045913f43d1d3cc88887c24f42c8e2b5b1d911204c7a72b9412f2b3c44584d5a4b8054ca53df845f5556e5dee9e691c759db4f00c65b9480

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1305705ab4eb7a8ff5a73874670d91f4
SHA1 a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256 d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA512 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 cd64261f1fcf115d55b9631daa818fa3
SHA1 e83ed6694f678ff8f47a5227ee7aadc15debea63
SHA256 7788463e620d46ac2cfeb824b5ccc2f2e15f7a3c27443f80cd67dd28936fdca6
SHA512 41f7165675b599d09a232be8bbd87104fb44a4a8bec37cbd019c995087672368900bf795b7eba3d9499936ea2272ef67a933b9e60fe3fe02dbc7abaf8d4283c4

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 b0556b40294ded239c61bcfcfc70cfc6
SHA1 fe5ce0c2f2cd479ae127a1ae94646722a7bcdc67
SHA256 2d440edcad1dbaa319cf8911e9cfda89f281bf2eb5a3501c4a5b4b0d8bc3c172
SHA512 1786ed69165649e450563249c8625650661e512daacab39eb3eed51e5620e4f593cb7d67fd2047130c13274e7acf3717885deefea3217f26e04d2ef9f14c6c16

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 60588ddf9545ed1717a115d23bbe2650
SHA1 a55850f51bb29b2284d335daae764751472d3997
SHA256 24af6e5f2466044746b8ef96b1a98fb12f5f1d9d9158475819f6704518a7a5e7
SHA512 7d4f16ad0266a13f38a67cbf8b295c41526a27f9f1cf8babb375aafe980c6e2ee3cd67d506151d998138f856aad9b4d47fdf163b77527e5363365262d97e10d9

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 6b67693b95e9596922a9c9cfc7424dea
SHA1 64bfaa0c589f03f68b309661cdebfd8c37128123
SHA256 f8e0dae140a0100a701961110d95545a6b79ac35db719a0165b36141d0472ac6
SHA512 8278302da64c8b40786bf850766af9446559c10627acc09d0ce76f856b69b0f0bd70ad2553c71e1441121059c6072d017d54b5d30ab6df760b1e25b2c9c6faad

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 219e7425b61f8b9f627e1a4659901f2d
SHA1 651ef7d25f58ddcc3d71d2d43078a9112929cde9
SHA256 137aaf991507d90ad86343ea960b798f349504fcbdc3b004ffd9a50366b6c1b9
SHA512 70c20cad836330c262939882b31456c17e19c7fb120f64642910f69cdb68a4bf9a97b9fc46e337f3715b73ba7e7415ac7454b38d97124d98c626a6b6a4243694

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8a4f07228fe7b7662cd3325c922c8cec
SHA1 7e2c31e479e26184c7614f15788dd9e3bd2842d2
SHA256 7697be742aaa8573573a1ea890088ed498929c84616fec321ca2ab28c22e3d00
SHA512 20b8ab6f0fc589a2dc6926f96435c9468b88df66f318a7408808163b8eba09e64a570a2d1bcf1f0d25529b461f4348dda9e5c945a60e48bdbca9303344cdb91d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6eb72baef8a4a31b19a0f629e9724b74
SHA1 302e4684912ab1bd17b7b6adc459c552e90694c9
SHA256 04fa418ce7e0dbf4af460d6d294beb2a5ecca848373b1612935b1743a3716039
SHA512 1e0867ac2df038017b0d316dd5289f0273173268367b1c65b92ca0f14e1b6116a31f8ca15d1582e20f9bf9e068595a8bea7f04b0b6ba952b5e941738e0507488

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 83ab0a86c2372cb57009cc424fd0edab
SHA1 0bd6af44999cfff3b18fdde7bf1ee25577b0e479
SHA256 4bc736d38978b1e4622b439d2117c609e2e758dd789698599ff94dc5d94a6910
SHA512 76f45babc7eb8085db89489ad9931aabcf8ae4ef5ab7672b60ce7faa7e545e86bd0aeb6c3a76bc74b2bd3ca7104a4923a69c4af3a1baed78945eddafb824e09d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 8438f44d191f05972657edd323b9c29e
SHA1 6efd1e211acd50972f453e25b308fdd02219f625
SHA256 29b922e391edf51228149267bc06abdded6061cec0b33406525879d5299cabd0
SHA512 4a2c1759dafbc36c2983de7f5bddb08efd3f7d2a406c97cb5e7f94e62747090855b73ae6650517b2a0649ada3fd3d2dc7141929b388e41a857e96e938c6b1d15

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 be5dd8b7ee665c298c372c4883c3c15e
SHA1 f996f23d5a9d9702e564b94a658dddba4e185660
SHA256 ecc729d531520e7efb7fc1f228032466412c913df6bba13bdab252813dd01098
SHA512 6cf239a6c29ce95def999c786d5b3836e7355f56fe7fc3210f6e1123e83d97a3badc5a5e1afe7b1718195bfd4d0a7223f2fa9af6214e2af5a0922532d5078930

C:\Users\Admin\AppData\Local\Temp\nsn1829.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 36f3f687b8decdb8c10bb8e37269c045
SHA1 d00aa71aa8afe08ac2043d2c7bf1148ded8efb3c
SHA256 72fa1f3b9d3e6a3f0b1ea7d71082e2cc627059869ba90b0ae01d95decb14e665
SHA512 7002cc5be0a2c489491bbb79c15069569709704030b6b191f28fbb7abd29d5213f37b9ed09f1f1c1a4e26c0b0db281e7e8e0d84dc75f6754b85332ee69910fff

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 20b354fdd28d6b4fe49525b70a5ec430
SHA1 4b7078c023746e7951b1f24babcafc6d46974ac3
SHA256 8616ee6f0b24187371e7672086fc8b07689b23ef57406fc4f97cc6f5dc1702ee
SHA512 3931e9a0393084741c9847522f5b26f9d3beb176fe03e868137791cb2b2b3388b3c1bccfcb398a7151ad052190a11e70cf747a0fb6da219fc2865afae6a4ba2e

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 60508131840ddd4fa6f54a02e5d6b403
SHA1 583d449d7aa76e48cc40e6c9a24427a85c78bff2
SHA256 b010b034d81991ff1a7eb83e2ef0c4df87c247c17a118397042ffa63322d4695
SHA512 73bf32de014d6ddc50fb52e840c8c10c9f94cd28d2f36618c666fa38546d35dd2e7ac9341655257aef2079f5536a53435e755ee5ec51cf7b79ba440ee8b4c893

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 860e0617f44c84cc971030baa3a39314
SHA1 8c8a5c31cce66d3b97625f86145cc3eaa100b845
SHA256 82682f993d396f5db3b38569c11f862aeb7dc237e24a2ca65168fcf020a46827
SHA512 dc9b1b4f8aee53990c562c1f78b2b8e4e724a4ed57cde3d2b39302ac2d6d4a2bd2cc043d3c582b6db1618a421a666e70a1c63f193593fee0bdd6dcd1ebb9d400

C:\Users\Admin\AppData\Local\Temp\1000559001\moto.exe

MD5 b99871f8949c4850247bc9730368e8b6
SHA1 efc88adc7f5e95d4dc7532b2f1b42f49ff4d0a2d
SHA256 59f76f9c8e32899754ffe63f346b4e5273a27687f177b97c484a8b17119cec95
SHA512 cf389934d838df529989682ee06fc9f95a3294a813bd47ba3a6dcd881302c2c8a54ad788390040c7fb9cb084b31ebcb6b269689ba4a384f86ac71746c368d679

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log

MD5 cad4caba9aaab897691a633527fd5cc8
SHA1 b3e4fc90c296f60de8a70dd1ca52c88b22311fb9
SHA256 38b0058c079ea95bcee72a59f4d1d2bc11320e2a088939960c9b9b78ca4a9f1e
SHA512 57ed5bd94d12472b5d9792061a4c5c399ee0e46eef7aa2e39fdfc220f434bfedfa344f1a4a63fd72fa3bf3e0c3553ffb97e8f9f16d11f0fd207202a6304ab746

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 a71a5168dbac0876c7974546a814dd8b
SHA1 060a85bdbd71cc1ad3bbc01d6ae43e32b8b1a9da
SHA256 ebe19a0d75c70bd55e895c2dd9fa3d95f45e79ed42316e4ea4aaf7563eb99e6b
SHA512 98a06bccdd14af80fbfa372dfb771f8e2f04aef95f5b4d26fdb5cc2bdd3b7f1caf42d598bbe9a444ad516beae107a611675a7116709eeb4a853b6fce3e098e5e

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 4ce056331aa0e38bb9feccba177aa153
SHA1 0f3c6db67f9f9eaa03acdf2d77eab1b3f4d2092a
SHA256 2a46e83770df302a8dac7bf8f6dd2d523632b69e078d733a31b9bb0ec49e23ed
SHA512 fb8b26a3fcc87fabc4dbce91c19be44d718776dc7cd2ca4ead9c3ede09324587e67c1ef99dce40acc1ef3d58e8b820be1c95042a7633dd7d1ab5d65ef6cfa1a4

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 b34325f9f7c18f4134272c5fe59f30b0
SHA1 14a446b3d4899ce9b501533cde3edc855ea09d37
SHA256 702793f0b9028105b299e0e40b7cc5be00c96963794b76f1754b7a8d6f5579c7
SHA512 5663be2cda4de18d6126a755e24d6768622cd318628678c6e4234163a1abedcdf2379d1ad9b362363113b903ed2a340caad32c7aed0996853c1913d5552d4dd7

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 17e957ecc72c22c8442da2dd008991a8
SHA1 967e6a0fe9e28267a38cb52c6ddeb895ad1d38cc
SHA256 56e29da6687f6ad5df129ee0bcc83035bc4e59459196837bcda44188dc8dc680
SHA512 ba3d6d11bd5e95ee2bc50571b1364644b33992f575ab6d6d1a09cc56e476c43bcd799818975d9a7921ce5ee49dc4bf1c6044fa87ec6cd69a77daea523900f3e4

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 245f02e28fe1574906720615d4883e0d
SHA1 38e9057fcc598fde3e470b1ab0eeb69f3229f053
SHA256 03bde54164dced4d3815d628ce99185a8e58fd03c141678b068925fdb9d44c80
SHA512 39127e76ad2882f47bbc0563dd361748c124183355694a66e00976ffa47f62e50dea251cc8643811e589a78d04e2dc86ad1a9ce4a43fce92038372909152d771

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 3c4aebbf12cc57418ae88794215458fd
SHA1 34ec1331ed610007877925e0675e7c057382f92a
SHA256 7fd366bd22c1ea1839e307a5839c8542454272ff1641c605f8fc7a0266cd5d5e
SHA512 19cd71cea3701e460c338b1e45acaabc6408ed87353545c8e44acbc5ce8431e41f45426c8312347efdf7429eed692dfa429df10d3fcc0b62cc1977065a19572d

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 6e55770eba7500da3e894de3d8234d14
SHA1 0f430fe67aea46eda508fd569323fda7cf1863f8
SHA256 5a4fc4d3a965c48a47f7270dc3cc45aa2cefe4cea7ba3d68ff92cca730e3bcea
SHA512 5de6858cd607b1c27d40e7167a44668ad541b162be967a53a8f996e729d850e6cd661cdab08b15e7bceb98f53a1cef1008e33fc2467f66128a7c9b4e1aed9da4

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_acr5rrbs.2w0.ps1

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

C:\Users\Admin\AppData\Local\Temp\nsv1F9C.tmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

C:\ProgramData\nss3.dll

C:\ProgramData\mozglue.dll

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\ProgramData\Are.docx
