Analysis Overview
SHA256
38ef6e6e48f23addf853c7635c9444a3278f4875c10acc146457668deacbaedf
Threat Level: Known bad
The file b06437ffb6c87f69539842cd536e78d3.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
Glupteba
ZGRat
Formbook
xmrig
Stealc
SmokeLoader
RedLine payload
Detect ZGRat V1
RedLine
Formbook payload
XMRig Miner payload
Modifies Windows Firewall
Stops running service(s)
Blocklisted process makes network request
Downloads MZ/PE file
Creates new service(s)
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Reads data files stored by FTP clients
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Program crash
Unsigned PE
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Gathers network information
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-24 18:01
Signatures
Unsigned PE
1 match; no description, indicator, process or target recorded in the export (all N/A).
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 18:01
Reported
2024-01-24 18:04
Platform
win11-20231215-en
Max time kernel
78s
Max time network
148s
Signatures
Amadey
Detect ZGRat V1
5 matches; no description, indicator, process or target recorded in the export (all N/A).
Formbook
Glupteba
RedLine
RedLine payload
4 matches; no description, indicator, process or target recorded in the export (all N/A).
SmokeLoader
Stealc
ZGRat
xmrig
Formbook payload
1 match; no description, indicator, process or target recorded in the export (all N/A).
XMRig Miner payload
16 matches; no description, indicator, process or target recorded in the export (all N/A).
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000582001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000582001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Windows\System32\Conhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\System32\Conhost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3620 set thread context of 4704 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 3620 set thread context of 1236 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 2424 set thread context of 4504 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\system32\wusa.exe |
| PID 2224 set thread context of 2912 | N/A | C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 572 set thread context of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 4076 set thread context of 4368 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-191 = "Mountain Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\Conhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-232 = "Hawaiian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1721 = "Libya Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\Conhost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1972 = "Belarus Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-121 = "SA Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\Conhost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-211 = "Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe
"C:\Users\Admin\AppData\Local\Temp\b06437ffb6c87f69539842cd536e78d3.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000582001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000582001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000582001\moto.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe
"C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe
"C:\Users\Admin\AppData\Local\Temp\1000586001\TrueCrypt_NKwtUN.exe"
C:\Users\Admin\AppData\Local\Temp\1000588001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000588001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000589001\kskskfsf.exe
"C:\Users\Admin\AppData\Local\Temp\1000589001\kskskfsf.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000590001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000590001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2224 -ip 2224
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 380
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 688
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 776
C:\Users\Admin\AppData\Local\Temp\1000591001\gold1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000591001\gold1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 940
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 956
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 948
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 896
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 980
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 984
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 988
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 944
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3544 -ip 3544
C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3544 -ip 3544
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3544 -ip 3544
C:\Users\Admin\AppData\Local\Temp\1000594001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000594001\leg221.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3544 -ip 3544
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp
C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3544 -ip 3544
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 412
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"
C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 768
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1936 -ip 1936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1936 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1936 -ip 1936
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\1000596001\flesh.exe
"C:\Users\Admin\AppData\Local\Temp\1000596001\flesh.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 408
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 412
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 700
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 808
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4740 -ip 4740
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4740 -ip 4740
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4740 -ip 4740
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4740 -ip 4740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 996
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 952
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1664 -ip 1664
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 2472
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 4740 -ip 4740
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\explorer.exe
explorer.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 932
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 4740 -ip 4740
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe"
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe"
C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
Network
Files
| SHA512 | 8fc0bd880d3eebe7f12cb4afc2dbe22a689304f2b53eaf77193080f3ecb4411034913abc507fb0ce8852f798d4ff066a1a730d7eee52e7c3ccdac86b9ca7098e |
memory/1116-412-0x0000000002350000-0x00000000023D8000-memory.dmp
memory/2912-413-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\leg221.exe.log
| MD5 | 7edba3ff9c22c09c3871662b3bed4340 |
| SHA1 | 66c0372c879689986cbf051230a95cc220c7986c |
| SHA256 | c225611368024d4f8536bab4732e064419323f74f8b0aa5ea2b479ae61923dac |
| SHA512 | 24e07617493290bdb25b7ffaf31f092567a7ab8c00a28913ce6c069479f0e34475b9d3cba65d2d49ef713a002735d4b5c63f89d45473271bcd06a05716f262e0 |
C:\Users\Admin\AppData\Local\Temp\1000594001\leg221.exe
| MD5 | 567c8f8d4bef7272cf1d4a5a8616b362 |
| SHA1 | 30e9986bdd6a809e96368400add8c5ddf3f6b98b |
| SHA256 | 2378548747efdca9aa74b194d684720e17ca721dbb925659a5efc1c31277f634 |
| SHA512 | 3219521053ce7900eda4d8ecaa33bece4a3a303e46531de6a083265917d8d20dac711009573f133377724f4900af4efa1d979fe6ac42bcc7224a6e7c01c33d9d |
C:\Users\Admin\AppData\Local\Temp\1000594001\leg221.exe
| MD5 | eba0947c5b1946452a630f62c2e89072 |
| SHA1 | b3f0693eb721063f47abeee16c2ec3f7537177d6 |
| SHA256 | 60bbd4c31c29c16d706208151801921edbcc6aa6ad5919d3f1cabe7e36c9664c |
| SHA512 | 923e83d24a6a413353da3fe464354b27a9374e4e6e66e095b2ee6883d52bc909f39087855ef7bf585fee2a06b4555fc99fe72514e24d30eec62940072d69bbf4 |
memory/4504-357-0x0000000005100000-0x000000000510A000-memory.dmp
memory/2424-356-0x0000000002880000-0x0000000004880000-memory.dmp
memory/2424-348-0x0000000004EB0000-0x0000000004EC0000-memory.dmp
memory/1664-449-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/2424-346-0x0000000072D70000-0x0000000073521000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000591001\gold1234.exe
| MD5 | d4d341b559876e2445b58d0bb7e70960 |
| SHA1 | d56ac2e0017726e818481a871fe6bb9c7ccbc157 |
| SHA256 | 02dc6dbb581b430368292dca6112a20c4e19d8d93fd7a9546cdfe5930d8a5124 |
| SHA512 | 5dad1ee082a671fece90100471fcefaf1888ec9b874e1f1078f408ac36db489445b7e09c2ca0b65b99bc465eaf17d87e4fe314e624f5ecfc6bd68379e1e03266 |
C:\Users\Admin\AppData\Local\Temp\1000591001\gold1234.exe
| MD5 | 5aa37a6845f500f6fbfbb0a3d50a0195 |
| SHA1 | 6ee34c202355b1b86109c424cad1158e996f5472 |
| SHA256 | 7496cca85d08f8d37b3a296919dbc9e4886630da07b1d3b2db18e4044ca7bcfc |
| SHA512 | df7d7c68f39b57db29edabfe4b05712657205349da1f5ba534699a9425a3e1557acb5ce40ef28e0e2170817724c67607dcc963c325d4e9efb6b0501fc8b02186 |
C:\Users\Admin\AppData\Local\Temp\nsg2E60.tmp
| MD5 | 8520a91e8c23d1f30b95512008d30c6e |
| SHA1 | ca055b12e1afd7917e64843b92821a6d502003b4 |
| SHA256 | 4e987fde286567374cf6710ea622a0c5f62dcec25ed4c96cb792f77b9b574427 |
| SHA512 | b817181bc863c5926b059a563aec097115c30efe94a953838284b35b1c1cf4c73b11a51b907bd098039667fd372f6a74f474744cdcbbb0b0001ae235dc40c06c |
memory/3544-304-0x0000000002E40000-0x000000000372B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | c40cd63d57fde50aaa7791cefa3a2332 |
| SHA1 | b26103dd27c18b98d23ec317d9ee0fdb9631a7ba |
| SHA256 | 27cd028d82d66dfdf42a60c1412f79629aa951ad3403605681b40ed0b6daa654 |
| SHA512 | b46ef942dc4de3812db29757f3bd515f8878202e54c13a62ed58d3e77c82ec74e08e5efe3e631335a648e28d2edd0b051562a1f972c053f4d9b96ba23843a5d8 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 23ad99afb82759682bef378fa42c4cf0 |
| SHA1 | 231df644a6547af0dd2639998e605cb25af2a404 |
| SHA256 | 46da4dd39d49b20cd5f925132776e46531fba3ffa1c4aaac4455884cd0e064c0 |
| SHA512 | f4ef0189e752c5f63c0c1dea55fe8ccdb61f3222536392ed6467c781d58b3bf96eef15753fd16f8b4ef42256d702c7464e7983f14392c06bcc04d6020fd42c90 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 3ee75babd9921fe65f98ee8f4af48426 |
| SHA1 | e5f709b6ab826a2c7ed2c102947fbe8ba1d9042d |
| SHA256 | 9a49fa192241db8c231de43e7934f7656af98f56aafc846b74e568aafba372d9 |
| SHA512 | 1d0d6dc2dcfa6f33ef1056287412e3488fe7a659aa752d558e79070efdb7a6a0d43caad3daaa6d500c2cde7d9a49b1984e5e04c069494a8d943dc0008edead11 |
memory/3544-294-0x0000000001090000-0x0000000001495000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 43778f5a894b11545ffe8c1690ae8c9e |
| SHA1 | 062e01b0f00bec0605a33cee2e7d59ba13a9efb2 |
| SHA256 | cdebc567cc71fb3e2b24f332a7439bc167ef18fd20917838a30f3977fc44cf03 |
| SHA512 | 90965d58ec9076891cc875b6a04f93a035d314bc8e379f3bb58929eae1b0629ffce6365bbca4cc4d31c30d7cdc9174c21e76b00eb0095ce2487194366b650cff |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | e93f21ec7fc9e0a6052be5a7929a0480 |
| SHA1 | 0f99f79018749f9694122ca2c2f2f9fd189ae637 |
| SHA256 | d5232b2cec981dc4833aae041e91cc60c3e85e9f3aaabb44d8e61a6244b8411a |
| SHA512 | e8c539d6d4e855becf46707d9e8acfec32182a034fa20e231f34452b79813de9044b831dbb0051c84ce0444a7bb3ca26675b754bea4874e574448e718d92c904 |
memory/3136-287-0x00007FF638710000-0x00007FF638A9C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | a6fef0562abecca0d7b3567825ae5b99 |
| SHA1 | 2fa30153197cf09fd9bc36a26c062ee69644be2d |
| SHA256 | dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b |
| SHA512 | 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8 |
memory/2224-286-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe
| MD5 | fdb4a71e5c5a8d04c3c35d72158bf93f |
| SHA1 | 9270eaa75f3fa719f4df999db4a0139a1340c98e |
| SHA256 | ed28f0c013da760bd8acf5cd687063d6195d8b6e53e8958f8f84a4377f0118a1 |
| SHA512 | bc86f9e0df54483b88c9e8106527ad295d42781e9c126348a930e09e57c6950525d2c0023539dd7c5534009346c5a7d4d38bb925bf4295cd84849b495d9ae73c |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | e2ded737aa3b0b2d085980de63377adf |
| SHA1 | 3331ccfd1b0958c370f8410cae35d3905baefac4 |
| SHA256 | 5d2b00f43253b4271c15ffb7ea8c01a2571e724c46ae2b98ff22fb6dfe2c8726 |
| SHA512 | 26f9ed8ae16457f0ffcf66011c1f2511f7b069f4784745aaa7f2a6c64f868110fefacd3a3759be4107523934cf85b9f0e8767deb00872bafc3d32919bd15dd25 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d34706692def151c54159b0ff5e0c4a2 |
| SHA1 | 663e6da6c147dfd97041ed588e37fc1104c79b05 |
| SHA256 | 0263fcaea3da7a5216a87ea4036122a2115fe8fd95bb8bee572cf3a32ce99883 |
| SHA512 | b8b2bc31ee0bacee021429f36221b9f685511f5c1a1fff3e3c1f72286232e04631f8079970e628b749f88df9674ae1628725bdf4b99deb46211f5db50d01362f |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 08abb7117c3b221a34c61228706c879c |
| SHA1 | a1fdefbe8f7acb8b272ba5d8aeae26464bd88728 |
| SHA256 | ab09b44ceffa5c636b3f741766000277c2384dc13e7d299dc1c769de276cf18c |
| SHA512 | c5ebd3de4cab47a68a41284894b587c40e5a7bf5cd66a577dbe8986449aaa9032727501c7d648aa484c06478a3cff8dec860cc016b9c3833921816343c48cca2 |
C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe
| MD5 | af8c0e4182f50205ecd4cd2fa619a976 |
| SHA1 | e01f30b6f907e7b1d87a560e88b48cb166fe78f4 |
| SHA256 | 30baedab23858443dfab67e3094c32216d9dcb66fe0545690b3a9b9983cd18e5 |
| SHA512 | ba11a78db3d7537b60bed980ea2a1575fd9f25c8b6061ee1f3d29a94a3616c87360a4744750b4f6fd12dd518feffbb8499d0ddc27a2ab525b96e902389540fcc |
C:\Users\Admin\AppData\Local\Temp\1000595001\rdx1122.exe
| MD5 | 44180603c7fd5cabab96c70258467dea |
| SHA1 | 47d72eb50ac7311e7721ce0183c4246511e800cf |
| SHA256 | cafb82da8e9bf8ccdcf7a63f098c06d0f7f32fdb90c5a66beb4c6f02adfb88b2 |
| SHA512 | 5871691dd8be3085bcfec2c8ac276385d5b60776568ddd36ee9e14b769601d399bd5d7a6fd3b139c298cfae9392b30cc8b6d7776249590eaf29094d33eb46755 |
memory/2224-268-0x00000000004C0000-0x00000000005C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4fe7bef521345515a1a3e94fa4a25c3a |
| SHA1 | 081fe1bedaabd9586b4c3af635814de71d41467d |
| SHA256 | c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4 |
| SHA512 | 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 64115033e69c9c6a2908c9acb1bcfe35 |
| SHA1 | 75e26037afecaf578f932040b44dafe55798373c |
| SHA256 | 0d2e1ba641c84ed7a45a91a92f95b7c43a1a1322634a56b856c3ced6e7a531fa |
| SHA512 | e1ca8dee87c482678bf9a4716862a156b5fdd0717807e20be7d91ccf1c690bb5e7015a947009f45fbc1053b27253fa04e6b0e269ed4cea905bdb14f2bb681f97 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | db16330b0133e7933fd4c7ffa5a96e90 |
| SHA1 | 03012d746f21e17783d2eaac1ed3f084994d6176 |
| SHA256 | a1a308299784f5e12ef9349b2a5bab0ce486e01516585bc4df357f76fdd4e979 |
| SHA512 | a07e5e8d91d7fa1538881e25e402118123c62b9218684aafe2a611f261421103f4b1f0639debf15bf273a6cbb141d08f2f68c6b2ba63133fa1ed5947308b0fcf |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | f6746dd007d3e70201ab9f35b2646275 |
| SHA1 | 37f1ec47f8b3f79a87e1cff916d93c0b1de5b336 |
| SHA256 | d30a01b907a2925c3ea8d5c28983ec2f8f5353271f9ccc21ee087804f85f5927 |
| SHA512 | 14838e44f655078de5fc58f74823f2697dde912b6a270e241969144158a281dcc54640fc19477148d5f00655e17b927ac0623ad931eb203fe8e2a63f2d2b0c41 |
C:\Users\Admin\AppData\Local\Temp\1000596001\flesh.exe
| MD5 | a3c2b3d8f15e9eaf820fc9dce7e0f180 |
| SHA1 | 0149932c9250acb5709f05c1d5d47f4d4adc25d9 |
| SHA256 | d3d0f6eeb4d3a9b221a7ded937d4159559c184259ed9ee68c6697aa182efab65 |
| SHA512 | 281f0f5b045c28604c5496e999ab6f01df8fa937d101b5286985cd7f5fbc4c5a9a62171b0b7eed066f8a5b08a6cea41cbcd72b31df79514d92a3fb559120ce63 |
C:\Users\Admin\AppData\Local\Temp\1000596001\flesh.exe
| MD5 | 145f094cae23ca42b02d5a422fc0c770 |
| SHA1 | 7f2d5efde38e63ea5277944c4627bfe5ae8c8035 |
| SHA256 | 72980bc886555090a309d7093bbb55184e066b1623540fc659f0b2678bf01a20 |
| SHA512 | e09f7902b902ca15644af693831ab3a04119eee2c79b6542bec762f9fa997b2af9368e19b55668bde4e32b7a969e95003ae682f363a41bbdec6656fba946f7eb |
C:\Users\Admin\AppData\Local\Temp\1000596001\flesh.exe
| MD5 | aa9b122f1f565da2a4044e1e66414c75 |
| SHA1 | 85dfc3c33ed8f7bade7e64ecf8e3209fd8fac96e |
| SHA256 | 6fcc0f852346c06580c530836fc6ed06d8dd1042cac43d0c7b5184dc957b5dee |
| SHA512 | d10c5d50666b3ebdc820f1bddb25be99340ee0b232a9526f78633b50afdfd78f3faa7c3bd6fa5d2b7f9b17485a9d158952305392bbda41d16c49e5fdcd5114de |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 5d3fc5ebec42792eec42678b8d3d0c18 |
| SHA1 | cec0f4a78e9d075f843d7f6da2f545a1c8209085 |
| SHA256 | b2e44646d0bcdbb670bc0602d02b012034aee769b58126330a804b8e7b4d2ba4 |
| SHA512 | 6ae3edae16107beb9bdcf5b965693e828d93497e2b13a00fb68759e5bff851ca48df8b3a068f68b3012ad7c3c4c2399a1da5488de1d14a5c2368ff2d138a20ff |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | ac4917a885cf6050b1a483e4bc4d2ea5 |
| SHA1 | b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f |
| SHA256 | e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9 |
| SHA512 | 092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 37ae00b73cc0f2feb72b26c707631057 |
| SHA1 | a681550963e47a936ccb265294f4efc748bcf742 |
| SHA256 | 897149d505bad5d63406270d5fec86e8f471da0f68235176db91b45c4e78c05c |
| SHA512 | f14f0919ebcd7508da8ff7f49fc9e5b25a96d97a9ca2e35ed27a8583dda0e3969ff1c04c10fda121ccc22aede2e15674fde35a2b95582ca160ee637f4a61bb8c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 028eba1b710f525b65a008fb08f43601 |
| SHA1 | ecdd1ba370c72d5690c75b350ae85ece00b678f0 |
| SHA256 | d6d70b83587427a09e3d1985173a583ae6452614344be93d3fc2758637eeadda |
| SHA512 | d0393e78d84f1fa0ec38836aa4090a892cc9c6ccb4ad041d47341ddd2ff49f377bdd48416dfa9fe77c0244a254ebaa0c493b6fc88ec270b2f84d72707f8273f7 |
C:\Windows\rss\csrss.exe
| MD5 | ad42e3a9b53c733c6a8d73ad0bee1ff8 |
| SHA1 | 46eb858dc1a17a9dd58f06e8d9a69c8a9070f369 |
| SHA256 | 6fd63f74b31a3a69e4cfa89a95986cd7d3ea77c6d6e4a08395ab3e85607ae9b5 |
| SHA512 | e987a7d433da9986f3fc45c288674ff6a63d6a8bb49ca195be0c690a51e58bac38dced1beb5a881e6c466bd101e01cf3fdcbb42208c08e908ea147240af73563 |
C:\Windows\rss\csrss.exe
| MD5 | e9095c98da367cdf49903dc419ca4a48 |
| SHA1 | 19837a605c1f15cfdd11ced62cde17f0018cf19f |
| SHA256 | 70841d73770ae160e7a09b97e407b101252a9ab20ddbc27984af180afdf7d82c |
| SHA512 | 3a17efd1ec0697a00f7d91ae25cc501646163251f65f14545c06aeba7e02c30200fa3a21b70f60b610566a5fbd805dc58efd09171304dca611fa4dbea27fcfc9 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 67beb54e7948f609cceb862b5c88e9d2 |
| SHA1 | 0e9e02174be03e6a146ff983c3570307c1c8fd82 |
| SHA256 | 9f92a78e31b64ad587eba82cba96787fc2ac06cb54644b4287f7f8a479dc623d |
| SHA512 | e2649cc676baf732c0d736311e4c8592692d9b79db6f170ba4853cad79275499c985473be1ef3406518bcfe86cfde2926da8a76122e7153120bc2c1d37b10673 |
C:\ProgramData\mozglue.dll
| MD5 | e7d32944b2afe2d427f0c2f82576c889 |
| SHA1 | d238e52fad3cc674dfdd4f4892e7de99ff253a26 |
| SHA256 | 12f19713b8ed50e57eb8063651eb0dd8f3bc19cc22ba08b159ca8d9de8c374bb |
| SHA512 | 29183b155bd3ce788229edf01df2b651807876cc32665cba69b52b3031edacd93afc5761cde2432ae97342c894165afd3eb9738cd0e1e40e08aef24499946c0f |
C:\ProgramData\mozglue.dll
| MD5 | 3cdfaec7385b7b5ada10dbc9cb32963f |
| SHA1 | 01f3f5e1176759a2bacd90ae13b2b28a87509f5b |
| SHA256 | 997fb794fd79121b2279515e2b29e43a8e40c1e1f6290e3245519ca9c6e41a52 |
| SHA512 | d6e04a4e0ae2b87bf23a48b68c8fc5e535eef0f0f28da1f7a687df686b5363a319c8560b6aa02a88f91906f61f383f9e43a76883c5ab01f5c454042dcc43dc4a |
C:\ProgramData\nss3.dll
| MD5 | 8650e508b5c94af27b396c576e8807e5 |
| SHA1 | d2c16a032f2186cef0c5997b6c4f3dbaaf877b9a |
| SHA256 | dfb36244f2309789515ac8570a07ecd033c28634295ac260fdf6eafaad9227cb |
| SHA512 | 323dbd9895e0672948f058f78a9b4da1e144e517783a4f105a94348df415afd53aec4971bbc1fdae122cb7aa9c3e29c7ddd637b5f89abe2e2a92f1c647e49205 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 654d1ebf10960da225819c9b0bfe14fb |
| SHA1 | 10df9535c923c4f387d53af1f140702c22f5ca18 |
| SHA256 | 23ac409ff871c2ce872586105c4b1103ca075130d5180b54aa3138a63b7682dd |
| SHA512 | 8c3ec2c2aa809700ae85ba7c95b86c0ff15198ac3fc91b3a50a5179140fc7182a452c8f1720bfb1e902ead6e1ebeb1ff9ca0ff4634e49c2374d0c5e850ed6b0c |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | e60127b3e8b4ce88960ef1c651a9dd6b |
| SHA1 | 13e0ea7b290fe2e3279680363ad0c9c7bc57441f |
| SHA256 | 4d915b692e3122f38834b65684122e99d2f2eb909d5a856806a45466e83ecc54 |
| SHA512 | b7b05d55f71183c34529a69f3689dbdbe7996dee216bb6be8a9e74010580c95c3f2eba763eeb1e7999a83e22e78019d55588f2c511d986b24903415742a81160 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | b578df09b30fdf7da585c1a23a5450b2 |
| SHA1 | 02421ca07ccfc304601a95240622f65c027c94af |
| SHA256 | 48146f6eabf8a3e1692f40240587a58b520b9fffb2ca3d2346f57ab88a7188a1 |
| SHA512 | a69109cab74af9533e4e3508a02a3572e9f024b443df4d0a71b0f59d565d03aa95579d80f7f4561f16dde96c8744ff213a4808f0269d0c874d8ad73b95ee4454 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 22076bca9d4bf58568332aa9ab316a87 |
| SHA1 | 018f93b87b49c9fa228dd1082c118c4a0ef35484 |
| SHA256 | 36ae4feb7ec9ee7252b0b86888174886b433f2a596b6d5fdc3ec621a3cdafae3 |
| SHA512 | 094a70f5dd91d6628c3d3497f5bef8b1c9310262e037af7b05badbbc57009e4ce7eaff109f989326f00d644062d58fd48c1b765fb544898729451bab90f4e450 |
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
| MD5 | 05f4c05dd47112810704d1b798c91380 |
| SHA1 | dd8df0563a2d969360422d0e92f4be3eef390cb0 |
| SHA256 | 588782a4d9f92b223a664319848cc14e37df14421bab17189e542c3c296db35f |
| SHA512 | a32294a8aea03b04d1ce6e41f6c51828fffeec9db4b4e73af90728a0d795ac8fcfc589f63d4ce24bf241e58eb0ef87d99e1ba8172adfd751c398ffedab8c9ebe |
C:\Users\Admin\AcLNEOqcZExWYNI.pdf
| MD5 | 88de5843d1989b605b68154572ae531c |
| SHA1 | c04515e86f654026bbc217844bb8ad69d86d1c86 |
| SHA256 | 00331d153fb58e21baaa916a5db3490eca304bcb9404ac6be9b192002132a141 |
| SHA512 | 42657bda1d04df00e763fde8ca15c7eef231838f48ba87570e9445f29e423bd9cd3136d180a520ff21456ccbc533467e93f8b1e91caf37fba87a0b3ecfc114bd |
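The dropped-file listing above is raw sandbox output: a path line, then a four-row hash table, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries interleaved. Several paths appear more than once with different hashes (`crypted.exe`, `gold1234.exe`, `rdx1122.exe`, `FirstZ.exe`, `rty25.exe`, `flesh.exe`, `C:\Windows\rss\csrss.exe`, `C:\ProgramData\mozglue.dll`), meaning the same path was written more than once with different content, so a naive "one hash per path" import would silently drop indicators. The following parser is an added example written for this page; it is not part of the report or of any sandbox tooling. It validates each hash row by algorithm-specific hex length (a row that fails is an extraction or copy defect, not a usable IOC), groups records by path to surface the multi-write cases, and emits a deduplicated SHA256 set for hunting. The sample input is three records and two memory-dump lines copied from the listing, plus one record under a constructed path `C:\constructed\example.exe` with a deliberately truncated SHA256 to exercise the validation path.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hex-digit lengths each algorithm must have; anything else is rejected.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HEX_RE = re.compile(r"[0-9a-f]+")
# Table row as it appears in the report: "| SHA256 | <hex> |"
ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([^|\s]+)\s*\|$")
# Memory-dump artefact name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed sample: entries copied from the listing on this page, plus one
# record under a made-up path whose SHA256 is deliberately truncated.
SAMPLE = r"""
memory/5096-305-0x00007FF637A60000-0x00007FF637AB6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe
| MD5 | 9b46b57dc0adf3e119c5130c87fd26c2 |
| SHA1 | f4a9f1709f7f451d758347d88c9768574f1dd2c6 |
| SHA256 | a1dea3c9f77702dfc94f848528840d4ef97eafbd72b6687f897f6808c831a46b |
| SHA512 | 788d22d1e02d0a60c86d1fe21bf877d4185bc27a7a6d3dfe39d47d330e5d861cd32bed79f60968556d177c8c4ae5a0673ff7ef62bd52a2f5eded45d352b1c86a |
C:\Users\Admin\AppData\Local\Temp\1000592001\crypted.exe
| MD5 | 101340caee5a25abf5e326fd8e56993a |
| SHA1 | a6b0da6bcc34321f3f72e29f875651bd2ce24ff9 |
| SHA256 | 0d8bbd929db02b2b8f489cfe56869ac1fd2cbec1b5a20a77ee111301201ce131 |
| SHA512 | af1c13e32e150be8aec1e0d90e07b2bbd0114d2478cb1513964363b020cb1b08583d88b56a354206d1f11b857d076275ef5fc1ca2d511a98663bc4420b390e9f |
memory/1664-449-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | ad42e3a9b53c733c6a8d73ad0bee1ff8 |
| SHA1 | 46eb858dc1a17a9dd58f06e8d9a69c8a9070f369 |
| SHA256 | 6fd63f74b31a3a69e4cfa89a95986cd7d3ea77c6d6e4a08395ab3e85607ae9b5 |
| SHA512 | e987a7d433da9986f3fc45c288674ff6a63d6a8bb49ca195be0c690a51e58bac38dced1beb5a881e6c466bd101e01cf3fdcbb42208c08e908ea147240af73563 |
C:\constructed\example.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | 0d8bbd929db02b2b |
"""


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algo -> validated lowercase hex
    bad_rows: list = field(default_factory=list)  # (algo, raw value) that failed


@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text):
    """Walk the listing line by line; a path opens a record, hash rows fill it."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # a dump line closes the previous file record
            continue
        m = ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, value = m.group(1), m.group(2).lower()
            if len(value) == HASH_LEN[algo] and HEX_RE.fullmatch(value):
                current.hashes[algo] = value
            else:
                current.bad_rows.append((algo, value))
            continue
        current = DroppedFile(path=line)  # any other line is a new file path
        files.append(current)
    return files, dumps


def paths_written_multiple_times(files):
    """Same path, more than one distinct SHA256: the path was rewritten."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f.hashes:
            by_path[f.path].add(f.hashes["SHA256"])
    return {p: s for p, s in by_path.items() if len(s) > 1}


def hash_set(files, algo="SHA256"):
    """Deduplicated hunting list for one algorithm, validated rows only."""
    return sorted({f.hashes[algo] for f in files if algo in f.hashes})


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for p, s in paths_written_multiple_times(files).items():
        print(f"{p}: {len(s)} distinct SHA256 values")
    for f in files:
        for algo, value in f.bad_rows:
            print(f"rejected {algo} for {f.path}: {value!r}")
    print("\n".join(hash_set(files)))
```

Feed it the whole listing rather than the sample and the multi-write report is the interesting part: every path with more than one SHA256 needs all of its hashes blocked, and the rejected-row output tells you which table rows cannot be trusted as copied.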