Malware Analysis Report

2025-01-22 10:26

Sample ID 240126-gxledsghhm
Target 5c1e965d21ddfb6972824827a6ad3ed5.exe
SHA256 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
Tags
amadey redline risepro xmrig zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic discovery evasion infostealer miner persistence rat stealer trojan glupteba @oleh_ps dropper loader rootkit spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f

Threat Level: Known bad

The file 5c1e965d21ddfb6972824827a6ad3ed5.exe was found to be: Known bad.

Malicious Activity Summary
Amadey

ZGRat

RisePro

Glupteba

xmrig

Detect ZGRat V1

RedLine payload

RedLine

XMRig Miner payload

Downloads MZ/PE file

Stops running service(s)

Blocklisted process makes network request

Modifies Windows Firewall

Creates new service(s)

Modifies file permissions

Executes dropped EXE

Checks computer location settings

.NET Reactor protector

Loads dropped DLL

Checks BIOS information in registry

Reads user/profile data of web browsers

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Manipulates WinMonFS driver.

Drops file in System32 directory

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Creates scheduled task(s)

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 06:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 06:11

Reported

2024-01-26 06:14

Platform

win7-20231215-en

Max time kernel

167s

Max time network

183s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A

Modifies file permissions

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2424 set thread context of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 set thread context of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2752 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2752 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2752 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2748 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2748 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2748 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2748 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2748 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2748 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2748 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2748 wrote to memory of 392 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
PID 2748 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2748 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2748 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2748 wrote to memory of 544 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 2748 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2748 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2748 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2748 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 2748 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2748 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2748 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2748 wrote to memory of 1384 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 1904 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\system32\choice.exe
PID 1904 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\system32\choice.exe
PID 1904 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\system32\choice.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 1048 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2748 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2748 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2748 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2748 wrote to memory of 1776 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2424 wrote to memory of 912 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 2748 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 2748 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 2748 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 2748 wrote to memory of 1744 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 2748 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 1576 wrote to memory of 2896 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\WerFault.exe
PID 1576 wrote to memory of 2896 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\WerFault.exe
PID 1576 wrote to memory of 2896 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\WerFault.exe
PID 1576 wrote to memory of 2896 N/A C:\Windows\system32\taskeng.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {B66B5301-23A4-494E-8CAC-0434A042401B} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 604

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 264

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 604

C:\Users\Admin\AppData\Local\Temp\nst789B.tmp

C:\Users\Admin\AppData\Local\Temp\nst789B.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 88

C:\Users\Admin\AppData\Local\Temp\BE7F.exe

C:\Users\Admin\AppData\Local\Temp\BE7F.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\e6aba1ea-de9e-4a06-878f-429825eb2e30" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\AppData\Local\Temp\7861.exe

C:\Users\Admin\AppData\Local\Temp\7861.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

"C:\Users\Admin\AppData\Local\Temp\DDE2.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
DE 45.76.89.70:80 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
DE 144.76.1.85:25894 tcp
NL 80.79.4.61:18236 tcp
HK 154.92.15.189:443 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
DE 20.79.30.95:33223 tcp
NL 94.156.67.230:13781 tcp
NL 195.20.16.103:20440 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 brusuax.com udp
MX 189.232.10.46:80 brusuax.com tcp
DE 146.0.41.68:80 tcp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
PT 194.38.133.167:443 racingcycle.net tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
DE 141.95.211.148:46011 tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 ftsolutions.com.pk udp
US 64.31.22.34:80 ftsolutions.com.pk tcp

Files

memory/2752-0-0x0000000001050000-0x0000000001458000-memory.dmp

memory/2752-1-0x0000000001050000-0x0000000001458000-memory.dmp

memory/2752-2-0x0000000001050000-0x0000000001458000-memory.dmp

memory/2752-4-0x0000000000620000-0x0000000000621000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 5c1e965d21ddfb6972824827a6ad3ed5
SHA1 3267ccd4de8c23ab99433235d5529937409162e7
SHA256 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
SHA512 2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

memory/2752-15-0x0000000001050000-0x0000000001458000-memory.dmp

memory/2748-18-0x0000000000D90000-0x0000000001198000-memory.dmp

memory/2752-14-0x0000000004BD0000-0x0000000004FD8000-memory.dmp

memory/2748-13-0x0000000000D90000-0x0000000001198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 f8f73b867727ba2da6db30a8951282bf
SHA1 77a9013dc3956723e24d571ed32719050c788c91
SHA256 d053de48d37ac29071fbc230adb897b80160a88d381322ec2b00f9177d1ba0cf
SHA512 3bf166d8706aecc7fec785848f465b0c5d6d2f9b9a9f1be0c73eefe2c2dbaae6f7c7ba8231b9f90ebcbb56ec18dcc1229c4381e0ef36c58a1ca6aa4d11d1052e

memory/2748-33-0x0000000004880000-0x0000000004D63000-memory.dmp

memory/392-35-0x0000000000E60000-0x0000000001343000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2748-46-0x0000000000D90000-0x0000000001198000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 d09b17634c4c041cd155b573db9407e1
SHA1 559e08af74dc0dbf4320da35b3be6c7da3693546
SHA256 fc933130eab350154d0939ef56ed5944ddcd0b909e1283b9b33fa884fbcd2750
SHA512 8d7a77718dc977b559a589ebde2c08073a92e22b16d5ff309801c396d2e41db4e639d24155bd39d73de5b5f7569e189ba781229fddbf606fe8604b49808a6352

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 2660aeb7a3b635dc3b1b2f9a920d75e3
SHA1 7c8cf8fa75447c55b9c09b2c06623f6b11d3d533
SHA256 ddf3d083c24276901c4663da43bf3c51ed20875c3e5cfe33cf402e8a92c8f1a6
SHA512 7316edbfa44790b3b02f6e84c1750d14f3b8e8193b9a518f7240326c83c611e3dfd196e1c1b76a69268f16acc663a49404973df331ca3e5935d04f700df14871

\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 8677f564a90c3fce16f04f115aac94cf
SHA1 d8a837dd45f998a2d94349caa11db71503920ba6
SHA256 b84b9e7cc4910b6316bc9799cb3663a2856aecfc2caa2d37bd4da40d97a96a73
SHA512 afa5587c4e41122b025675f520eda201d5f4198e50b3848f6d0933fed6c71d219fdf3f79cf0ea89a1600086d669eb4a71aded900d3f0cd27e6752d0baccfbcbd

memory/2748-63-0x0000000004880000-0x00000000052BD000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 3590c8c90e84dd350e0558f1fa93d192
SHA1 2f4bc18c0030d10f93cb9b259bacb1cf18b5991a
SHA256 a7c05eb9170e76fda3d76e283ec4226ba8d32be41e173e78bfaa5b779a4f7203
SHA512 f9f7ecdaf789302b584c3a491778ee26b940fb47d77871a3753315aca3ff8fca115c0d88ebba66e1c61ed7e042a9fc9948e85ebd40a1298c2b1dbcd512f8bd6a

memory/2748-64-0x0000000004880000-0x00000000052BD000-memory.dmp

memory/544-65-0x000000013FF50000-0x000000014098D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 94a874bece82ea6cf8c7f94e1d83e513
SHA1 d0a6f872a8984139a546e2ee1c27f3886747c2ae
SHA256 878c8859220f4cc7cc90df5629c2f3d38a0a0da0b658a7231c35184ccd2c0e23
SHA512 7de6ae3bc94e0112eb27acc39e97671bd3b4fd9bb63d1f12c30d06be610ee74e266be0f435892e398a7ec50b9b0012f4e2b7b62358ad95dfef2ea4129a69bd3b

memory/544-98-0x000000013FF50000-0x000000014098D000-memory.dmp

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 8a8da349580e781a1bd80b74baf61b98
SHA1 1868d8425881d334b6b6ac1e754cb788025f237f
SHA256 9b04c797292ee092ea8d6d35981552e189e3f067e8144ef186a91340a9b63cad
SHA512 863f95d34647e2576c5a97b510506fd1e94ad2bcd97d439ef4486b998a08ec0d932236d1b198a2a988bb1b2878fc2bd021e9a85376b6f9fc70ba51a381d8c710

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 07ca98b8a7f68122e4a2619882d9957c
SHA1 fa949b30ad5ea4f7f3c85f4a9a97694326bf5369
SHA256 09f169f6581338ec15bfc896736426cec166b5ec1c6f1c240b8c748b04275533
SHA512 1dbd9df53a7bc137ae892813bce772cfe864c7d15fd789e95d85c8b0bb513373a68e05eb59041b1d236ab23e26b2e4fe8790fd64ba4bfc8840de4d016b3ac2c6

\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 9f0e16fa099aa8c28e38f73c4be95d4a
SHA1 ae9d30236420c0941d73b9eaa064abbd4ed11da5
SHA256 9224454094f913f297602730b57de65db7041f9ddb4530cd37434fe02ac7538f
SHA512 a27aa80ea96a6d852a0aed9fe9a70bcffdb560786f789be418252b0bf1dc00881e8413e5781fd92bdd924997d7f8ad0cc7886df925a0e18540aac9ecfef72b9e

memory/2748-102-0x0000000000D90000-0x0000000001198000-memory.dmp

memory/2424-103-0x000000013F5D0000-0x000000014000D000-memory.dmp

memory/2748-104-0x0000000000D90000-0x0000000001198000-memory.dmp

memory/1048-109-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1048-108-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1048-107-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1048-106-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1048-105-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1048-112-0x0000000140000000-0x000000014000D000-memory.dmp

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 e32e9cb01f0f50e7a6fd396fcd01cca8
SHA1 3488f9c0589ec7a355cf05035cee635092c37a6b
SHA256 0b1a8954d754df59dd7ebf80d58398c458d4883e1fefb2549eb05a600da0fb28
SHA512 7a8f83f83c8f0d52cb18070a6a6a7b624e511171d59e28c1d816dbf931f83bf96905c5890ed6f60ad1ee8ee2ba8f04d6803078aeb8a63faae3fdd0489977e9f9

memory/912-115-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-113-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 7422f7694ddc4096a916d8cc21f8500a
SHA1 6fe68d845edf90817792317a8ae50cc63c253fe0
SHA256 89281abfb1056eaacface8a016d278643a3efc09c1ede9a3170f27356d7b8e21
SHA512 51b01bc49c75c093176e2926fcae8f8f7075fb49bc11f8621eedfcf99f261c73de5f1cfbacf7e9668e059a123c892d58c9e773fee36335be05f2db5cfeb4eb5e

memory/912-127-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-126-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-128-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-116-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-130-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-131-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-135-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 9c50787afcfe05bccbc677939420a8ab
SHA1 302839ef6920772afc05a381bead457402a51341
SHA256 95da1f5821a2ec20854bb54e2af47e2d546f498bc4f0d0ae49dc1a66409280a4
SHA512 749c9f5e1e4f40efe95f9748988adad4445d9e8972f6f8dfc668bf22efb6d05ea4935bb7d55592d4fde6a39d33e60918ee0a68632e52e23050e768c9d0ec16c1

\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 6573abee7390dd46100ac8d6baac09bb
SHA1 0c454f4f7cce4b4c1def4c494a89da7a9bfca140
SHA256 0a42c733489f9dba2a8c88633d4d72767ccaac8ab6d0bdb38c34c871c32cd45b
SHA512 da5b48a652be203a36cba82e3c763595ae7d761152f4cd02d142fad7e5200ae823d9fe7a026d17e92ed0ba05066be773e93f4d3b820907655a503db0d4b716f7

memory/2424-138-0x000000013F5D0000-0x000000014000D000-memory.dmp

memory/912-141-0x00000000000B0000-0x00000000000D0000-memory.dmp

memory/912-142-0x0000000140000000-0x0000000140840000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 a26ea4e6d5270125e955a738d0bf341c
SHA1 564548dcfc28c79ff48ef36bf21678947873dc95
SHA256 770e32af61475604ed9ad342909c2a9f9e697e625ea7754fbb9547b951814db8
SHA512 6fa2fed42bd4219f5df85e1e9ea82c9d256576173cb995760667cbe5db4ed2debf7b6d2091e7989e5dd86be6d26848cc4b8c141f3be7798fa5dde01c8e3c6913

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 7f5536c3ea81a377293ffddd50129bf9
SHA1 a209c2c31876693ee8eaa144c40e4e8c6612e06d
SHA256 4434216d1c512a7229c769deeaffc1490a82f956fc83fec1ce21ffa090f429be
SHA512 c29b3b818653ca36cd2350be2a9ce3fbcfec17ba0f8844fd819c5d4938bd1a1bd30c74c673cd918565f20308457d24081e6dc40a05d477f5afe40d458749edbb

\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 a4d054446836e383eb0c7be8cae227cd
SHA1 01af82b28457a41cebba0592114970e62d2c3f97
SHA256 c36c6381b7a4e649fd5cc2eb50a5ce1479f1104d27679a35a660ed9c7bbbda90
SHA512 d4608db4a2b92395601f217510ebcbf1a05c06ca28bc15724c5fa68fbbda455ae65651f6204bb9b36f688d819806b669f60ce9b11dc237c53b5fa5b5689cf6f9

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

MD5 90978afe7bedf36de2f51584c31e0e78
SHA1 69e1aa356fdccbec0578937356ce1a3a1a4b7654
SHA256 ae52881f5b6bbbd3f6d577285b9db5f02675f8a5b06eb64a8afb1f2716844d5f
SHA512 391eb21269b99867dcefaad8ffc70d96520eaafb30749ca4b3a6266847a288c3c921e65fe6cc5b020f21e0a23bfc5e190ed95a746521d49dfbd68c7c43ff737e

memory/912-157-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-139-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-158-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-159-0x0000000140000000-0x0000000140840000-memory.dmp

memory/912-160-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1744-163-0x00000000011D0000-0x0000000001226000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

MD5 c3efa951c7a7701d71d7409d3f90de43
SHA1 aa3901104e19c0617aaad428e39035a8e28a6f68
SHA256 b10b275bf6b973546780a206d862d31d7da94ad054e95ccc03f4fba11995c4cd
SHA512 2efd9428a110daec0b9ca24680275dabdc7f6dc1413165642c2d56b5042f36cd502d71571e2db0da5140e849fe86f861e2e646051d6d128fe542fb0d591f4b4d

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

MD5 135e456d4a7fcd688a685e6551d675ae
SHA1 4962ca2c529c11977f7c7bdfdd8273839fd8782c
SHA256 961f4f8c93d9bf713365b6e88e791a5f02a423a818cccd168e7d86804f6e5d00
SHA512 bdfde9c92e64cde62d07525b2407aa85d668a9d69ac170913d01ba2066af1abb7c00f994a043bfafffdc51463107c6cb71f61042767ec7dcd56d095387478104

memory/1776-179-0x0000000004E20000-0x0000000004FCC000-memory.dmp

memory/2840-178-0x0000000004660000-0x00000000046A2000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

MD5 abba23d716f61ade1c2e9d25928f0fc9
SHA1 c71905206a937011627ac76dbe72c3cb2a0f9c0d
SHA256 1c57c168405c9324a906f1fd3b40a36814c815899150e64dad9e24e7414eb33b
SHA512 11363c783d9ff8ede1b5b8fbee5cf1d465a8cd8421d496c881ba15f55d2e8fd2bedbd84ded544239648abf75df53fe23abb0d228eb32466583ebbd5970e390a8

memory/1384-162-0x0000000000DE0000-0x0000000000E32000-memory.dmp

memory/3016-161-0x00000000010B0000-0x000000000111C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 eb4da02fa30cef5e8ab727042a3b9335
SHA1 21a2f60db4bd3403e24640dc4dcdb68333839d85
SHA256 b83eef2f58a52b710eab281fccbae316d9dadf84508b3ce85bd72cdef3dbac96
SHA512 8eb9610af9d6ecc778e761dbb112524012c8c460756e33a7b01e86d69e4e68560328059a4172eae79f070d73ced0713c207b6d86b9dc402671cb402da881282f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2896-195-0x0000000000D90000-0x0000000001198000-memory.dmp

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 4f79f277a8354bc0fc18ffeb9174a841
SHA1 4f2c6ae642bf8f1a6bc07ce65e0cc9ed9c7597ec
SHA256 2758f4d595530bf8ae579b2a055e98e703923d084fd70f306d29a2622a0b4c1d
SHA512 5e5e08706575060de5cfba6098ad089f56f4225f65a8d851eeefae1a578a2f42843c96491d375079e41c33c137bf64cd98513ca11670f6599a10af72b6179124

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 57847c4c8c1136617f2426d2554ecbee
SHA1 3a6d89d9bc79aa5b85ac268735ff332371c69a25
SHA256 4d8f042e6b26ee2bd3e76616f7a5909c98d0f99cc568b2be5214baa2aa78290e
SHA512 a6219df1acf27020ff96acd39a4c92e1c6db4a3cd52ba1c4c0d7116268267f4ecb66ffb91d1ebf0ed051131d707749474e6783dd81ad228cd1338bf9497d057c

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 433036891e15f403d1da1c060d582c03
SHA1 945d9271cdeb31fbaa3a520a6390af46b3aa50c9
SHA256 0fcd33b2dd821dfd0110edbe56b6cfb13cbb28dadb4a94400affc6077240d531
SHA512 c663b5a010d082dab50498bbfd4b615825dde2a6f4f168d056d15a8c4afdf119c63d662a39583512ee71051df0fe5bb917de79aeb350a637f5450ab38876320c

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 93e30adb2df1a19448c3af78eeede794
SHA1 1aa5f21e6bd658039a0a5c55abdfad97dff3079a
SHA256 17593f7fe2190c3f96bac0880b7d2b43f7c1391a9c4742e6b4c9d87a5ae0c5a8
SHA512 f4e6d3af4382ad46ae20f31303871e3ef488f6dd6fe7ab2f5cad164bb6c9e7c986f282a92d04f4c7495ac9134340a572ab6b4bfae9db530241c08cb362e47fce

memory/2600-204-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2600-205-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2840-202-0x00000000046A0000-0x00000000046DE000-memory.dmp

memory/2600-206-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1776-201-0x0000000004C70000-0x0000000004E1C000-memory.dmp

memory/2600-207-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2600-210-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/3016-209-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/596-213-0x0000000000400000-0x000000000045A000-memory.dmp

memory/596-221-0x0000000000400000-0x000000000045A000-memory.dmp

memory/596-222-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 b42b486e8e55035076114f5b8da97c63
SHA1 98aecc3c7bfc55dff0f718769310eac122ae35e5
SHA256 48701fb4c814e8f3e50efb83ad11bf30d8bf09dce0b990a5aa36f7b6603130c6
SHA512 422de2a874389a44b1c92a07b7b5b8d8b1a7006ff919e4b513d5def827966a9ff698d9655315caa9eee1fc59d39fd69d799092c578ec7b06ec4228435879d77c

memory/596-235-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1384-226-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/3016-243-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1776-244-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/1744-246-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1776-249-0x0000000004C70000-0x0000000004E15000-memory.dmp

memory/2840-248-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1776-250-0x0000000004C70000-0x0000000004E15000-memory.dmp

memory/2840-247-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1776-254-0x0000000004C70000-0x0000000004E15000-memory.dmp

memory/2840-266-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1776-268-0x0000000004C70000-0x0000000004E15000-memory.dmp

memory/1776-265-0x0000000004C70000-0x0000000004E15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

MD5 9cfd3a72e354922513c723854e5728ee
SHA1 1f0ed12732d7adeb0a23d51052514c76ba8b3656
SHA256 dd187c9b62db78b37be02b33d43205624484707052a04829e59b18cffd9d9cd6
SHA512 0a9b4d9a426d7d3c4e5702e1674e7129faa9d51020622ec813d72b62a26cddedf4a1d4e616e3c0ddc3cdd58c20d8e3d26d530d8b4989d7625c1ce8c8be9913c2

memory/1776-272-0x0000000073FD0000-0x00000000746BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

MD5 dc6872eacec5a6787f12e39e8e04ae2a
SHA1 1ec7528a1b051f434f521ef831b83545254c6f16
SHA256 bf91ec9080d52af7d3ccdec1e859f04308b7e3db3948f89ecd5695cf591149cd
SHA512 238c3119061593848be30ba8e0fdfcad93073831de4fc72bab31b35617e634c4f56a088cda46c04d1e2a15f7f86accacf58d8c0d9193cdd8af3cff2b5bb209e5

memory/1764-288-0x0000000073FD0000-0x00000000746BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

MD5 21eec361934eef3f509df55eccfc684a
SHA1 4ea2ae1cae9366f1d4f6cde7b8fc791eeb2dde31
SHA256 ab8a86f0064ad9a4b6c5315e5723a4857b8c57f0d0126a907cc50d7ea8ac8b6b
SHA512 bc9e4b7e23b03e02c88b2dbbae2ae9c233cdff7488f08fe779242653db0545605f8d271e454824d91966fc62252c846bac2b9f3b4eef73396fce050a741bc7c5

\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1620-292-0x0000000004890000-0x0000000004936000-memory.dmp

memory/2748-294-0x0000000004880000-0x0000000004D63000-memory.dmp

memory/1620-300-0x00000000049A0000-0x00000000049E0000-memory.dmp

memory/1620-298-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1384-275-0x0000000004DC0000-0x0000000004E00000-memory.dmp

memory/1776-256-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/1776-252-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2840-245-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/596-242-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1744-241-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/596-238-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 4a216adeea2835984a59e69609ea40ed
SHA1 4e851650de9fa9ef64a03f4df29cba58dd8684a1
SHA256 239bd98dbbf2f8f3fb4fc2f2adc5618873cb9d9cc3907691328f3dcecc0c70cb
SHA512 cc4b296be8be82fdccac885629be9ab397bbac84ccbb9d6d2475e30864839805569a05f5dea7433b1b7a97e402640c8cee68538793d7d9cc482ef4b027f9bdb4

memory/2600-219-0x0000000000400000-0x0000000000452000-memory.dmp

memory/596-216-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

MD5 f9485be2fa41f3182adc887ebe8d58c2
SHA1 2da0ddc3dd609e714b8f73145294103ae455bc18
SHA256 e5abeb781f3ebfde7ca4ed6dad2cdba9bf5574c7b103fd679c83affd7562a527
SHA512 ac72b0794def32d3fdca378525f380d8828878d8a217dc70371e8486e72afc926d32eeef33c7798693609a567c2c6e7ac69173c667aa12098f2afd9bbea4be00

memory/912-312-0x0000000000110000-0x0000000000130000-memory.dmp

memory/2600-215-0x0000000000400000-0x0000000000452000-memory.dmp

memory/392-214-0x0000000000E60000-0x0000000001343000-memory.dmp

memory/2748-211-0x0000000000D90000-0x0000000001198000-memory.dmp

memory/1620-326-0x00000000047E0000-0x0000000004886000-memory.dmp

memory/392-336-0x0000000000E60000-0x0000000001343000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 0e9b7cb9d45b4d226b6f44a327f8b6a0
SHA1 71ba48ee79d0363ab538978cf67b2446491bffdb
SHA256 95db0356e78e71d4b3943d0bffc00ed8cc3677d7272dfef5ac563cf7b4b5e8cf
SHA512 518e6379846bb72e51990aa95e167085ee873d9f7b52bdbf44e960d2c60d2397bf51af2d7b15e968bb58e3d627fb8a974baea8ec918ea57b783b49222b9b409f

memory/1620-339-0x00000000049A0000-0x00000000049E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 ca482e935995aa63660830599b18a68a
SHA1 252533e8c6fe18827c1cff2ae8ff3065d946116b
SHA256 9165784cf9e175b0332826a529480b6b2da8ee1ec6d63743f93bcca43d484032
SHA512 8c5bf4c5f7c00dc74148cc71bed9db33271b2e5b3f8ebb520d5669c96787d9d4d5e27b8e72d6b4cbca28092b2868570c0310672d06b0744d4d9529cec0a23d8e

memory/1620-346-0x00000000049A0000-0x00000000049E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 73f3287cb09bf53075444168b088fca1
SHA1 338aebe637c42c735293fb388b33f06829397728
SHA256 36e6507cc94ce946039f61e23b18e47cc669a657d2d31d5a1661de94397071a0
SHA512 924984b5203777347470eaa80589118ca262fa7970139f0ea71545098d86ab3ba227b1ca583ad9c21e2aa22105177ee4eb72b32af3dae069b5ef244d0cfc6042

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 b6cf95b07589996c70c5dea5480c6585
SHA1 d33fd1e123a6afe4d232d7b86e8f895b2ca488f3
SHA256 8fc0af6225ca2e6799e44492060ce2538867fa0adb46f3badfe0e1e9762a1041
SHA512 962d51698f0958d097f8828c205fde292ef6f77d3c819daa4de42abe113362486d4c5a77f14f54f044e28a8f7efc5b17380a6a741601767ad5c06d03544f5ac6

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 11d0bb2b4f010e393d4a3810c5dc8cb8
SHA1 a40409267c956549d880027da115a622fc052b03
SHA256 8df1f6700e78b8fd80b42caa223d5d8bc00af29d66f5d3b2b214da1032031ae3
SHA512 2877043eaa849d6905c3c606aa1f5b69c3b3aaf36ccdfa55aeec8b80289f9de72bad5a8ac5b76594b63bee51c665066d737211db4e3b54648b62aa9577f105a0

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 52d55fef169d2b85e0e0ef82722ad4fc
SHA1 22ed12168ca609151c629a9b5141bdccef11aebe
SHA256 1f7861dd15de882cdbf57e99e16fd1d4d171e931c70526944968f543c86b279b
SHA512 047062f653cd1fdc4710996fc7924313221733997a4c05f6fcae6d5b6018bb76253d9958791e54ad6a20d34f9b1e3432527224873dad1ea8d4acdc6f7d618176

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 bc8bed0c4f00b83ccd37642be24b8c9a
SHA1 2353a7523214745ba9f57d5382d12fa5d19e5e83
SHA256 31d6b481cca4ddbe409e0440ff7f59e9eb5b283841887056929460f0349342c7
SHA512 9d0a4a63710f558c048762191275c5abf881f2dd864b17a5be67e5841f5e2fba221a8aa65aeec4eeb58945bfa8f37e14cbf5c30c697dbdae3deacf0e5df85dd4

\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 340b1683c7f31eade2383e5e67c84817
SHA1 9d73425c3db2295a0e58b41ff425041807089123
SHA256 0a3cdce66c251198465c36986e82ca335b8e362bbbfed3007617dc752fed0d9e
SHA512 cc936fa1a5b7fd12702dac490bc71fc68a25decfa73331b6c90f65d11b48c0675b560b6d45b4054fcab412b6ba6e5ff87476fc86b3da03a8cc8e26c160cf3470

memory/1620-342-0x00000000049A0000-0x00000000049E0000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 be1fcc275f61be8ea04caa98a17b1e7e
SHA1 7161e51c8682824698ccfb1f3eefcb36a7a357ac
SHA256 ad93fc5863097cee62aa9f5a69d7145795e3a8b6ffb5405de51352b9458d95cf
SHA512 633d3558f17828babf864f55b890de4fd06c4f2a2375af52fd63c4285b1bd41f58852befb3596d62e3967a6ce20391941dd3a22a1ffe5d3438bce7e4e0cafc46

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 5f6b41ea62d3ca3d583b189f2f645258
SHA1 905ae63bfe9f71c55b8421cf4e042f0d812b463b
SHA256 a9ca06c53f4bdb9f154e1b16fbdb739a52badffa727c278dae94d7f1d62ae3c7
SHA512 2bb4c091648a3af6ae689071d27ff4f99a1ca9202c3dc136a6fd9896795c12b58a818042cb8023fc39b88c528ad95ac4b9ef44b10c5f0ea43d0fc852cd14e5a4

memory/2656-384-0x0000000000FD0000-0x0000000001052000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 a39626f94e78d5a1b029fcb1f8c0034e
SHA1 e86c4e1cfc5c2f7fcee9ecc690407c4b1187b99a
SHA256 3c08d233aa2c310363c9e0ef37f73f0a84812f44507e2afec5a3b5cb6c084a37
SHA512 b806cc78a243e7f982b8fddadb938b9beabd833143b8a7eeb8a1bfba3120e789153ffce8b40ad786cfb51cdcc99b5e539b1569c27224cd562afe8dd1477d532a

memory/1776-387-0x00000000027C0000-0x00000000047C0000-memory.dmp

memory/2656-392-0x0000000004D40000-0x0000000004D80000-memory.dmp

memory/2656-399-0x0000000073FD0000-0x00000000746BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe

MD5 5e10772d9861a717acf0c55f161d125e
SHA1 a78a6336adc2935ef4519282521abdf53c3cd2c9
SHA256 9e923396a1c67ffe7873a08750046420e974b93165990aa271fc045f569f99ce
SHA512 81a3d915d87c3df00411b3ae88d6bb5e3b699abd8dfdc8085eb6999c4a9ee70c9f91996a6e975f9a0478328d6b3d913039006bcfc2fe7e29ff7cf84769c1ffea

\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 fb919fc450d53e699b5065c8231f5866
SHA1 0c471aad9ab853f53c64d9954b62bf62c908ef1d
SHA256 1534a18f5d7ade6c54d92f172adb7293eebc997eafc33d1a6ad8de6223a55c86
SHA512 f1c5b9cd256c2360bbdf0c03dda7db6c1642a390e4b53ba9b743433b9b3f49c9d1e19a371f30a43053a9d9e2a4e685cd724d25eb22bc10636c0818d9116dd70d

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 1fe9d507e5c798f8798cb0999a40ff20
SHA1 2723e4f7e5be8fafcfd8988d7de101ceb4407fef
SHA256 a3b91ea932a3464fc5bdc236ab8661037682632d9e6fb0e4221aae95423b4f17
SHA512 1d7546f40a3f7f769bb315dbd957dc41d917cd204432c6914109f53ef541ad96e57bfc908d2cd24403f4a11dedf66720c2af7be163f87a6d65638efa3962ee3a

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8fa01123e7f54d7780b1a10884bfd7ab
SHA1 361eccb16da00aabf214ac0779de44ec2dfde23b
SHA256 5c8f20e7496ddf0fe4fb2d2d3dde58577f7d65bf49e1d1bfafd9535f1bba039d
SHA512 d7f119149f3f41051dc82215386605d76371f4c773b801363c228282e6264fb2bb9773c27c50d45f7528b546b00ebe3acda61a4fbe9a1f6b46fcad56b6f46547

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 9930d8d84ab1368c2ac32f4fb2dbbc1e
SHA1 a641380fb0bc4ad187d0dffb7b6c7ce274fce1fd
SHA256 72fe222762a6c032cec53d4f9d0cf955e2bd4cc8e93beb68603d5c45210a2785
SHA512 aca59a9e9bdaf2ad6affe5273bd6f4cad69dcd116a8cce7b5fe9507825a8becbf2c6ee18b13b5a5acaa98fea113dfc359c174d7c30828a129a3b6abe27e5de4e

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 685a67e41c1ff3ba47a218b898480fb6
SHA1 65d5cbabec7b6d933c5df9d861e6de8eeb9df905
SHA256 21d3a5b479561231067c4e3ea4088f069039c9615e228dd714f6e2420b8abc82
SHA512 5e638148afbcbb52dd2c3c7b171a912d67b67c2e824305f247488a340ab77e7c4706ab9984fa125ea2f82f3a713e9ea1fde745e94a9fe8cd6f50d4723e1d97df

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d8e9ef307600f52ad2cfca1616f9e183
SHA1 71078c6fb2384640148f8dbb3fac9ed0dd28b84a
SHA256 d44928d3074ffce4b37446a949d8e0a2e2d56e639de2801409b2c2be239b299a
SHA512 fcf085526e17d635f217de934b5e5df723f2291e4f9e241cbaf0b606d291d486d8f8a9af1cd776e1e02744c307aa1507ce16fe619c1ba7dc25c6500faa6fecd4

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2c8ddf7d0c4f1f3b58c1c9775b754a87
SHA1 a31aae10f4fc33410165ab954e61177448dc722f
SHA256 53cc18619e01650460ea20d7d00040b1b4b480d6bffd0e48b2bfba7a7719fe95
SHA512 5f855b9a370e73e613c59f249504737b87042d2eca537ce4de280841feba6c9e32c717081eae6871426ebc083df1284f6ab201c3c952f5cb7a5bdafecca8ee9b

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5bf0b5cd02e23c85e043cc9e705b15a8
SHA1 bb1cdd136eb101ce9bca069dbd0b6dbb2465c2ed
SHA256 9ab7b9bad6da333efdc334ab71001d26227bb41a1c5f52698ff0f469a7dafb3c
SHA512 111f2a4f76f210a63e4ddb9cbb33e33c974b707d079324a7950a53d732f0ae5366ef1cc32f94219d39c8f36c6282c782f8de7320306ffd6b9e354ccd1911eb45

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 82b1fa57bd1d7a09df0d3e3961565400
SHA1 8d8abd1b2a3813dde18e2736e9ef20d6221b0176
SHA256 89c73b5ad1c1fe267e2a386cff43928d0ac0095fc2d3143d9ef9842b66590824
SHA512 3e1d378c54d6aa09972af9764fbabaaa9a2d4e467f7837066d3288a3a0c0a10861eb1d5e007e1970e94a8e835497c420f9428006bb5585682d70d14e11654031

\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 ae6f81b1735218b73967d2db100644b9
SHA1 4700b66ca1336de26b056a918d2d8ec9fb6501cd
SHA256 e998a4e92b7a9a98f406813b3a1d974eb07f40ccd6a44c5217635a5d52f20d7b
SHA512 bec487cab2e06e8b65e30c00031d4ce8327af51480e0f91c1cd9cda5c224222ea09b660ec5eb7e446461f9568be6fec13e832ef114b4da59987a230e11599c59

\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 078a9ea200315e48618d5bec71f4eb49
SHA1 4070bc5666709b6974e686cc3f08d91f3d309b9a
SHA256 25b7ed60bac04c2b9d96691dd5ac5f47c0449380a84af06fe635272bc2cb195b
SHA512 f5fff7d601958c3c807baa30b5f9dd5d8f196fc1fbd2f33b91da887f89393594f7ae772e8a93dc3db16762e46fed377e61ccd34b4c2ab15a6bfb8e5a78e77874

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 0812359cbb97c26307d59a2c938fc9e0
SHA1 aae81dc050dfee6dfba66246087f087810c2c292
SHA256 558b7c9d913bdba52e4e049cfe4ff406a1123dea4e47ce9d2af9a2a1a55d49a2
SHA512 d721596b7e5b97c0c89053981d8d8899890dcb5d2916a1f8b29a092b1266bfb1973a45d89663729985e826b71ba61a98011254ee186f17d369ef13eb5ec6869c

\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 e352fd3c082ade70132a39c470db6e39
SHA1 8cef92158f960c35de968a58e0aa4c3268d3876f
SHA256 bd682455e8dcfc83a866bc1d86c0f45c21c2765a57086226d6fc9381de937e2b
SHA512 21ee8e0bed8b1333cafadee8f9aa9d27594714b85aeaf34f3a518feb882f91dd52f22baebf8288ff09ae2fba7c5db580de59f721b1bcbdbb965ecec7102df26b

\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 caa7d8c52ebc6e04d4d33dd8f4eceb72
SHA1 30e0e74741fd4936e3946d1b12df588a307ddfd9
SHA256 066d9bf3778573c30165f1ab3246faa7c8dc056ecb97c496f570bdebf9475925
SHA512 f8cb9fec3d7d782ec78e43bef01ac6fafd34f45ea47e182989646171d61586e4666ce668f43417a5f5c7d1f3ba54cb837d95ff61fa42ed9f02bd3c876f4def7e

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

MD5 b2f3f214e959043b7a6b623b82c95946
SHA1 4924ee55c541809f9ba20fd508f2dd98168ffdc7
SHA256 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29
SHA512 c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

memory/1764-329-0x00000000002A0000-0x0000000000BE8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

MD5 dee63473a06ba61e8c176166609f3dbc
SHA1 40d399b25974e5d969a1f97604b35e93e19b82d3
SHA256 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
SHA512 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c

memory/2656-454-0x0000000002460000-0x0000000004460000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 d6268edb1d41560bedd57e013cc46f14
SHA1 3bf6f8d81116efe2789369a684f7d4f8f5988769
SHA256 4edf6197e809664c8f5bee7505ebcf8f7cca2e0926d6163352d0eb2e9e32c41b
SHA512 e2ac56e85456ed995ed105251f61673ea844721fc05f6e0fb2af329715adaa7dc6d012efd12f63692b1ff69db1f55021f090647ec27e233ddb6363bdf5a3c2b8

memory/1084-464-0x00000000000F0000-0x0000000000144000-memory.dmp

memory/1384-466-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1776-469-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2840-473-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/2840-477-0x0000000004730000-0x0000000004770000-memory.dmp

memory/2656-482-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1776-486-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2840-489-0x0000000004730000-0x0000000004770000-memory.dmp

memory/1764-496-0x0000000073FD0000-0x00000000746BE000-memory.dmp

memory/1776-488-0x0000000004C30000-0x0000000004C70000-memory.dmp

memory/2184-487-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 22cb5511adc8457985a804f1940d5a74
SHA1 201fd9c01f56930e248330b7dfa8bcf6e4239971
SHA256 9e92a7f052d01b8de0646b5d1805f22360b3a7074dbfcf62924133c0a58f1c7e
SHA512 338a17a2845ad114f8d06452e6342fb2be892062305f75e66dc7e1db3b93e7d4c66fd5cae935b64843e36a464fe805240adea1a0960e3d7f47e86a749279f668

memory/2840-481-0x0000000004730000-0x0000000004770000-memory.dmp

memory/2840-479-0x0000000004730000-0x0000000004770000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab67F9.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar6ECF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\nse4A89.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nst789B.tmp

MD5 444c5adbaacbe3b46582adbaab8848e9
SHA1 27a7eb3f93b9f210eccbf4660c280248f154a5bb
SHA256 adcfbb7fe5cd4792e4c182b580e4437c8c491416e921597e852859eb29e2e0a2
SHA512 f393042f85b2df6a4fb8ae928ee2a9099cd4c9f6a58f03c8ae45001625f140ebd9b0ec96e0c9141d6506187cae3cea63504f1b4c3f41c8d9c461d63ad5bfe05f

C:\Users\Admin\AppData\Local\Temp\BE7F.exe

MD5 f6304a26d04bb93807ce226ae4d2b0e4
SHA1 b61fa453a54b088d8bd138e004364435e00678d1
SHA256 2e22574ce65eb936693a3f0161b38470b054d7dcea5fa1df46357dc37debefd7
SHA512 6b4f1d1f8c6899ab6d948155f7de30d0138af5c486e1bcccd2cc49fb9de23059977fd5b76aef8214964434478e6eebf4d683963644dd975eeba6b556e4a2c41b

C:\Users\Admin\AppData\Local\Temp\DDE2.exe

MD5 6c49c55e6ea1e7b5fa6cb618df503d71
SHA1 3e3c766506ea031947b4f9dc95e4d2bdfc2e2faa
SHA256 0d0063de8ae9b402a51c3c91bfeac5e0455799ab8ed3721ebe13de7621ce2390
SHA512 a24e23bdeaa72c6d6012d7739e5740f8882af7e9e9fc34c542db032f30b4c44c81df14ae3160cdec47e0f00d6efc2562d3174f2fd3f731cbcce72a1fecb368cc

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 06:11

Reported

2024-01-26 06:13

Platform

win10v2004-20231215-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Windows\windefender.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Manipulates WinMonFS driver.

rootkit evasion
Description Indicator Process Target
File opened for modification \??\WinMonFS C:\Windows\rss\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
File opened for modification C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A
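The Run value earlier in this section (a value named csrss pointing at C:\Windows\rss\csrss.exe) and the two files dropped under C:\Windows above are the same trick: a protected system binary's name in a directory where Windows never puts it, so a casual look at Task Manager or autoruns output reads as normal. The following is an added example, not code from the sandbox or the report: a Python triage filter that takes rows in the report's own flattened row format, flags protected names outside their home directory, and flags typo-squats of those names (the loader path explorhe.exe appears in the WriteProcessMemory table later in this section). The list of protected names and their directories, the 0.85 similarity threshold, and the last two sample rows (the explorhe.exe drop and a benign control) are the editor's assumptions and constructed input; the first three rows are copied from the tables.

```python
import re
from difflib import SequenceMatcher
from pathlib import PureWindowsPath

SYS = ("c:/windows/system32", "c:/windows/syswow64")
# Binaries Windows itself only ever places in these directories.
# Assumption: the editor's short list, not an exhaustive one.
SYSTEM_ONLY = {
    "csrss.exe": SYS, "smss.exe": SYS, "lsass.exe": SYS, "winlogon.exe": SYS,
    "services.exe": SYS, "svchost.exe": SYS, "conhost.exe": SYS,
    "explorer.exe": ("c:/windows", "c:/windows/syswow64"),
}
LOOKALIKE = 0.85  # assumed threshold; explorhe.exe vs explorer.exe scores about 0.92

# Row shapes of the "Adds Run key" and "Drops file" tables, as the flattened text presents them.
RUN_RE = re.compile(r'^Set value \(str\) \\REGISTRY\\.*\\Run\\(?P<name>\S+) = "(?P<val>.*)" (?P<proc>\S+) N/A$')
FILE_RE = re.compile(r'^File (?:created|opened for modification) (?P<path>\S+) (?P<proc>\S+) N/A$')
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.exe', re.IGNORECASE)


def unescape(value):
    r"""The report JSON-escapes registry string data (\\ for a backslash, \" for a quote)."""
    return value.replace('\\\\', '\\').replace('\\"', '"')


def check_path(path, context, proc):
    """None when the path is where Windows would put that name, otherwise a finding dict."""
    p = PureWindowsPath(path)
    name, parent = p.name.lower(), p.parent.as_posix().lower()
    base = {"name": name, "path": path, "context": context, "process": proc}
    if name in SYSTEM_ONLY:
        if parent in SYSTEM_ONLY[name]:
            return None
        return dict(base, verdict="masquerade", expected=SYSTEM_ONLY[name])
    # Not a protected name: is it a typo-squat of one (explorhe.exe for explorer.exe)?
    mimic = max(SYSTEM_ONLY, key=lambda n: SequenceMatcher(None, name, n).ratio())
    if SequenceMatcher(None, name, mimic).ratio() >= LOOKALIKE:
        return dict(base, verdict="lookalike", mimics=mimic)
    return None


def scan(rows):
    """Run every Run-key and dropped-file row through check_path; findings in row order."""
    findings = []
    for row in rows:
        m = RUN_RE.match(row)
        if m:
            exe = EXE_RE.search(unescape(m["val"]))
            target, context = (exe.group(0) if exe else None), f"Run value '{m['name']}'"
        else:
            m = FILE_RE.match(row)
            if not m:
                continue
            target, context = m["path"], "dropped file"
        if target:
            finding = check_path(target, context, m["proc"])
            if finding:
                findings.append(finding)
    return findings


ROWS = [
    # copied from the report tables
    r'Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A',
    r"File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A",
    r"File created C:\Windows\windefender.exe C:\Windows\rss\csrss.exe N/A",
    # constructed: the loader path from the WriteProcessMemory table, and a benign control row
    r"File created C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe N/A",
    r"File opened for modification C:\Windows\System32\conhost.exe C:\Windows\System32\svchost.exe N/A",
]

if __name__ == "__main__":
    for f in scan(ROWS):
        extra = f.get("mimics") or f.get("expected")
        print(f"{f['verdict']:10} {f['path']}  ({f['context']}, by {f['process']}) -> {extra}")
```

windefender.exe deliberately produces no finding: it is not a Windows binary name and is not close enough to one, so it has to be caught by the other signatures (dropped by csrss.exe, runs as a service) rather than by name. The same filter applied to live autoruns or Sysmon Event ID 11 output only needs the two regexes swapped for that format's fields.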

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\System32\Conhost.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" C:\Windows\windefender.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" C:\Windows\windefender.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4468 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4468 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4468 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1948 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 1948 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
PID 1948 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 1948 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 1948 wrote to memory of 3036 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3036 wrote to memory of 4984 N/A C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1932 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1932 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1948 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 1948 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 1948 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 3552 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 2016 wrote to memory of 5032 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\system32\conhost.exe
PID 1948 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 1948 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 1948 wrote to memory of 4832 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
PID 1948 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 1948 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 1948 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3100 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1948 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 1948 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 1948 wrote to memory of 724 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
PID 4984 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4984 wrote to memory of 1228 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe

"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4068 -ip 4068

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 372

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760

C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp

C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 288

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6100 -ip 6100

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 440

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5308 -ip 5308

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 744

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5492 -ip 5492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 1208

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 768

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 784

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 624

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1760 -ip 1760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3524 -ip 3524

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3524 -ip 3524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 788

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 672

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 372

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 636

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 912

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5640 -ip 5640

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 972

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 988

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5640 -ip 5640

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1108

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5640 -ip 5640

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1124

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 144.76.1.85:25894 tcp
US 8.8.8.8:53 85.1.76.144.in-addr.arpa udp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
DE 185.172.128.19:80 tcp
NL 80.79.4.61:18236 tcp
HK 154.92.15.189:443 tcp
RU 185.215.113.68:80 tcp
NL 195.20.16.103:20440 tcp
DE 185.172.128.33:8924 tcp
US 172.67.129.233:443 tcp
DE 141.95.211.148:46011 tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
DE 20.79.30.95:33223 tcp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 zeph-eu2.nanopool.org udp
PL 51.68.137.186:10943 zeph-eu2.nanopool.org tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
US 8.8.8.8:53 186.137.68.51.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 104.21.23.184:443 tcp
BG 185.82.216.96:443 tcp
US 8.8.8.8:53 233.130.159.162.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 184.23.21.104.in-addr.arpa udp
HK 154.92.15.189:80 tcp
BG 185.82.216.96:443 tcp
RU 185.215.113.68:80 tcp
US 162.159.130.233:443 tcp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 40.119.249.228:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 5.42.65.31:48396 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 185.172.128.90:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 5.42.64.33:80 tcp
US 8.8.8.8:53 udp
N/A 40.119.249.228:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 173.222.13.40:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 172.67.141.68:443 tcp
US 8.8.8.8:53 udp
N/A 94.156.67.230:13781 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.179.193:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 172.67.173.89:443 tcp
US 8.8.8.8:53 udp
US 172.67.129.233:443 tcp
US 8.8.8.8:53 udp
N/A 20.12.23.50:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.166.126.56:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.12.23.50:443 tcp
BG 185.82.216.96:443 tcp
N/A 20.12.23.50:443 tcp
US 8.8.8.8:53 udp
N/A 88.221.135.217:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 81.3.27.44:3478 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

memory/4468-0-0x0000000000690000-0x0000000000A98000-memory.dmp

memory/4468-1-0x0000000000690000-0x0000000000A98000-memory.dmp

memory/4468-2-0x0000000000690000-0x0000000000A98000-memory.dmp

memory/4468-12-0x0000000000690000-0x0000000000A98000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 fb69be017bf357f8211ddfa76078dc36
SHA1 45964800a8901af84850316c346989a0750fc999
SHA256 d150feabbcc4aae5491e6488b7a88be4f31041b410a07808f27f700c3be8ebf8
SHA512 f9c27cfa7734e790e80adc35fe490c4da7651a7971e6728e7f08596d43db630673cd612f3d5dffa21173e0d04d52e22a2bd2dcb060b4c37f5cc48b745db0a105

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 53412bbb102473ebadf7880a25578597
SHA1 a785805f6fb0598479b5cf827cd50ba1da3418b6
SHA256 c66143cda121f20fe1aff4faec2c0a782fc097f8e7b3f38620c5229436c5c789
SHA512 beb230c277985cc6862677c33aa8e9a6edce4b2a2e70144545ab9d85f2b5652c5507678cd5f522866c60fe0ff6c346efb0c76911a9d698608088f6ae73270041

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 55aea01f21ac2e8806639583eaeb349a
SHA1 8cde033cac24e9c978885e7156b3627d48689418
SHA256 8773febcde56930d27222f3bdd3e15d420cdb07fa03acbc9be0838d44ef73613
SHA512 23881714c79fe530f9e6e375b65610a8cbf40e22e154e49bbe8fc434dab46ffce65275df1bfa347447e84eeb2d6a1b15cd5173881a7fbd086200134acb3d5e3f

memory/1948-18-0x0000000000580000-0x0000000000988000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

memory/1948-16-0x0000000000580000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 5be010fcbca732027b1827d951ac1809
SHA1 f4f814e8d012beaa508bf66fa253320a4386fab1
SHA256 a7b9aa9c5570a94b84ef8bdb32de2de144d9ec664fcac3562fe824ea2c13a64d
SHA512 d9d62c5c4f817a63bbfbf17bdfc205b1390052ecdf931b4795fcdff18e41bb80e22a9f89d1a2f8452d7e765233597ba21d1b191fc17b33ca6903b37edfe4319f

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 0b4fe42f318029cc59f6d042b1b477c0
SHA1 6fa25e328499ff9ee6041fc8210965edf8850da2
SHA256 cc1188de2b5f2a21cf8a93367fec453d5b84aa3c609ef778949e73768c2ad18f
SHA512 0811042e16693b5d37b315376c16bfa8df60cb7f1721d3865f2912988f2e93edc80aac127a25f4c42b0f469a424947029f1c2ea4b6e3c3b5546b027c6778911f

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe

MD5 a01a91a8e82f826f8e18da57442c2c1b
SHA1 0a68fbace281435e18db380769b8884926ac7056
SHA256 d2ea0f68c1b550d503370fb280914edec7a5d190487a37d6c71dd60f784361bc
SHA512 15b696d073a9eaced5d1c7f588aa594adcdbc77043cdd8a243d573d378166397dbd121bd1b2aec4d8f3c42d7e45352db930ba9581c4650c9d854a7a2780f55cd

memory/2740-39-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

memory/3036-59-0x0000000000460000-0x00000000004CC000-memory.dmp

memory/3036-61-0x00000000028A0000-0x00000000028B0000-memory.dmp

memory/3036-60-0x0000000073780000-0x0000000073F30000-memory.dmp

memory/4984-64-0x0000000000400000-0x000000000045A000-memory.dmp

memory/4984-67-0x0000000005C70000-0x0000000006288000-memory.dmp

memory/4984-70-0x00000000056A0000-0x00000000056B2000-memory.dmp

memory/4984-72-0x00000000057D0000-0x00000000058DA000-memory.dmp

memory/4984-73-0x0000000073780000-0x0000000073F30000-memory.dmp

memory/4984-77-0x0000000005760000-0x00000000057AC000-memory.dmp

memory/2740-76-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe

MD5 1e17144c5aa7340c87eb4d28a350c0d0
SHA1 cf8ea5439024864d0b0887841fc68bd0849578ba
SHA256 4a1d10b3aed949328b64f9515d3b744342de2238518d5960e3b293a2fe890edc
SHA512 dae090fb16f5e2ae7d6f1073b63f2a888f3da6c89360a68ea74d2f3a33da94183640b9e0f37653299e3e9502da152e7ff1244942de7da11d4ffbac2ff796f611

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 918da0105549aac3409ac0a601fa8c8b
SHA1 99ea14c67138d423cfc8b37f8bb145fc3df6355b
SHA256 511189e2f3f4641f07806100751b5fcdc2532e48076d32a7b2da7f6472efcb67
SHA512 2a107938329911ffc6d8efd6d0d19d462adc3ec0289b0f52b8e3f829f7ff8ab8f51a2a27399a9400f35483b5fdb46f78769189f98d00adbd697d78d0cbf23d5f

memory/3552-101-0x0000000140000000-0x000000014000D000-memory.dmp

memory/3552-102-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1168-105-0x00000000002E0000-0x0000000000332000-memory.dmp

memory/3552-106-0x0000000140000000-0x000000014000D000-memory.dmp

memory/3552-104-0x0000000140000000-0x000000014000D000-memory.dmp

memory/1168-103-0x0000000073780000-0x0000000073F30000-memory.dmp

memory/1168-111-0x0000000004C40000-0x0000000004CD2000-memory.dmp

memory/4984-112-0x0000000005AD0000-0x0000000005B36000-memory.dmp

memory/5032-114-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1168-118-0x0000000004E70000-0x0000000004E80000-memory.dmp

memory/5032-117-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-119-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-121-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-122-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-123-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-124-0x0000000140000000-0x0000000140840000-memory.dmp

memory/5032-120-0x0000000140000000-0x0000000140840000-memory.dmp

memory/1168-116-0x0000000004C10000-0x0000000004C1A000-memory.dmp

memory/1948-115-0x0000000000580000-0x0000000000988000-memory.dmp

memory/2016-127-0x00007FF669250000-0x00007FF669C8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe

MD5 d9b18b522917365fcc3d323da23f4b66