Analysis Overview
SHA256
82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f
Threat Level: Known bad
The file 5c1e965d21ddfb6972824827a6ad3ed5.exe was found to be: Known bad.
Malicious Activity Summary
Amadey
ZGRat
RisePro
Glupteba
xmrig
Detect ZGRat V1
RedLine payload
RedLine
XMRig Miner payload
Downloads MZ/PE file
Stops running service(s)
Blocklisted process makes network request
Modifies Windows Firewall
Creates new service(s)
Modifies file permissions
Executes dropped EXE
Checks computer location settings
.NET Reactor protector
Loads dropped DLL
Checks BIOS information in registry
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Manipulates WinMonFS driver
Drops file in System32 directory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 06:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 06:11
Reported
2024-01-26 06:14
Platform
win7-20231215-en
Max time kernel
167s
Max time network
183s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2424 set thread context of 1048 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 2424 set thread context of 912 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {B66B5301-23A4-494E-8CAC-0434A042401B} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 604
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1352 -s 264
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 604
C:\Users\Admin\AppData\Local\Temp\nst789B.tmp
C:\Users\Admin\AppData\Local\Temp\nst789B.tmp
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1376 -s 88
C:\Users\Admin\AppData\Local\Temp\BE7F.exe
C:\Users\Admin\AppData\Local\Temp\BE7F.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\e6aba1ea-de9e-4a06-878f-429825eb2e30" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Users\Admin\AppData\Local\Temp\7861.exe
C:\Users\Admin\AppData\Local\Temp\7861.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
"C:\Users\Admin\AppData\Local\Temp\DDE2.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 45.76.89.70:80 | N/A | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 144.76.1.85:25894 | N/A | tcp |
| NL | 80.79.4.61:18236 | N/A | tcp |
| HK | 154.92.15.189:443 | N/A | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| DE | 20.79.30.95:33223 | N/A | tcp |
| NL | 94.156.67.230:13781 | N/A | tcp |
| NL | 195.20.16.103:20440 | N/A | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| MX | 189.232.10.46:80 | brusuax.com | tcp |
| DE | 146.0.41.68:80 | N/A | tcp |
| US | 8.8.8.8:53 | racingcycle.net | udp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| DE | 141.95.211.148:46011 | N/A | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| US | 8.8.8.8:53 | ftsolutions.com.pk | udp |
| US | 64.31.22.34:80 | ftsolutions.com.pk | tcp |
Files
memory/2752-0-0x0000000001050000-0x0000000001458000-memory.dmp
memory/2752-1-0x0000000001050000-0x0000000001458000-memory.dmp
memory/2752-2-0x0000000001050000-0x0000000001458000-memory.dmp
memory/2752-4-0x0000000000620000-0x0000000000621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 5c1e965d21ddfb6972824827a6ad3ed5 |
| SHA1 | 3267ccd4de8c23ab99433235d5529937409162e7 |
| SHA256 | 82b89bb8dca3aa64c2dd76ce7b654ac62e916bed5e49ee456a21b3cb2b931a5f |
| SHA512 | 2cf327b300952bcfedd43a6410fbd45593a449add6493fb8ac2ae86b5571ec531a921ed859c2ce2d84505ba7523e8b7d1264a893fc48ff8bfa9481d875718fa0 |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 86dcf064474fd20f25006f96ab661f01 |
| SHA1 | 69375b55e39c2bab40cc6da7896762a56d631d91 |
| SHA256 | d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc |
| SHA512 | 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963 |
memory/2752-15-0x0000000001050000-0x0000000001458000-memory.dmp
memory/2748-18-0x0000000000D90000-0x0000000001198000-memory.dmp
memory/2752-14-0x0000000004BD0000-0x0000000004FD8000-memory.dmp
memory/2748-13-0x0000000000D90000-0x0000000001198000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
| MD5 | f8f73b867727ba2da6db30a8951282bf |
| SHA1 | 77a9013dc3956723e24d571ed32719050c788c91 |
| SHA256 | d053de48d37ac29071fbc230adb897b80160a88d381322ec2b00f9177d1ba0cf |
| SHA512 | 3bf166d8706aecc7fec785848f465b0c5d6d2f9b9a9f1be0c73eefe2c2dbaae6f7c7ba8231b9f90ebcbb56ec18dcc1229c4381e0ef36c58a1ca6aa4d11d1052e |
memory/2748-33-0x0000000004880000-0x0000000004D63000-memory.dmp
memory/392-35-0x0000000000E60000-0x0000000001343000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2748-46-0x0000000000D90000-0x0000000001198000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | d09b17634c4c041cd155b573db9407e1 |
| SHA1 | 559e08af74dc0dbf4320da35b3be6c7da3693546 |
| SHA256 | fc933130eab350154d0939ef56ed5944ddcd0b909e1283b9b33fa884fbcd2750 |
| SHA512 | 8d7a77718dc977b559a589ebde2c08073a92e22b16d5ff309801c396d2e41db4e639d24155bd39d73de5b5f7569e189ba781229fddbf606fe8604b49808a6352 |
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 2660aeb7a3b635dc3b1b2f9a920d75e3 |
| SHA1 | 7c8cf8fa75447c55b9c09b2c06623f6b11d3d533 |
| SHA256 | ddf3d083c24276901c4663da43bf3c51ed20875c3e5cfe33cf402e8a92c8f1a6 |
| SHA512 | 7316edbfa44790b3b02f6e84c1750d14f3b8e8193b9a518f7240326c83c611e3dfd196e1c1b76a69268f16acc663a49404973df331ca3e5935d04f700df14871 |
\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 8677f564a90c3fce16f04f115aac94cf |
| SHA1 | d8a837dd45f998a2d94349caa11db71503920ba6 |
| SHA256 | b84b9e7cc4910b6316bc9799cb3663a2856aecfc2caa2d37bd4da40d97a96a73 |
| SHA512 | afa5587c4e41122b025675f520eda201d5f4198e50b3848f6d0933fed6c71d219fdf3f79cf0ea89a1600086d669eb4a71aded900d3f0cd27e6752d0baccfbcbd |
memory/2748-63-0x0000000004880000-0x00000000052BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 3590c8c90e84dd350e0558f1fa93d192 |
| SHA1 | 2f4bc18c0030d10f93cb9b259bacb1cf18b5991a |
| SHA256 | a7c05eb9170e76fda3d76e283ec4226ba8d32be41e173e78bfaa5b779a4f7203 |
| SHA512 | f9f7ecdaf789302b584c3a491778ee26b940fb47d77871a3753315aca3ff8fca115c0d88ebba66e1c61ed7e042a9fc9948e85ebd40a1298c2b1dbcd512f8bd6a |
memory/2748-64-0x0000000004880000-0x00000000052BD000-memory.dmp
memory/544-65-0x000000013FF50000-0x000000014098D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
| MD5 | 2c470494b6dc68b2346e42542d80a0fd |
| SHA1 | 87ce1483571bf04d67be4c8cb12fb7dfef4ba299 |
| SHA256 | 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9 |
| SHA512 | c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5 |
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 94a874bece82ea6cf8c7f94e1d83e513 |
| SHA1 | d0a6f872a8984139a546e2ee1c27f3886747c2ae |
| SHA256 | 878c8859220f4cc7cc90df5629c2f3d38a0a0da0b658a7231c35184ccd2c0e23 |
| SHA512 | 7de6ae3bc94e0112eb27acc39e97671bd3b4fd9bb63d1f12c30d06be610ee74e266be0f435892e398a7ec50b9b0012f4e2b7b62358ad95dfef2ea4129a69bd3b |
memory/544-98-0x000000013FF50000-0x000000014098D000-memory.dmp
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 8a8da349580e781a1bd80b74baf61b98 |
| SHA1 | 1868d8425881d334b6b6ac1e754cb788025f237f |
| SHA256 | 9b04c797292ee092ea8d6d35981552e189e3f067e8144ef186a91340a9b63cad |
| SHA512 | 863f95d34647e2576c5a97b510506fd1e94ad2bcd97d439ef4486b998a08ec0d932236d1b198a2a988bb1b2878fc2bd021e9a85376b6f9fc70ba51a381d8c710 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 07ca98b8a7f68122e4a2619882d9957c |
| SHA1 | fa949b30ad5ea4f7f3c85f4a9a97694326bf5369 |
| SHA256 | 09f169f6581338ec15bfc896736426cec166b5ec1c6f1c240b8c748b04275533 |
| SHA512 | 1dbd9df53a7bc137ae892813bce772cfe864c7d15fd789e95d85c8b0bb513373a68e05eb59041b1d236ab23e26b2e4fe8790fd64ba4bfc8840de4d016b3ac2c6 |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 9f0e16fa099aa8c28e38f73c4be95d4a |
| SHA1 | ae9d30236420c0941d73b9eaa064abbd4ed11da5 |
| SHA256 | 9224454094f913f297602730b57de65db7041f9ddb4530cd37434fe02ac7538f |
| SHA512 | a27aa80ea96a6d852a0aed9fe9a70bcffdb560786f789be418252b0bf1dc00881e8413e5781fd92bdd924997d7f8ad0cc7886df925a0e18540aac9ecfef72b9e |
memory/2748-102-0x0000000000D90000-0x0000000001198000-memory.dmp
memory/2424-103-0x000000013F5D0000-0x000000014000D000-memory.dmp
memory/2748-104-0x0000000000D90000-0x0000000001198000-memory.dmp
memory/1048-109-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1048-108-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1048-107-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1048-106-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1048-105-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1048-112-0x0000000140000000-0x000000014000D000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | e32e9cb01f0f50e7a6fd396fcd01cca8 |
| SHA1 | 3488f9c0589ec7a355cf05035cee635092c37a6b |
| SHA256 | 0b1a8954d754df59dd7ebf80d58398c458d4883e1fefb2549eb05a600da0fb28 |
| SHA512 | 7a8f83f83c8f0d52cb18070a6a6a7b624e511171d59e28c1d816dbf931f83bf96905c5890ed6f60ad1ee8ee2ba8f04d6803078aeb8a63faae3fdd0489977e9f9 |
memory/912-115-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-113-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | 7422f7694ddc4096a916d8cc21f8500a |
| SHA1 | 6fe68d845edf90817792317a8ae50cc63c253fe0 |
| SHA256 | 89281abfb1056eaacface8a016d278643a3efc09c1ede9a3170f27356d7b8e21 |
| SHA512 | 51b01bc49c75c093176e2926fcae8f8f7075fb49bc11f8621eedfcf99f261c73de5f1cfbacf7e9668e059a123c892d58c9e773fee36335be05f2db5cfeb4eb5e |
memory/912-127-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-126-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-128-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-116-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-130-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-131-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-135-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | 9c50787afcfe05bccbc677939420a8ab |
| SHA1 | 302839ef6920772afc05a381bead457402a51341 |
| SHA256 | 95da1f5821a2ec20854bb54e2af47e2d546f498bc4f0d0ae49dc1a66409280a4 |
| SHA512 | 749c9f5e1e4f40efe95f9748988adad4445d9e8972f6f8dfc668bf22efb6d05ea4935bb7d55592d4fde6a39d33e60918ee0a68632e52e23050e768c9d0ec16c1 |
\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | 6573abee7390dd46100ac8d6baac09bb |
| SHA1 | 0c454f4f7cce4b4c1def4c494a89da7a9bfca140 |
| SHA256 | 0a42c733489f9dba2a8c88633d4d72767ccaac8ab6d0bdb38c34c871c32cd45b |
| SHA512 | da5b48a652be203a36cba82e3c763595ae7d761152f4cd02d142fad7e5200ae823d9fe7a026d17e92ed0ba05066be773e93f4d3b820907655a503db0d4b716f7 |
memory/2424-138-0x000000013F5D0000-0x000000014000D000-memory.dmp
memory/912-141-0x00000000000B0000-0x00000000000D0000-memory.dmp
memory/912-142-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | a26ea4e6d5270125e955a738d0bf341c |
| SHA1 | 564548dcfc28c79ff48ef36bf21678947873dc95 |
| SHA256 | 770e32af61475604ed9ad342909c2a9f9e697e625ea7754fbb9547b951814db8 |
| SHA512 | 6fa2fed42bd4219f5df85e1e9ea82c9d256576173cb995760667cbe5db4ed2debf7b6d2091e7989e5dd86be6d26848cc4b8c141f3be7798fa5dde01c8e3c6913 |
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | 7f5536c3ea81a377293ffddd50129bf9 |
| SHA1 | a209c2c31876693ee8eaa144c40e4e8c6612e06d |
| SHA256 | 4434216d1c512a7229c769deeaffc1490a82f956fc83fec1ce21ffa090f429be |
| SHA512 | c29b3b818653ca36cd2350be2a9ce3fbcfec17ba0f8844fd819c5d4938bd1a1bd30c74c673cd918565f20308457d24081e6dc40a05d477f5afe40d458749edbb |
\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | a4d054446836e383eb0c7be8cae227cd |
| SHA1 | 01af82b28457a41cebba0592114970e62d2c3f97 |
| SHA256 | c36c6381b7a4e649fd5cc2eb50a5ce1479f1104d27679a35a660ed9c7bbbda90 |
| SHA512 | d4608db4a2b92395601f217510ebcbf1a05c06ca28bc15724c5fa68fbbda455ae65651f6204bb9b36f688d819806b669f60ce9b11dc237c53b5fa5b5689cf6f9 |
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | 90978afe7bedf36de2f51584c31e0e78 |
| SHA1 | 69e1aa356fdccbec0578937356ce1a3a1a4b7654 |
| SHA256 | ae52881f5b6bbbd3f6d577285b9db5f02675f8a5b06eb64a8afb1f2716844d5f |
| SHA512 | 391eb21269b99867dcefaad8ffc70d96520eaafb30749ca4b3a6266847a288c3c921e65fe6cc5b020f21e0a23bfc5e190ed95a746521d49dfbd68c7c43ff737e |
memory/912-157-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-139-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-158-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-159-0x0000000140000000-0x0000000140840000-memory.dmp
memory/912-160-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1744-163-0x00000000011D0000-0x0000000001226000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | c3efa951c7a7701d71d7409d3f90de43 |
| SHA1 | aa3901104e19c0617aaad428e39035a8e28a6f68 |
| SHA256 | b10b275bf6b973546780a206d862d31d7da94ad054e95ccc03f4fba11995c4cd |
| SHA512 | 2efd9428a110daec0b9ca24680275dabdc7f6dc1413165642c2d56b5042f36cd502d71571e2db0da5140e849fe86f861e2e646051d6d128fe542fb0d591f4b4d |
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | 135e456d4a7fcd688a685e6551d675ae |
| SHA1 | 4962ca2c529c11977f7c7bdfdd8273839fd8782c |
| SHA256 | 961f4f8c93d9bf713365b6e88e791a5f02a423a818cccd168e7d86804f6e5d00 |
| SHA512 | bdfde9c92e64cde62d07525b2407aa85d668a9d69ac170913d01ba2066af1abb7c00f994a043bfafffdc51463107c6cb71f61042767ec7dcd56d095387478104 |
memory/1776-179-0x0000000004E20000-0x0000000004FCC000-memory.dmp
memory/2840-178-0x0000000004660000-0x00000000046A2000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | abba23d716f61ade1c2e9d25928f0fc9 |
| SHA1 | c71905206a937011627ac76dbe72c3cb2a0f9c0d |
| SHA256 | 1c57c168405c9324a906f1fd3b40a36814c815899150e64dad9e24e7414eb33b |
| SHA512 | 11363c783d9ff8ede1b5b8fbee5cf1d465a8cd8421d496c881ba15f55d2e8fd2bedbd84ded544239648abf75df53fe23abb0d228eb32466583ebbd5970e390a8 |
memory/1384-162-0x0000000000DE0000-0x0000000000E32000-memory.dmp
memory/3016-161-0x00000000010B0000-0x000000000111C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | eb4da02fa30cef5e8ab727042a3b9335 |
| SHA1 | 21a2f60db4bd3403e24640dc4dcdb68333839d85 |
| SHA256 | b83eef2f58a52b710eab281fccbae316d9dadf84508b3ce85bd72cdef3dbac96 |
| SHA512 | 8eb9610af9d6ecc778e761dbb112524012c8c460756e33a7b01e86d69e4e68560328059a4172eae79f070d73ced0713c207b6d86b9dc402671cb402da881282f |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/2896-195-0x0000000000D90000-0x0000000001198000-memory.dmp
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 4f79f277a8354bc0fc18ffeb9174a841 |
| SHA1 | 4f2c6ae642bf8f1a6bc07ce65e0cc9ed9c7597ec |
| SHA256 | 2758f4d595530bf8ae579b2a055e98e703923d084fd70f306d29a2622a0b4c1d |
| SHA512 | 5e5e08706575060de5cfba6098ad089f56f4225f65a8d851eeefae1a578a2f42843c96491d375079e41c33c137bf64cd98513ca11670f6599a10af72b6179124 |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 57847c4c8c1136617f2426d2554ecbee |
| SHA1 | 3a6d89d9bc79aa5b85ac268735ff332371c69a25 |
| SHA256 | 4d8f042e6b26ee2bd3e76616f7a5909c98d0f99cc568b2be5214baa2aa78290e |
| SHA512 | a6219df1acf27020ff96acd39a4c92e1c6db4a3cd52ba1c4c0d7116268267f4ecb66ffb91d1ebf0ed051131d707749474e6783dd81ad228cd1338bf9497d057c |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 433036891e15f403d1da1c060d582c03 |
| SHA1 | 945d9271cdeb31fbaa3a520a6390af46b3aa50c9 |
| SHA256 | 0fcd33b2dd821dfd0110edbe56b6cfb13cbb28dadb4a94400affc6077240d531 |
| SHA512 | c663b5a010d082dab50498bbfd4b615825dde2a6f4f168d056d15a8c4afdf119c63d662a39583512ee71051df0fe5bb917de79aeb350a637f5450ab38876320c |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 93e30adb2df1a19448c3af78eeede794 |
| SHA1 | 1aa5f21e6bd658039a0a5c55abdfad97dff3079a |
| SHA256 | 17593f7fe2190c3f96bac0880b7d2b43f7c1391a9c4742e6b4c9d87a5ae0c5a8 |
| SHA512 | f4e6d3af4382ad46ae20f31303871e3ef488f6dd6fe7ab2f5cad164bb6c9e7c986f282a92d04f4c7495ac9134340a572ab6b4bfae9db530241c08cb362e47fce |
memory/2600-204-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2600-205-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2840-202-0x00000000046A0000-0x00000000046DE000-memory.dmp
memory/2600-206-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1776-201-0x0000000004C70000-0x0000000004E1C000-memory.dmp
memory/2600-207-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2600-210-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3016-209-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/596-213-0x0000000000400000-0x000000000045A000-memory.dmp
memory/596-221-0x0000000000400000-0x000000000045A000-memory.dmp
memory/596-222-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | b42b486e8e55035076114f5b8da97c63 |
| SHA1 | 98aecc3c7bfc55dff0f718769310eac122ae35e5 |
| SHA256 | 48701fb4c814e8f3e50efb83ad11bf30d8bf09dce0b990a5aa36f7b6603130c6 |
| SHA512 | 422de2a874389a44b1c92a07b7b5b8d8b1a7006ff919e4b513d5def827966a9ff698d9655315caa9eee1fc59d39fd69d799092c578ec7b06ec4228435879d77c |
memory/596-235-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1384-226-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/3016-243-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1776-244-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/1744-246-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1776-249-0x0000000004C70000-0x0000000004E15000-memory.dmp
memory/2840-248-0x0000000004730000-0x0000000004770000-memory.dmp
memory/1776-250-0x0000000004C70000-0x0000000004E15000-memory.dmp
memory/2840-247-0x0000000004730000-0x0000000004770000-memory.dmp
memory/1776-254-0x0000000004C70000-0x0000000004E15000-memory.dmp
memory/2840-266-0x0000000004730000-0x0000000004770000-memory.dmp
memory/1776-268-0x0000000004C70000-0x0000000004E15000-memory.dmp
memory/1776-265-0x0000000004C70000-0x0000000004E15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 9cfd3a72e354922513c723854e5728ee |
| SHA1 | 1f0ed12732d7adeb0a23d51052514c76ba8b3656 |
| SHA256 | dd187c9b62db78b37be02b33d43205624484707052a04829e59b18cffd9d9cd6 |
| SHA512 | 0a9b4d9a426d7d3c4e5702e1674e7129faa9d51020622ec813d72b62a26cddedf4a1d4e616e3c0ddc3cdd58c20d8e3d26d530d8b4989d7625c1ce8c8be9913c2 |
memory/1776-272-0x0000000073FD0000-0x00000000746BE000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | dc6872eacec5a6787f12e39e8e04ae2a |
| SHA1 | 1ec7528a1b051f434f521ef831b83545254c6f16 |
| SHA256 | bf91ec9080d52af7d3ccdec1e859f04308b7e3db3948f89ecd5695cf591149cd |
| SHA512 | 238c3119061593848be30ba8e0fdfcad93073831de4fc72bab31b35617e634c4f56a088cda46c04d1e2a15f7f86accacf58d8c0d9193cdd8af3cff2b5bb209e5 |
memory/1764-288-0x0000000073FD0000-0x00000000746BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 21eec361934eef3f509df55eccfc684a |
| SHA1 | 4ea2ae1cae9366f1d4f6cde7b8fc791eeb2dde31 |
| SHA256 | ab8a86f0064ad9a4b6c5315e5723a4857b8c57f0d0126a907cc50d7ea8ac8b6b |
| SHA512 | bc9e4b7e23b03e02c88b2dbbae2ae9c233cdff7488f08fe779242653db0545605f8d271e454824d91966fc62252c846bac2b9f3b4eef73396fce050a741bc7c5 |
\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these four values are the standard digests of zero bytes, so this capture of latestrocki.exe had no contents when it was hashed. Do not use them as indicators; the other captures of the same path in this listing are the ones with real contents.
memory/1620-292-0x0000000004890000-0x0000000004936000-memory.dmp
memory/2748-294-0x0000000004880000-0x0000000004D63000-memory.dmp
memory/1620-300-0x00000000049A0000-0x00000000049E0000-memory.dmp
memory/1620-298-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1384-275-0x0000000004DC0000-0x0000000004E00000-memory.dmp
memory/1776-256-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/1776-252-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/2840-245-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/596-242-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1744-241-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/596-238-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | 4a216adeea2835984a59e69609ea40ed |
| SHA1 | 4e851650de9fa9ef64a03f4df29cba58dd8684a1 |
| SHA256 | 239bd98dbbf2f8f3fb4fc2f2adc5618873cb9d9cc3907691328f3dcecc0c70cb |
| SHA512 | cc4b296be8be82fdccac885629be9ab397bbac84ccbb9d6d2475e30864839805569a05f5dea7433b1b7a97e402640c8cee68538793d7d9cc482ef4b027f9bdb4 |
memory/2600-219-0x0000000000400000-0x0000000000452000-memory.dmp
memory/596-216-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | f9485be2fa41f3182adc887ebe8d58c2 |
| SHA1 | 2da0ddc3dd609e714b8f73145294103ae455bc18 |
| SHA256 | e5abeb781f3ebfde7ca4ed6dad2cdba9bf5574c7b103fd679c83affd7562a527 |
| SHA512 | ac72b0794def32d3fdca378525f380d8828878d8a217dc70371e8486e72afc926d32eeef33c7798693609a567c2c6e7ac69173c667aa12098f2afd9bbea4be00 |
memory/912-312-0x0000000000110000-0x0000000000130000-memory.dmp
memory/2600-215-0x0000000000400000-0x0000000000452000-memory.dmp
memory/392-214-0x0000000000E60000-0x0000000001343000-memory.dmp
memory/2748-211-0x0000000000D90000-0x0000000001198000-memory.dmp
memory/1620-326-0x00000000047E0000-0x0000000004886000-memory.dmp
memory/392-336-0x0000000000E60000-0x0000000001343000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 0e9b7cb9d45b4d226b6f44a327f8b6a0 |
| SHA1 | 71ba48ee79d0363ab538978cf67b2446491bffdb |
| SHA256 | 95db0356e78e71d4b3943d0bffc00ed8cc3677d7272dfef5ac563cf7b4b5e8cf |
| SHA512 | 518e6379846bb72e51990aa95e167085ee873d9f7b52bdbf44e960d2c60d2397bf51af2d7b15e968bb58e3d627fb8a974baea8ec918ea57b783b49222b9b409f |
memory/1620-339-0x00000000049A0000-0x00000000049E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | ca482e935995aa63660830599b18a68a |
| SHA1 | 252533e8c6fe18827c1cff2ae8ff3065d946116b |
| SHA256 | 9165784cf9e175b0332826a529480b6b2da8ee1ec6d63743f93bcca43d484032 |
| SHA512 | 8c5bf4c5f7c00dc74148cc71bed9db33271b2e5b3f8ebb520d5669c96787d9d4d5e27b8e72d6b4cbca28092b2868570c0310672d06b0744d4d9529cec0a23d8e |
memory/1620-346-0x00000000049A0000-0x00000000049E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 73f3287cb09bf53075444168b088fca1 |
| SHA1 | 338aebe637c42c735293fb388b33f06829397728 |
| SHA256 | 36e6507cc94ce946039f61e23b18e47cc669a657d2d31d5a1661de94397071a0 |
| SHA512 | 924984b5203777347470eaa80589118ca262fa7970139f0ea71545098d86ab3ba227b1ca583ad9c21e2aa22105177ee4eb72b32af3dae069b5ef244d0cfc6042 |
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | b6cf95b07589996c70c5dea5480c6585 |
| SHA1 | d33fd1e123a6afe4d232d7b86e8f895b2ca488f3 |
| SHA256 | 8fc0af6225ca2e6799e44492060ce2538867fa0adb46f3badfe0e1e9762a1041 |
| SHA512 | 962d51698f0958d097f8828c205fde292ef6f77d3c819daa4de42abe113362486d4c5a77f14f54f044e28a8f7efc5b17380a6a741601767ad5c06d03544f5ac6 |
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 11d0bb2b4f010e393d4a3810c5dc8cb8 |
| SHA1 | a40409267c956549d880027da115a622fc052b03 |
| SHA256 | 8df1f6700e78b8fd80b42caa223d5d8bc00af29d66f5d3b2b214da1032031ae3 |
| SHA512 | 2877043eaa849d6905c3c606aa1f5b69c3b3aaf36ccdfa55aeec8b80289f9de72bad5a8ac5b76594b63bee51c665066d737211db4e3b54648b62aa9577f105a0 |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | 52d55fef169d2b85e0e0ef82722ad4fc |
| SHA1 | 22ed12168ca609151c629a9b5141bdccef11aebe |
| SHA256 | 1f7861dd15de882cdbf57e99e16fd1d4d171e931c70526944968f543c86b279b |
| SHA512 | 047062f653cd1fdc4710996fc7924313221733997a4c05f6fcae6d5b6018bb76253d9958791e54ad6a20d34f9b1e3432527224873dad1ea8d4acdc6f7d618176 |
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | bc8bed0c4f00b83ccd37642be24b8c9a |
| SHA1 | 2353a7523214745ba9f57d5382d12fa5d19e5e83 |
| SHA256 | 31d6b481cca4ddbe409e0440ff7f59e9eb5b283841887056929460f0349342c7 |
| SHA512 | 9d0a4a63710f558c048762191275c5abf881f2dd864b17a5be67e5841f5e2fba221a8aa65aeec4eeb58945bfa8f37e14cbf5c30c697dbdae3deacf0e5df85dd4 |
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 340b1683c7f31eade2383e5e67c84817 |
| SHA1 | 9d73425c3db2295a0e58b41ff425041807089123 |
| SHA256 | 0a3cdce66c251198465c36986e82ca335b8e362bbbfed3007617dc752fed0d9e |
| SHA512 | cc936fa1a5b7fd12702dac490bc71fc68a25decfa73331b6c90f65d11b48c0675b560b6d45b4054fcab412b6ba6e5ff87476fc86b3da03a8cc8e26c160cf3470 |
memory/1620-342-0x00000000049A0000-0x00000000049E0000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | be1fcc275f61be8ea04caa98a17b1e7e |
| SHA1 | 7161e51c8682824698ccfb1f3eefcb36a7a357ac |
| SHA256 | ad93fc5863097cee62aa9f5a69d7145795e3a8b6ffb5405de51352b9458d95cf |
| SHA512 | 633d3558f17828babf864f55b890de4fd06c4f2a2375af52fd63c4285b1bd41f58852befb3596d62e3967a6ce20391941dd3a22a1ffe5d3438bce7e4e0cafc46 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 5f6b41ea62d3ca3d583b189f2f645258 |
| SHA1 | 905ae63bfe9f71c55b8421cf4e042f0d812b463b |
| SHA256 | a9ca06c53f4bdb9f154e1b16fbdb739a52badffa727c278dae94d7f1d62ae3c7 |
| SHA512 | 2bb4c091648a3af6ae689071d27ff4f99a1ca9202c3dc136a6fd9896795c12b58a818042cb8023fc39b88c528ad95ac4b9ef44b10c5f0ea43d0fc852cd14e5a4 |
memory/2656-384-0x0000000000FD0000-0x0000000001052000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | a39626f94e78d5a1b029fcb1f8c0034e |
| SHA1 | e86c4e1cfc5c2f7fcee9ecc690407c4b1187b99a |
| SHA256 | 3c08d233aa2c310363c9e0ef37f73f0a84812f44507e2afec5a3b5cb6c084a37 |
| SHA512 | b806cc78a243e7f982b8fddadb938b9beabd833143b8a7eeb8a1bfba3120e789153ffce8b40ad786cfb51cdcc99b5e539b1569c27224cd562afe8dd1477d532a |
memory/1776-387-0x00000000027C0000-0x00000000047C0000-memory.dmp
memory/2656-392-0x0000000004D40000-0x0000000004D80000-memory.dmp
memory/2656-399-0x0000000073FD0000-0x00000000746BE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
| MD5 | 5e10772d9861a717acf0c55f161d125e |
| SHA1 | a78a6336adc2935ef4519282521abdf53c3cd2c9 |
| SHA256 | 9e923396a1c67ffe7873a08750046420e974b93165990aa271fc045f569f99ce |
| SHA512 | 81a3d915d87c3df00411b3ae88d6bb5e3b699abd8dfdc8085eb6999c4a9ee70c9f91996a6e975f9a0478328d6b3d913039006bcfc2fe7e29ff7cf84769c1ffea |
\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | fb919fc450d53e699b5065c8231f5866 |
| SHA1 | 0c471aad9ab853f53c64d9954b62bf62c908ef1d |
| SHA256 | 1534a18f5d7ade6c54d92f172adb7293eebc997eafc33d1a6ad8de6223a55c86 |
| SHA512 | f1c5b9cd256c2360bbdf0c03dda7db6c1642a390e4b53ba9b743433b9b3f49c9d1e19a371f30a43053a9d9e2a4e685cd724d25eb22bc10636c0818d9116dd70d |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 1fe9d507e5c798f8798cb0999a40ff20 |
| SHA1 | 2723e4f7e5be8fafcfd8988d7de101ceb4407fef |
| SHA256 | a3b91ea932a3464fc5bdc236ab8661037682632d9e6fb0e4221aae95423b4f17 |
| SHA512 | 1d7546f40a3f7f769bb315dbd957dc41d917cd204432c6914109f53ef541ad96e57bfc908d2cd24403f4a11dedf66720c2af7be163f87a6d65638efa3962ee3a |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 8fa01123e7f54d7780b1a10884bfd7ab |
| SHA1 | 361eccb16da00aabf214ac0779de44ec2dfde23b |
| SHA256 | 5c8f20e7496ddf0fe4fb2d2d3dde58577f7d65bf49e1d1bfafd9535f1bba039d |
| SHA512 | d7f119149f3f41051dc82215386605d76371f4c773b801363c228282e6264fb2bb9773c27c50d45f7528b546b00ebe3acda61a4fbe9a1f6b46fcad56b6f46547 |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 9930d8d84ab1368c2ac32f4fb2dbbc1e |
| SHA1 | a641380fb0bc4ad187d0dffb7b6c7ce274fce1fd |
| SHA256 | 72fe222762a6c032cec53d4f9d0cf955e2bd4cc8e93beb68603d5c45210a2785 |
| SHA512 | aca59a9e9bdaf2ad6affe5273bd6f4cad69dcd116a8cce7b5fe9507825a8becbf2c6ee18b13b5a5acaa98fea113dfc359c174d7c30828a129a3b6abe27e5de4e |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 685a67e41c1ff3ba47a218b898480fb6 |
| SHA1 | 65d5cbabec7b6d933c5df9d861e6de8eeb9df905 |
| SHA256 | 21d3a5b479561231067c4e3ea4088f069039c9615e228dd714f6e2420b8abc82 |
| SHA512 | 5e638148afbcbb52dd2c3c7b171a912d67b67c2e824305f247488a340ab77e7c4706ab9984fa125ea2f82f3a713e9ea1fde745e94a9fe8cd6f50d4723e1d97df |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d8e9ef307600f52ad2cfca1616f9e183 |
| SHA1 | 71078c6fb2384640148f8dbb3fac9ed0dd28b84a |
| SHA256 | d44928d3074ffce4b37446a949d8e0a2e2d56e639de2801409b2c2be239b299a |
| SHA512 | fcf085526e17d635f217de934b5e5df723f2291e4f9e241cbaf0b606d291d486d8f8a9af1cd776e1e02744c307aa1507ce16fe619c1ba7dc25c6500faa6fecd4 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 2c8ddf7d0c4f1f3b58c1c9775b754a87 |
| SHA1 | a31aae10f4fc33410165ab954e61177448dc722f |
| SHA256 | 53cc18619e01650460ea20d7d00040b1b4b480d6bffd0e48b2bfba7a7719fe95 |
| SHA512 | 5f855b9a370e73e613c59f249504737b87042d2eca537ce4de280841feba6c9e32c717081eae6871426ebc083df1284f6ab201c3c952f5cb7a5bdafecca8ee9b |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5bf0b5cd02e23c85e043cc9e705b15a8 |
| SHA1 | bb1cdd136eb101ce9bca069dbd0b6dbb2465c2ed |
| SHA256 | 9ab7b9bad6da333efdc334ab71001d26227bb41a1c5f52698ff0f469a7dafb3c |
| SHA512 | 111f2a4f76f210a63e4ddb9cbb33e33c974b707d079324a7950a53d732f0ae5366ef1cc32f94219d39c8f36c6282c782f8de7320306ffd6b9e354ccd1911eb45 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 82b1fa57bd1d7a09df0d3e3961565400 |
| SHA1 | 8d8abd1b2a3813dde18e2736e9ef20d6221b0176 |
| SHA256 | 89c73b5ad1c1fe267e2a386cff43928d0ac0095fc2d3143d9ef9842b66590824 |
| SHA512 | 3e1d378c54d6aa09972af9764fbabaaa9a2d4e467f7837066d3288a3a0c0a10861eb1d5e007e1970e94a8e835497c420f9428006bb5585682d70d14e11654031 |
\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | ae6f81b1735218b73967d2db100644b9 |
| SHA1 | 4700b66ca1336de26b056a918d2d8ec9fb6501cd |
| SHA256 | e998a4e92b7a9a98f406813b3a1d974eb07f40ccd6a44c5217635a5d52f20d7b |
| SHA512 | bec487cab2e06e8b65e30c00031d4ce8327af51480e0f91c1cd9cda5c224222ea09b660ec5eb7e446461f9568be6fec13e832ef114b4da59987a230e11599c59 |
\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | 078a9ea200315e48618d5bec71f4eb49 |
| SHA1 | 4070bc5666709b6974e686cc3f08d91f3d309b9a |
| SHA256 | 25b7ed60bac04c2b9d96691dd5ac5f47c0449380a84af06fe635272bc2cb195b |
| SHA512 | f5fff7d601958c3c807baa30b5f9dd5d8f196fc1fbd2f33b91da887f89393594f7ae772e8a93dc3db16762e46fed377e61ccd34b4c2ab15a6bfb8e5a78e77874 |
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 0812359cbb97c26307d59a2c938fc9e0 |
| SHA1 | aae81dc050dfee6dfba66246087f087810c2c292 |
| SHA256 | 558b7c9d913bdba52e4e049cfe4ff406a1123dea4e47ce9d2af9a2a1a55d49a2 |
| SHA512 | d721596b7e5b97c0c89053981d8d8899890dcb5d2916a1f8b29a092b1266bfb1973a45d89663729985e826b71ba61a98011254ee186f17d369ef13eb5ec6869c |
\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | e352fd3c082ade70132a39c470db6e39 |
| SHA1 | 8cef92158f960c35de968a58e0aa4c3268d3876f |
| SHA256 | bd682455e8dcfc83a866bc1d86c0f45c21c2765a57086226d6fc9381de937e2b |
| SHA512 | 21ee8e0bed8b1333cafadee8f9aa9d27594714b85aeaf34f3a518feb882f91dd52f22baebf8288ff09ae2fba7c5db580de59f721b1bcbdbb965ecec7102df26b |
\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | caa7d8c52ebc6e04d4d33dd8f4eceb72 |
| SHA1 | 30e0e74741fd4936e3946d1b12df588a307ddfd9 |
| SHA256 | 066d9bf3778573c30165f1ab3246faa7c8dc056ecb97c496f570bdebf9475925 |
| SHA512 | f8cb9fec3d7d782ec78e43bef01ac6fafd34f45ea47e182989646171d61586e4666ce668f43417a5f5c7d1f3ba54cb837d95ff61fa42ed9f02bd3c876f4def7e |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | b2f3f214e959043b7a6b623b82c95946 |
| SHA1 | 4924ee55c541809f9ba20fd508f2dd98168ffdc7 |
| SHA256 | 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29 |
| SHA512 | c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67 |
memory/1764-329-0x00000000002A0000-0x0000000000BE8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | dee63473a06ba61e8c176166609f3dbc |
| SHA1 | 40d399b25974e5d969a1f97604b35e93e19b82d3 |
| SHA256 | 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b |
| SHA512 | 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c |
memory/2656-454-0x0000000002460000-0x0000000004460000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | d6268edb1d41560bedd57e013cc46f14 |
| SHA1 | 3bf6f8d81116efe2789369a684f7d4f8f5988769 |
| SHA256 | 4edf6197e809664c8f5bee7505ebcf8f7cca2e0926d6163352d0eb2e9e32c41b |
| SHA512 | e2ac56e85456ed995ed105251f61673ea844721fc05f6e0fb2af329715adaa7dc6d012efd12f63692b1ff69db1f55021f090647ec27e233ddb6363bdf5a3c2b8 |
memory/1084-464-0x00000000000F0000-0x0000000000144000-memory.dmp
memory/1384-466-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1776-469-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/2840-473-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/2840-477-0x0000000004730000-0x0000000004770000-memory.dmp
memory/2656-482-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1776-486-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/2840-489-0x0000000004730000-0x0000000004770000-memory.dmp
memory/1764-496-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1776-488-0x0000000004C30000-0x0000000004C70000-memory.dmp
memory/2184-487-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 22cb5511adc8457985a804f1940d5a74 |
| SHA1 | 201fd9c01f56930e248330b7dfa8bcf6e4239971 |
| SHA256 | 9e92a7f052d01b8de0646b5d1805f22360b3a7074dbfcf62924133c0a58f1c7e |
| SHA512 | 338a17a2845ad114f8d06452e6342fb2be892062305f75e66dc7e1db3b93e7d4c66fd5cae935b64843e36a464fe805240adea1a0960e3d7f47e86a749279f668 |
memory/2840-481-0x0000000004730000-0x0000000004770000-memory.dmp
memory/2840-479-0x0000000004730000-0x0000000004770000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab67F9.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar6ECF.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\nse4A89.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nst789B.tmp
| MD5 | 444c5adbaacbe3b46582adbaab8848e9 |
| SHA1 | 27a7eb3f93b9f210eccbf4660c280248f154a5bb |
| SHA256 | adcfbb7fe5cd4792e4c182b580e4437c8c491416e921597e852859eb29e2e0a2 |
| SHA512 | f393042f85b2df6a4fb8ae928ee2a9099cd4c9f6a58f03c8ae45001625f140ebd9b0ec96e0c9141d6506187cae3cea63504f1b4c3f41c8d9c461d63ad5bfe05f |
C:\Users\Admin\AppData\Local\Temp\BE7F.exe
| MD5 | f6304a26d04bb93807ce226ae4d2b0e4 |
| SHA1 | b61fa453a54b088d8bd138e004364435e00678d1 |
| SHA256 | 2e22574ce65eb936693a3f0161b38470b054d7dcea5fa1df46357dc37debefd7 |
| SHA512 | 6b4f1d1f8c6899ab6d948155f7de30d0138af5c486e1bcccd2cc49fb9de23059977fd5b76aef8214964434478e6eebf4d683963644dd975eeba6b556e4a2c41b |
C:\Users\Admin\AppData\Local\Temp\DDE2.exe
| MD5 | 6c49c55e6ea1e7b5fa6cb618df503d71 |
| SHA1 | 3e3c766506ea031947b4f9dc95e4d2bdfc2e2faa |
| SHA256 | 0d0063de8ae9b402a51c3c91bfeac5e0455799ab8ed3721ebe13de7621ce2390 |
| SHA512 | a24e23bdeaa72c6d6012d7739e5740f8882af7e9e9fc34c542db032f30b4c44c81df14ae3160cdec47e0f00d6efc2562d3174f2fd3f731cbcce72a1fecb368cc |
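The listing above only becomes hunting data once it is turned into a de-duplicated hash set, and two things in it are easy to misread: the same dropped file appears under both `\Users\...` and `C:\Users\...`, and one latestrocki.exe entry carries the digests of an empty file. The script below is an added example of my own, not output of the sandbox: it parses this page's layout, folds the two path spellings together, separates empty captures from real ones, and splits the memory-dump lines into regions shared by several processes and regions private to one. `SAMPLE` is an excerpt copied verbatim from the listing; the "shared image" heuristic for memory regions is my assumption, not a sandbox classification.

```python
"""Turn the dropped-file and memory-dump listing of a sandbox report (the layout used on
this page) into hunting data.  Added example, not output of the sandbox; SAMPLE is an
excerpt copied from the listing above."""
import re
from collections import defaultdict

# Well-known digest of zero bytes: a dropped file carrying it was empty when captured.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\\S")

def normalize_path(p):
    # The listing writes the same file as "\Users\..." and "C:\Users\..."; fold them together.
    return ("C:" + p if p.startswith("\\") else p).lower()

def parse_report(text):
    """Return (file records, memory regions); regions are de-duplicated per PID."""
    files, regions, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM_LINE.match(line)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            regions[(pid, start, end)] = {"pid": pid, "start": start, "end": end, "size": end - start}
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
            continue
        if PATH_LINE.match(line):
            current = {"path": normalize_path(line)}
            files.append(current)
    return files, list(regions.values())

def analyze(text):
    files, regions = parse_report(text)
    by_sha, empty = defaultdict(set), []
    for f in files:
        sha = f.get("sha256")
        if sha == EMPTY_SHA256:
            empty.append(f["path"])
        elif sha:
            by_sha[sha].add(f["path"])
    # Heuristic (assumed): the same (base, size) dumped from three or more PIDs is an image
    # mapped at one base in every process (a shared DLL), not a process-private payload.
    pids_by_region = defaultdict(set)
    for r in regions:
        pids_by_region[(r["start"], r["size"])].add(r["pid"])
    shared = {k: p for k, p in pids_by_region.items() if len(p) >= 3}
    private = [r for r in regions if (r["start"], r["size"]) not in shared]
    return {"file_count": len(files),
            "files_by_sha256": {k: sorted(v) for k, v in by_sha.items()},
            "empty_files": empty, "shared_regions": shared, "private_regions": private}

# Excerpt copied from the listing on this page.
SAMPLE = r"""
memory/1776-179-0x0000000004E20000-0x0000000004FCC000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | abba23d716f61ade1c2e9d25928f0fc9 |
| SHA1 | c71905206a937011627ac76dbe72c3cb2a0f9c0d |
| SHA256 | 1c57c168405c9324a906f1fd3b40a36814c815899150e64dad9e24e7414eb33b |
| SHA512 | 11363c783d9ff8ede1b5b8fbee5cf1d465a8cd8421d496c881ba15f55d2e8fd2bedbd84ded544239648abf75df53fe23abb0d228eb32466583ebbd5970e390a8 |
memory/3016-209-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1384-226-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/1744-246-0x0000000073FD0000-0x00000000746BE000-memory.dmp
memory/2600-204-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2600-205-0x0000000000400000-0x0000000000452000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | 4a216adeea2835984a59e69609ea40ed |
| SHA1 | 4e851650de9fa9ef64a03f4df29cba58dd8684a1 |
| SHA256 | 239bd98dbbf2f8f3fb4fc2f2adc5618873cb9d9cc3907691328f3dcecc0c70cb |
| SHA512 | cc4b296be8be82fdccac885629be9ab397bbac84ccbb9d6d2475e30864839805569a05f5dea7433b1b7a97e402640c8cee68538793d7d9cc482ef4b027f9bdb4 |
"""

if __name__ == "__main__":
    summary = analyze(SAMPLE)
    print(len(summary["files_by_sha256"]), "unique SHA256;", summary["empty_files"], "empty")
    for (base, size), pids in summary["shared_regions"].items():
        print(f"shared image 0x{base:08X} size 0x{size:X} in PIDs {sorted(pids)}")
```

Run over the whole listing rather than the excerpt, the 0x73FD0000 region recurs in eight PIDs and is a mapped DLL, not something to extract from each process, whereas the 0x00400000 regions of PIDs 2600 and 596 are process-private image ranges, which is where an unpacked or hollowed payload usually sits.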
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 06:11
Reported
2024-01-26 06:13
Platform
win10v2004-20231215-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Note: RegAsm.exe is Microsoft's .NET assembly registration tool and has no reason of its own to read BIOS strings. A legitimate binary doing so is the trace of code injected into it, consistent with the "Suspicious use of SetThreadContext" signature in this analysis; treat the RegAsm.exe rows as the injected payload's behaviour, not RegAsm's.
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Note: a Run value named csrss that launches C:\Windows\rss\csrss.exe is a masquerade. The genuine csrss.exe lives in C:\Windows\System32, is started by the Session Manager, and is never registered under a Run key; the C:\Windows\rss directory and the windefender.exe drop recorded further down are characteristic of the Glupteba family this report flags.
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FirstZ.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Note: the config\systemprofile paths are the LocalSystem account's profile, so these PowerShell instances were running as SYSTEM; the StartupProfileData and UsageLogs writes are ordinary start-up side effects of PowerShell and the CLR. The rows that matter are the two write-opens of C:\Windows\system32\MRT.exe, the Malicious Software Removal Tool binary, which only an elevated process can open for modification.
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
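Read together, the Run-key, System32, WinMonFS, VirtualBox-device and Windows-directory tables above describe a handful of behaviours that can be expressed as per-process rules rather than read row by row. What follows is an added example of my own, not one of the sandbox's signatures: it scores rows in the shape of those tables, with `EVENTS` copied verbatim from them. The list of system-process names, the allowlist of C:\Windows subdirectories, the extra VirtualBox device name and the weights are assumptions; the WinMonFS and VBoxMiniRdrDN names and the MRT.exe path come from the report itself.

```python
"""Per-process scoring of the behavioural rows in this report.  Added example, not a
sandbox signature: EVENTS are rows copied verbatim from the tables above; the name list,
the C:\\Windows allowlist, the extra VirtualBox device name and the weights are assumed."""
from collections import defaultdict

# Processes started by the kernel, SMSS or wininit; none is ever launched from a Run key.
# Assumed list: the report itself only shows csrss.exe being impersonated.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "wininit.exe", "winlogon.exe",
                        "lsass.exe", "services.exe"}
# Subdirectories of C:\Windows where freshly written executables are expected (assumed).
EXPECTED_WINDOWS_SUBDIRS = {"system32", "syswow64", "winsxs", "servicing",
                            "softwaredistribution", "microsoft.net"}
# Device opens worth a strong hit.  WinMonFS is the driver this report shows csrss.exe
# touching; VBoxMiniRdrDN is the probe it shows; VBoxGuest is an assumed extra.
DEVICE_TAGS = {"winmonfs": "rootkit: WinMonFS driver device opened",
               "vboxminirdrdn": "anti-vm: VirtualBox device probed",
               "vboxguest": "anti-vm: VirtualBox device probed"}
PROBE_KEYS = ("systembiosversion", "videobiosversion", "\\geo\\nation")

def run_value_target(indicator):
    # '...\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""'  ->  'C:\Windows\rss\csrss.exe'
    rhs = indicator.split(" = ", 1)[1]
    return rhs.replace('\\"', '"').replace("\\\\", "\\").strip().strip('"')

def classify(e):
    """Return (tag, weight) for one report row, or None when no rule fires."""
    desc, ind = e["description"], e["indicator"]
    low = ind.lower()
    if desc.startswith("Set value") and "\\currentversion\\run\\" in low:
        target = run_value_target(ind)
        name = target.rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_PROCESS_NAMES and not target.lower().startswith(
                ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
            return "persistence: Run entry launches a system-process name from a non-system path", 3
    if desc in ("File created", "File opened for modification") and low.startswith("c:\\windows\\"):
        if low == "c:\\windows\\system32\\mrt.exe":
            return "defense evasion: write access to the Malicious Software Removal Tool binary", 3
        if low.endswith(".exe"):
            first = low[len("c:\\windows\\"):].split("\\")[0]
            if first.endswith(".exe") or first not in EXPECTED_WINDOWS_SUBDIRS:
                return "defense evasion: executable written under C:\\Windows outside servicing directories", 3
    if ind.startswith("\\??\\"):
        for prefix, tag in DEVICE_TAGS.items():
            if low[4:].startswith(prefix):
                return tag, 3
    if desc.startswith("Key value queried") and any(k in low for k in PROBE_KEYS):
        return "environment probe: BIOS or locale query (low signal on its own)", 1
    return None

def triage(events):
    """Aggregate rule hits per process; a single strong hit is enough for a verdict."""
    per_proc = defaultdict(lambda: {"score": 0, "hits": []})
    for e in events:
        hit = classify(e)
        if hit:
            per_proc[e["process"]]["score"] += hit[1]
            per_proc[e["process"]]["hits"].append(hit[0])
    for rec in per_proc.values():
        rec["verdict"] = "malicious behaviour" if rec["score"] >= 3 else "environment probe only"
    return dict(per_proc)

SID = r"\REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
CSRSS = r"C:\Windows\rss\csrss.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
RUN_CSRSS = SID + r'\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""'
EVENTS = [  # rows copied from the report's tables
    {"description": "Set value (str)", "indicator": RUN_CSRSS, "process": DROPPER},
    {"description": "Set value (str)", "indicator": RUN_CSRSS, "process": CSRSS},
    {"description": "File opened (read-only)", "indicator": r"\??\VBoxMiniRdrDN", "process": DROPPER},
    {"description": "File created", "indicator": CSRSS, "process": DROPPER},
    {"description": "File opened for modification", "indicator": r"\??\WinMonFS", "process": CSRSS},
    {"description": "File created", "indicator": r"C:\Windows\windefender.exe", "process": CSRSS},
    {"description": "File opened for modification", "indicator": r"C:\Windows\system32\MRT.exe",
     "process": r"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"},
    {"description": "Key value queried",
     "indicator": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", "process": REGASM},
    {"description": "Key value queried", "indicator": SID + r"\Control Panel\International\Geo\Nation",
     "process": REGASM},
    {"description": "Key value queried", "indicator": SID + r"\Control Panel\International\Geo\Nation",
     "process": r"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"},
]

if __name__ == "__main__":
    for proc, rec in triage(EVENTS).items():
        print(f"{rec['score']:>2}  {rec['verdict']:<22} {proc}")
        for tag in rec["hits"]:
            print("     -", tag)
```

The scoring deliberately keeps the BIOS and Geo\Nation lookups at weight 1: on their own they also occur in installers and telemetry code, so RegAsm.exe ends up as "environment probe only" here, while the dropper and the planted csrss.exe each trip three strong rules and the MRT.exe write-open alone is enough to flag FirstZ.exe.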
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\System32\Conhost.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-362 = "GTB Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-912 = "Mauritius Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-731 = "Fiji Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-392 = "Arab Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-401 = "Arabic Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-441 = "Arabian Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2452 = "Saint Pierre Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-214 = "Pacific Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1912 = "Russia TZ 10 Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-92 = "Pacific SA Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2942 = "Sao Tome Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-462 = "Afghanistan Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-335 = "Jordan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2592 = "Tocantins Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1872 = "Russia TZ 7 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe
"C:\Users\Admin\AppData\Local\Temp\5c1e965d21ddfb6972824827a6ad3ed5.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4068 -ip 4068
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 372
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6100 -s 288
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6100 -ip 6100
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 440
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 5308 -ip 5308
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5308 -s 312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 744
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5492 -ip 5492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5492 -s 1208
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 768
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 784
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 812
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 624
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 628
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 928
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 944
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 848
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1760 -ip 1760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 920
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1760 -ip 1760
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3524 -ip 3524
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3524 -ip 3524
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 3524 -ip 3524
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3524 -s 732
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 684
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 788
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 672
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 372
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 636
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 912
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5640 -ip 5640
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 972
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 988
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5640 -ip 5640
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1108
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5640 -ip 5640
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 1124
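Triage of the process command lines above, as an added example that is not part of the sandbox report and not the sample's own code: a Python script that parses the `sc sdset WinDefender ...` service security descriptor (the `(D;;WPDT;;;BA)` ACE denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to Administrators, which is why `sc stop` fails on the planted service even from an elevated prompt) and classifies the other persistence and defense-evasion commands seen in the process list. The sample command lines are copied from this report (the conhost line is a benign control); the suspicious-path list, the protected-service list and the ATT&CK technique labels are assumptions made for this example, not output of the sandbox.

```python
import re

# SDDL abbreviations for service-specific rights and well-known trustees.
SERVICE_RIGHTS = {"CC": "QUERY_CONFIG", "DC": "CHANGE_CONFIG", "LC": "QUERY_STATUS",
                  "SW": "ENUMERATE_DEPENDENTS", "RP": "START", "WP": "STOP", "DT": "PAUSE_CONTINUE",
                  "LO": "INTERROGATE", "CR": "USER_DEFINED_CONTROL", "SD": "DELETE",
                  "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER"}
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive", "SU": "Service",
            "WD": "Everyone", "AU": "Authenticated Users"}


def parse_service_dacl(sddl):
    """DACL ACEs of a service SDDL as (type, [rights], trustee); the SACL (S:) is ignored."""
    m = re.search(r"D:((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", m.group(1)) if m else []:
        f = ace.split(";")                      # type;flags;rights;objguid;inhguid;sid
        if len(f) < 6:
            continue
        rights = [SERVICE_RIGHTS.get(f[2][i:i + 2], f[2][i:i + 2]) for i in range(0, len(f[2]), 2)]
        aces.append((f[0], rights, TRUSTEES.get(f[5], f[5])))
    return aces


def denied_to_admins(sddl):
    """Rights a deny ACE withholds from Administrators; non-empty means 'sc stop' fails even as admin."""
    return [r for t, rights, who in parse_service_dacl(sddl)
            if t == "D" and who == "Administrators" for r in rights]


# Assumptions for this example: launch paths no legitimate service or task uses
# (ProgramData, per-user AppData, the non-standard C:\Windows\rss from this sample)
# and services whose stop signals tampering rather than administration.
SUSPICIOUS_PATH = re.compile(r"\\(ProgramData|Users\\[^\\]+\\AppData|Windows\\rss)\\", re.I)
PROTECTED_SERVICES = {"eventlog", "wuauserv", "bits", "dosvc", "waasmedicsvc", "usosvc"}
SC_CMD = re.compile(r'\bsc(?:\.exe)?\s+(create|stop|delete|start|sdset)\s+"?(\w+)"?', re.I)
BINPATH = re.compile(r'binpath=\s*"?([^"\s]+)', re.I)
TASK = re.compile(r"""schtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+"?'?([^"']+)""", re.I)
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+(\S+\.dll)', re.I)


def triage(cmdline):
    """Return [(ATT&CK technique id, finding)] for one process command line."""
    hits, low = [], cmdline.lower()
    m = SC_CMD.search(cmdline)
    if m:
        verb, svc = m.group(1).lower(), m.group(2)
        p = BINPATH.search(cmdline)
        if verb == "create" and p and SUSPICIOUS_PATH.search(p.group(1)):
            hits.append(("T1543.003", f"service {svc} installed from {p.group(1)}"))
        elif verb == "stop" and svc.lower() in PROTECTED_SERVICES:
            hits.append(("T1489", f"stops {svc}"))
        elif verb == "sdset":
            denied = denied_to_admins(cmdline)
            if denied:
                hits.append(("T1562.001", f"{svc} DACL denies {'/'.join(denied)} to Administrators"))
    t = TASK.search(cmdline)
    if t:
        level = "highest" if re.search(r"/rl\s+highest", low) else "user"
        hits.append(("T1053.005", f"task runs {t.group(1)} at {level} privileges"))
    d = RUNDLL.search(cmdline)
    if d and SUSPICIOUS_PATH.search(d.group(1)):
        hits.append(("T1218.011", f"rundll32 loads {d.group(1)}"))
    if "add-mppreference" in low and "-exclusion" in low:
        hits.append(("T1562.001", "Defender exclusion added"))
    if re.search(r"wusa\s+/uninstall\s+/kb:890830", low):
        hits.append(("T1562.001", "removes KB890830 (Malicious Software Removal Tool)"))
    if re.search(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*action=allow", low):
        prog = re.search(r'program="([^"]+)"', cmdline, re.I)
        hits.append(("T1562.004", f"inbound firewall allow rule for {prog.group(1) if prog else '?'}"))
    if re.search(r"\bchoice\s+/c\s+y\b.*&\s*del\b", low):
        hits.append(("T1070.004", "delayed self-delete via choice & del"))
    return hits


def triage_all(cmdlines):
    """Command lines with at least one finding, in input order."""
    return {c: h for c in cmdlines if (h := triage(c))}


# Command lines copied from the process list in this report; the last one is a benign control.
SAMPLE_CMDLINES = [
    r'C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
]

if __name__ == "__main__":
    for cmd, hits in triage_all(SAMPLE_CMDLINES).items():
        for tid, why in hits:
            print(f"{tid:10} {why}")
```

To undo the descriptor on a live host, the deny ACE has to be removed before the service can be stopped: `sc sdset WinDefender` with the same string minus `(D;;WPDT;;;BA)`, run as LocalSystem if the deny also blocks WRITE_DAC for administrators. Note that the report also shows `choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"`, so the dropper files referenced in the process list may no longer exist on disk by the time a responder looks for them.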
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.182.107.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 144.76.1.85:25894 | | tcp |
| US | 8.8.8.8:53 | 85.1.76.144.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| DE | 185.172.128.19:80 | | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| HK | 154.92.15.189:443 | | tcp |
| RU | 185.215.113.68:80 | | tcp |
| NL | 195.20.16.103:20440 | | tcp |
| DE | 185.172.128.33:8924 | | tcp |
| US | 172.67.129.233:443 | | tcp |
| DE | 141.95.211.148:46011 | | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| DE | 20.79.30.95:33223 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10943 | zeph-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 186.137.68.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 104.21.23.184:443 | | tcp |
| BG | 185.82.216.96:443 | | tcp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 184.23.21.104.in-addr.arpa | udp |
| HK | 154.92.15.189:80 | | tcp |
| BG | 185.82.216.96:443 | | tcp |
| RU | 185.215.113.68:80 | | tcp |
| US | 162.159.130.233:443 | | tcp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.119.249.228:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 5.42.65.31:48396 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 185.172.128.90:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 5.42.64.33:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 40.119.249.228:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 173.222.13.40:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 172.67.141.68:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 94.156.67.230:13781 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.179.193:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 172.67.173.89:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 172.67.129.233:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.166.126.56:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 20.12.23.50:443 | | tcp |
| BG | 185.82.216.96:443 | | tcp |
| N/A | 20.12.23.50:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| N/A | 88.221.135.217:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| N/A | 81.3.27.44:3478 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
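Most rows in the table are reverse lookups for observed addresses (`*.in-addr.arpa`) and DNS queries whose name was not captured; the indicators worth keeping are the mining-pool names (pool.hashvault.pro, zeph-eu2.nanopool.org, consistent with the XMRig payload listed in the summary), pastebin.com as a hosting location, and the bare-IP connections, several to the same host on tcp/80 and several to high non-standard ports. The triage helper below is added here and is not part of the report. It parses rows in the table's layout, tolerating the export's habit of leaving the Domain cell blank and shifting the protocol one column to the left, drops the noise and groups the remaining connections by indicator. The tag lists are illustrative assumptions, not signatures from the page, and the embedded rows are a subset copied from the table above.

```python
"""Triage a sandbox Network table: drop reverse-DNS noise, tag mining pools,
hosting sites and bare-IP candidates. Added example, not part of the report."""
import re
from collections import Counter

# Heuristic tag lists (assumptions for illustration, extend to taste).
MINING_POOL_SUFFIXES = ("hashvault.pro", "nanopool.org")
HOSTING_SITES = ("pastebin.com",)
COMMON_PORTS = {80, 443, 53}

# Constructed sample: rows copied from the table above, one in the raw
# shifted layout ("| tcp | |") to show that it is handled.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 144.76.1.85:25894 | tcp | |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 45.76.89.70:80 | pool.hashvault.pro | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| RU | 185.215.113.68:80 | | tcp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| PL | 51.68.137.186:10943 | zeph-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.68.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | | udp |
| RU | 185.215.113.68:80 | | tcp |
| N/A | 81.3.27.44:3478 | | udp |
""".splitlines()

ROW_RE = re.compile(r"^\|([^|]*)\|([^|]*)\|([^|]*)\|([^|]*)\|?\s*$")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_row(line):
    """Return a dict for a data row, or None for the header / unparseable lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    country, dest, c3, c4 = (f.strip() for f in m.groups())
    if c3 in ("tcp", "udp"):        # Domain cell missing, proto shifted left
        domain, proto = "", c3
    elif c4 in ("tcp", "udp"):
        domain, proto = c3, c4
    else:
        return None
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    if IPV4_RE.fullmatch(domain):   # Host header was the IP literal itself
        domain = ""
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def tag(rec):
    d = rec["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-noise"
    if rec["port"] == 53 and rec["proto"] == "udp" and not d:
        return "dns-unresolved"
    if any(d == s or d.endswith("." + s) for s in MINING_POOL_SUFFIXES):
        return "mining-pool"
    if d in HOSTING_SITES:
        return "hosting-site"
    if rec["port"] == 3478 and rec["proto"] == "udp":
        return "stun-port"          # inferred from the registered port only
    if not d:
        return "bare-ip-odd-port" if rec["port"] not in COMMON_PORTS else "bare-ip-web"
    return "web"


def triage(lines):
    """Group connections by indicator (domain, else ip:port) and count hits."""
    iocs, dropped = {}, Counter()
    for line in lines:
        rec = parse_row(line)
        if rec is None:
            continue
        t = tag(rec)
        if t in ("ptr-noise", "dns-unresolved"):
            dropped[t] += 1
            continue
        key = rec["domain"] or f"{rec['ip']}:{rec['port']}"
        entry = iocs.setdefault(key, {"tag": t, "hits": 0, "endpoints": set()})
        entry["hits"] += 1
        if rec["port"] != 53:       # keep the resolved endpoint, not the resolver
            entry["endpoints"].add(f"{rec['ip']}:{rec['port']}")
    for entry in iocs.values():
        entry["endpoints"] = sorted(entry["endpoints"])
    return {"iocs": iocs, "dropped": dict(dropped)}


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for key, entry in sorted(result["iocs"].items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{entry['tag']:18} {key:28} hits={entry['hits']} {entry['endpoints']}")
    print("dropped:", result["dropped"])
```

Feed the full table in through `triage` and the repeated connections to 185.215.113.68:80 and the high-port destinations sort to the top; the `*.in-addr.arpa` rows never enter the indicator list. Unresolved `8.8.8.8:53` rows carry no information on their own and are only counted.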
Files
memory/4468-0-0x0000000000690000-0x0000000000A98000-memory.dmp
memory/4468-1-0x0000000000690000-0x0000000000A98000-memory.dmp
memory/4468-2-0x0000000000690000-0x0000000000A98000-memory.dmp
memory/4468-12-0x0000000000690000-0x0000000000A98000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fb69be017bf357f8211ddfa76078dc36 |
| SHA1 | 45964800a8901af84850316c346989a0750fc999 |
| SHA256 | d150feabbcc4aae5491e6488b7a88be4f31041b410a07808f27f700c3be8ebf8 |
| SHA512 | f9c27cfa7734e790e80adc35fe490c4da7651a7971e6728e7f08596d43db630673cd612f3d5dffa21173e0d04d52e22a2bd2dcb060b4c37f5cc48b745db0a105 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 53412bbb102473ebadf7880a25578597 |
| SHA1 | a785805f6fb0598479b5cf827cd50ba1da3418b6 |
| SHA256 | c66143cda121f20fe1aff4faec2c0a782fc097f8e7b3f38620c5229436c5c789 |
| SHA512 | beb230c277985cc6862677c33aa8e9a6edce4b2a2e70144545ab9d85f2b5652c5507678cd5f522866c60fe0ff6c346efb0c76911a9d698608088f6ae73270041 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 55aea01f21ac2e8806639583eaeb349a |
| SHA1 | 8cde033cac24e9c978885e7156b3627d48689418 |
| SHA256 | 8773febcde56930d27222f3bdd3e15d420cdb07fa03acbc9be0838d44ef73613 |
| SHA512 | 23881714c79fe530f9e6e375b65610a8cbf40e22e154e49bbe8fc434dab46ffce65275df1bfa347447e84eeb2d6a1b15cd5173881a7fbd086200134acb3d5e3f |
memory/1948-18-0x0000000000580000-0x0000000000988000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 86dcf064474fd20f25006f96ab661f01 |
| SHA1 | 69375b55e39c2bab40cc6da7896762a56d631d91 |
| SHA256 | d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc |
| SHA512 | 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963 |
memory/1948-16-0x0000000000580000-0x0000000000988000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 5be010fcbca732027b1827d951ac1809 |
| SHA1 | f4f814e8d012beaa508bf66fa253320a4386fab1 |
| SHA256 | a7b9aa9c5570a94b84ef8bdb32de2de144d9ec664fcac3562fe824ea2c13a64d |
| SHA512 | d9d62c5c4f817a63bbfbf17bdfc205b1390052ecdf931b4795fcdff18e41bb80e22a9f89d1a2f8452d7e765233597ba21d1b191fc17b33ca6903b37edfe4319f |
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | 0b4fe42f318029cc59f6d042b1b477c0 |
| SHA1 | 6fa25e328499ff9ee6041fc8210965edf8850da2 |
| SHA256 | cc1188de2b5f2a21cf8a93367fec453d5b84aa3c609ef778949e73768c2ad18f |
| SHA512 | 0811042e16693b5d37b315376c16bfa8df60cb7f1721d3865f2912988f2e93edc80aac127a25f4c42b0f469a424947029f1c2ea4b6e3c3b5546b027c6778911f |
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
| MD5 | a01a91a8e82f826f8e18da57442c2c1b |
| SHA1 | 0a68fbace281435e18db380769b8884926ac7056 |
| SHA256 | d2ea0f68c1b550d503370fb280914edec7a5d190487a37d6c71dd60f784361bc |
| SHA512 | 15b696d073a9eaced5d1c7f588aa594adcdbc77043cdd8a243d573d378166397dbd121bd1b2aec4d8f3c42d7e45352db930ba9581c4650c9d854a7a2780f55cd |
memory/2740-39-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
memory/3036-59-0x0000000000460000-0x00000000004CC000-memory.dmp
memory/3036-61-0x00000000028A0000-0x00000000028B0000-memory.dmp
memory/3036-60-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/4984-64-0x0000000000400000-0x000000000045A000-memory.dmp
memory/4984-67-0x0000000005C70000-0x0000000006288000-memory.dmp
memory/4984-70-0x00000000056A0000-0x00000000056B2000-memory.dmp
memory/4984-72-0x00000000057D0000-0x00000000058DA000-memory.dmp
memory/4984-73-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/4984-77-0x0000000005760000-0x00000000057AC000-memory.dmp
memory/2740-76-0x00007FF6A7610000-0x00007FF6A804D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
| MD5 | 1e17144c5aa7340c87eb4d28a350c0d0 |
| SHA1 | cf8ea5439024864d0b0887841fc68bd0849578ba |
| SHA256 | 4a1d10b3aed949328b64f9515d3b744342de2238518d5960e3b293a2fe890edc |
| SHA512 | dae090fb16f5e2ae7d6f1073b63f2a888f3da6c89360a68ea74d2f3a33da94183640b9e0f37653299e3e9502da152e7ff1244942de7da11d4ffbac2ff796f611 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 918da0105549aac3409ac0a601fa8c8b |
| SHA1 | 99ea14c67138d423cfc8b37f8bb145fc3df6355b |
| SHA256 | 511189e2f3f4641f07806100751b5fcdc2532e48076d32a7b2da7f6472efcb67 |
| SHA512 | 2a107938329911ffc6d8efd6d0d19d462adc3ec0289b0f52b8e3f829f7ff8ab8f51a2a27399a9400f35483b5fdb46f78769189f98d00adbd697d78d0cbf23d5f |
memory/3552-101-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3552-102-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1168-105-0x00000000002E0000-0x0000000000332000-memory.dmp
memory/3552-106-0x0000000140000000-0x000000014000D000-memory.dmp
memory/3552-104-0x0000000140000000-0x000000014000D000-memory.dmp
memory/1168-103-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/1168-111-0x0000000004C40000-0x0000000004CD2000-memory.dmp
memory/4984-112-0x0000000005AD0000-0x0000000005B36000-memory.dmp
memory/5032-114-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1168-118-0x0000000004E70000-0x0000000004E80000-memory.dmp
memory/5032-117-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-119-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-121-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-122-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-123-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-124-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-120-0x0000000140000000-0x0000000140840000-memory.dmp
memory/1168-116-0x0000000004C10000-0x0000000004C1A000-memory.dmp
memory/1948-115-0x0000000000580000-0x0000000000988000-memory.dmp
memory/2016-127-0x00007FF669250000-0x00007FF669C8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | d9b18b522917365fcc3d323da23f4b66 |
| SHA1 | 4b782ca675d5adbd1852eda905a654aae24df8e4 |
| SHA256 | 42ecf9196def58ace41ec6afea4428515a657447da33ddd97ca51a03f17a35bc |
| SHA512 | faa82a225756919c947b739a5021630a0cefd6ba778f6e57ee24baa2f97c7f17f61864653160694940670bf1dbf0aea111ca79de239d11f5d304526d3a8a5585 |
memory/5032-128-0x00000230BE710000-0x00000230BE730000-memory.dmp
memory/5032-148-0x0000000140000000-0x0000000140840000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | acf0f40ee0a3542084a6db8387eec3b3 |
| SHA1 | 342c0c363fa998360cd489d3d5fcf8b7917f5ff0 |
| SHA256 | 1a8379d2a05cbc4172346b51a7f5986c84cf4ea4a4ae097884cc2768dc88c7bb |
| SHA512 | 1f5e6933cb33cdaf6ce5149ed1cfb70131d52e07d752ef67d2ae304bac7d96630ddb513489cd4fb69a49288f8de7cf265d2224f8ae4b864358c5f19cfd7a150b |
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
| MD5 | 200d35a7f6656faa9f84e1a66d503737 |
| SHA1 | f7acbe2b49704b284cfe7ffd92b8f216c9c0a8a5 |
| SHA256 | dc088fb819f3907a89a3aa305141678ab8bbb9ce3b6fbd474900fa7563d98100 |
| SHA512 | ca5c00e08a74d52afa7a01f248328e30fa98d6bcbb3b5e57e0951aff0421e21ec29f5cb1f3f9a1a13814b81134dda7f68604601e5fcfcb6936af817fa8c01352 |
memory/5032-151-0x0000000140000000-0x0000000140840000-memory.dmp
memory/5032-146-0x0000000140000000-0x0000000140840000-memory.dmp
memory/4832-154-0x00000000050B0000-0x000000000525C000-memory.dmp
memory/4984-155-0x00000000067B0000-0x00000000067CE000-memory.dmp
memory/4832-156-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/5032-153-0x0000000140000000-0x0000000140840000-memory.dmp
memory/4832-159-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/4832-158-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/4832-160-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/4832-163-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/4832-162-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/4984-165-0x0000000007300000-0x0000000007350000-memory.dmp
memory/4832-161-0x0000000004EF0000-0x0000000004F00000-memory.dmp
memory/4832-166-0x0000000004F00000-0x00000000050A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
| MD5 | 0f35692594963b3364bec1b4b807fe30 |
| SHA1 | 08f1fac251cb7dd77a915705efaa9423c0aeb467 |
| SHA256 | 9de8418c6660cf533e354e826a7c50c0fac5cf785519431488d633665e3a1036 |
| SHA512 | a8b2dc4804bd1b7ccfbc32b7320bdace0ad2d0b125ed58072ed731178119f1ef35f90dfc33ad1ced6bb8d41a63179cff766d25ee4dc4b9bcc1582a71642f47ad |
memory/4832-157-0x0000000004F00000-0x00000000050AC000-memory.dmp
memory/4984-178-0x0000000007E00000-0x0000000007FC2000-memory.dmp
memory/4984-182-0x0000000008700000-0x0000000008C2C000-memory.dmp
memory/3100-191-0x0000000000C00000-0x0000000000C56000-memory.dmp
memory/3100-193-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/4832-195-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/4832-192-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/3100-199-0x0000000005610000-0x0000000005620000-memory.dmp
memory/4832-202-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/4832-205-0x0000000004F00000-0x00000000050A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | 9a3f4a2d9ff0afdeee57cbfb7998cd7f |
| SHA1 | d3fb95ee7de62bf876f1c4ed8bc2526e15b70854 |
| SHA256 | 2ea670ae2b35f9d73f264191ee71bc329ae2b7c66989c67b0c364dd1e0ac71d6 |
| SHA512 | cbb6c4e34c5e5013359b67e6065c61e026011e9ed1cb4813bf7acdef94b24c7ad01574cc8e47dda413265cda8ce2ebcb9c64f1ef019894a37676c3d2e53d54cc |
memory/4832-232-0x0000000004F00000-0x00000000050A5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | 48690187f749909f8b8313fb08172e50 |
| SHA1 | bd9c4a7b4a68039975643d6fb7e1fa308d90dcc6 |
| SHA256 | 8990a8cf9800c1ec94f8d15dda549e01cbed52dd4c33dea1ab6275ca920d226c |
| SHA512 | 1e5303f701a2c524391a8f7da58469bea182c82d2db8b3548f6cf0a88680814d7cd12606af0997c6e9c2c6623cb647ad74b27ee8e909af93eeae6666609e5124 |
memory/4832-236-0x0000000004F00000-0x00000000050A5000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/400-251-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/724-253-0x0000000004A10000-0x0000000004A4E000-memory.dmp
memory/724-257-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/724-259-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/724-272-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/724-275-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4832-274-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/4832-278-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/1228-280-0x00007FFBDE130000-0x00007FFBDEBF1000-memory.dmp
memory/4984-279-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/1228-273-0x0000000000970000-0x0000000000978000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/724-267-0x0000000004C00000-0x0000000004C10000-memory.dmp
memory/4832-261-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/1168-288-0x0000000073780000-0x0000000073F30000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1dfbfa155719f83b510b162d53402188 |
| SHA1 | 5b77bb156fff78643da4c559ca920f760075906c |
| SHA256 | b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831 |
| SHA512 | be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad |
memory/1844-294-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/1168-296-0x0000000004E70000-0x0000000004E80000-memory.dmp
memory/4832-295-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/1844-292-0x0000000000400000-0x0000000000592000-memory.dmp
memory/4832-291-0x00000000029B0000-0x00000000049B0000-memory.dmp
memory/4984-255-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/4832-254-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/724-250-0x00000000024D0000-0x0000000002512000-memory.dmp
memory/4832-249-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/400-247-0x00000000057C0000-0x00000000057D0000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | c838ad2afaf2e86044561f24879e07f6 |
| SHA1 | ee86a1456afa2cb16e389b9804b339376544acaf |
| SHA256 | cb4f3c780e5f401be85ac2cc2f8de2816477ec85808fd3ca87159c5ab159b39c |
| SHA512 | 71c4ac326f007425f7daede5fcf9befc396fd7efe9b78a141e5dd4a5317095ee5884151774f4d21da985cc3cceddd31526cdfb5e5dc7ab307b0b31aba2b0b765 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | c9dc42a14074c1987b7c655da5ef5877 |
| SHA1 | 1ce48160c039c2cddad3e3be97c07270dbf9b74d |
| SHA256 | 32d28467af9604b36e9637c67f9934ea663725bd14dae60fa102ebf2201b238a |
| SHA512 | 6c84d0d39d84a443c038ba426ba71dfbf8a27abe25cab3616a0806e56952af81f072c32bcadb19a0282bda92aa54e0ae1af379e6a81b34cfbf2669d3df9520d4 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 15d5b40e0d37d0e656c41d08f3a4d4ac |
| SHA1 | cf97c6c5b345c415ccab37e345b62542036e6187 |
| SHA256 | 465b91b4bed08f729ff3a806c0428a3efedd77f7825a341a344bef899f0423f1 |
| SHA512 | e4d835fe088bdc8d772b1f41dd8de423aed2da4634d1b6abe8971b2262eba3327eaf0bfe355633392c8659745a0b316bea6b3008a05112c031eb6477591c2da4 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 7c6158126fcaf750413a7930915b308f |
| SHA1 | caa1e195ea7af6169a0e6ac0709223557998792b |
| SHA256 | 13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3 |
| SHA512 | d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0 |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | b42b486e8e55035076114f5b8da97c63 |
| SHA1 | 98aecc3c7bfc55dff0f718769310eac122ae35e5 |
| SHA256 | 48701fb4c814e8f3e50efb83ad11bf30d8bf09dce0b990a5aa36f7b6603130c6 |
| SHA512 | 422de2a874389a44b1c92a07b7b5b8d8b1a7006ff919e4b513d5def827966a9ff698d9655315caa9eee1fc59d39fd69d799092c578ec7b06ec4228435879d77c |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 13d4efc2a10f443673cfde54faef6ea5 |
| SHA1 | 1c2ecede2b5f4440d7121193e830e7e12fba19db |
| SHA256 | f17a369b4861f55141ba1fdcf371b931cba6586417067335772d7d44e5dd4a8d |
| SHA512 | 8aec72da71091d8136b020305db9cf6c177858cbf0ba5a86f8df1fded1e53da3796b49b769f7d8b2e8070820b899b9ec97f5c5dcc6f26c5a072077ca280da3d8 |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | fcc52b464bceb4b40920b6bf05f3bb51 |
| SHA1 | 919ceeaeebdb090496f049f7a1b36c80367efb63 |
| SHA256 | bb1e8b632d133d2cecc918736e8ed65caaa887d74060871881769881c7e56445 |
| SHA512 | 36b2b346853e175e350aa0fd142055523e86a8a1c5f5e35ae8ccd4d80c0f9e3727e13b496d4f7cdd33d06c105be0de21024ff860f6c0a0f9507b32e70950b570 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | d992f0885cfcf317a8a85d7bfdf69a02 |
| SHA1 | 99953be7642ed4423584877efde585c7e6174f69 |
| SHA256 | c38e579d81b9e841484005e6a9416fd18e9a3f57ee0a617c8f68852545da9495 |
| SHA512 | 4c3157c6e9efacea942babed088b3d084b62e15c6caabfb2abd48c09b7c460b476e6fcbaec31282fa80aaa8c126463b1eb4bd43959f01849ef0324fd287161ee |
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
| MD5 | 982ff7212a1382621e8abfa1a1918d11 |
| SHA1 | 79adecfe98857bd18f7f741f2ad75d662b2264c0 |
| SHA256 | 26602ed80e52e42b1050beceed4ca1cb6c296d95684640390a94502df8ec420f |
| SHA512 | 7b7b5dcb8b6523c4186e6e4f83c274700646a9613518132ad6615580dcfc890a2af386fced1f8ba604d79f3937011d53d31977631f8219915a8c5d4d38dee1f9 |
memory/3100-237-0x0000000002E20000-0x0000000004E20000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
| MD5 | e8f02798ac1ecff0e99b2264df45bf70 |
| SHA1 | 7c449a68588d5fbec8e8ee5543a91e3f5aa2cf7d |
| SHA256 | 04fe1d37c58942262890171c3b6f86f392b0a939f70f64ff92cdcb4dc4a56631 |
| SHA512 | f2be59d593d896e06b2dfd3394cc93c6b20e691da6bbfef935118fdabbc5acf1b50b2eaf815009920f72ec880e2602b939e8ecfd59c068c075a4084462d2ed3b |
memory/3100-230-0x0000000073780000-0x0000000073F30000-memory.dmp
memory/4984-229-0x0000000005640000-0x0000000005650000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 852e9d0a2df2716f36925c575e31c70d |
| SHA1 | a978d7c0d9f9dc5e2f04654184f6fc421f84d7b7 |
| SHA256 | 17fa9f002b4b354a1f3642ee67c1fe67b542faeb0386c1f02392f5201b7b16fa |
| SHA512 | 3c7fd38268ed40b880704daa7efa619e05dbc457d3bff79ce8768a1ea59cb9cf2ae8cd3554cca1df46d133eb4e7b72a5dfdc4c9a678637aecb9226667e13bafb |
memory/1948-219-0x0000000000580000-0x0000000000988000-memory.dmp
memory/4832-218-0x0000000004F00000-0x00000000050A5000-memory.dmp
memory/3036-217-0x0000000002A80000-0x0000000004A80000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 2503c8077eae621e4054820aedd46912 |
| SHA1 | 09ddcf018c13a38ed475c0a1f271456f780a9620 |
| SHA256 | 4abb967b84adc989c0e76142ac7b35cd8927cab0fa06ce7f94987c5ab33c9061 |
| SHA512 | 3448571a237c5ec47626de1f078ee1e638ba290fc1c6525929c514393b1650a2e2c4eb938d9d159e19d215239a446255df15019d83fd4785599077ebc3059612 |
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
| MD5 | 9a93dc5a9ff1a9e2f291f17331fc5aad |
| SHA1 | 272480849bd20b1dbe5337b538d1ecd757f78ecb |
| SHA256 | 8ae2596d49090df6956daf15c5aeae122d127a3f1958f605ed4c9a4613b91707 |
| SHA512 | 4449b3e8b6d9c97735ff5f5b5a8ec3a60cbbd6629eb4a26008cc439b4ab20d4dbb56e97d81151eabdd9f9e56d6aefc03087b199611506ae0232c864f54f0dc89 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | f958acf237887abd029fbeef7067c6ba |
| SHA1 | c95c471a564be0a0eb82e4f9acc520ae6ba3dfbb |
| SHA256 | 53c4c574159a230c523e6249d02eb94b11ffa6dea28235dd0fdb34616a8a43b3 |
| SHA512 | e2a8a22556f6f636538d352423fde8bfb83950e9888f0fcbb47eb9d327125deecdf97f74136494141e6f24ed1bfba127ef4155dd75ac9cba617bfc5f4fa36ec4 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 971d8da6ad03fc455b01fc80c31f5e71 |
| SHA1 | eb594c5626f7a2c0471bec35899d33cf9383a145 |
| SHA256 | fea8637994a1da07c25e0384a789938a055cace8e1b8d6156fe01648f6ad8de4 |
| SHA512 | 102214059968bfe80cecb4222b7d8e6faf300ca1c0c67ab425c6b4cb8caccd39cb98f8bc25f5f33941b3c44983f5dffe0ace03cc908235ddf9e66477751b3711 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 91b3615718af6633c9996dd1750857fc |
| SHA1 | f6ec963be50ad020ff16caad40a532a8cac51422 |
| SHA256 | 073f86ea7b76e47c3071b44095869a5f051f67ee0e7100ee5051b493e58c6021 |
| SHA512 | 1306546c931bde9a453b66d38853d338db7e4dc40154623503bb7771fff6fbf08aad3d3b95a6599be99c81cdb7fc7c3bd680a93293d970c57b867784524df68d |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | fba2866d974fad9ffb1d5ade3a861958 |
| SHA1 | bd6bd25881ad9e3993912e8da7ef324d1fd9bfb2 |
| SHA256 | ad16b6cfd0271515ce784baf4cd18dd387961a366c4be0c503852489f9aa6cff |
| SHA512 | aa551c36ad56518c74cc44b5207dc6edaef259bce328be0ccbe0eb351873995bbaca7ecc0168124cec2c8376c874dbb17aae0515fcbd1042e069a4a29d49d463 |
C:\Users\Admin\AppData\Local\Temp\nsj900C.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | e21cdf8762533e331940e16c5ccf0f9c |
| SHA1 | 14793d011e19af1e05b5166d7598db9fa60430ac |
| SHA256 | 3c605a382b49a8b953480c083423ed1c60b602f602665862a6d7bb4748b06870 |
| SHA512 | 23f8edf6f608b56a15f42ea5f03ef194d799de262a10ab99cc5c18c096a56d840abd3f491408601c35c948b5c3ec864c5d2970b0bdaac6b9eb69be7c7e8a3ad0 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 358819c479c6210d2009cc7c9c51119c |
| SHA1 | b1c00d0d2404dc937cace084e1e7948d180f09e1 |
| SHA256 | b371d7e1e1290b170437b32610cd219f868f8c8449d25dc14013049c99dd0eea |
| SHA512 | a7b20e9f292c0a86cdce373e84e7b22aff9da75d9e2a84bb44dc8da7914c6a18cb7a12a126461b10405c8e5cd43347a75cd1a640baeb8ca87b6378a381ba7c71 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | b427560697c9d02c5571dd59780f3262 |
| SHA1 | 5e4edab649c24105ae43571b9dc61989b0a8d2e1 |
| SHA256 | 4d1d05c2b0d68e14ee49edb1d63b7b731d20dbeb14d1c365c1851d899b25f3a5 |
| SHA512 | eec2da5da9881a87bc539d5caa6cb62e4009d10551585945038a07036f4f5094473f7ae5b00f365206f8de6b80ffe8712bc303c176dc5d72fca25b18efd5b250 |
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | d0ab4a4863934bd7fa63eb3e9a3ef185 |
| SHA1 | 4a536fc101321511ae05c6e2a68d7b202df91130 |
| SHA256 | df149017f93525b78296ee42191be6ea6d6ee8cb2f15d95cb72c1692a71b1305 |
| SHA512 | aa03ffcd60398d315f1724d81cdf2a86cae966e757b749c2022ad4755b57b19fe8b84d19abcc45bf13d08bad49801ce848153700a9bf36f196d3ab4f6e4589f8 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 3bb95d2e5ed1979fbd073f6614439f93 |
| SHA1 | 6361efb464b4f9035586cde1cd065cae28e30d38 |
| SHA256 | f5419bf16ba1d11ba67715e3bc3b80533212a9686236a86494c9d12e22a358ba |
| SHA512 | c0ee338900b0d3d92705804f03675cd4bb36b3d60827d7b72f9eb7afc34f7dad5a42f85007ce4332a0e271625a8bda1997e837b66a844a67e78ab09888ab9ba4 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 0762eb59b048af6f4c844cc7bd6c141f |
| SHA1 | 27ba3c76db77f5106bbff9bea305cd5e55493b60 |
| SHA256 | 0dda68ac17ec559d74bba2fb6d7b9261bb34bba4a1b9341768892d0f09f41e5d |
| SHA512 | 368319c430d2d92a20a0891503076237bf4987c26780c06bb0ed3e309e5f8d8562783842b9cd1bb7e78e0b90d5090a7c3f3e58d5ec5e5d7885f5bac515ebc0a1 |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | b2d1b5222c4bca2673b979b4db97abe9 |
| SHA1 | a2df94645c8c84bcb5b2248c6092ccae259e52b0 |
| SHA256 | aea2a90f7fdb16b6348b00b2a9a42f0f325c6d611979cd5e7d71ebb813acc2bf |
| SHA512 | a12e3c4fc3898c32ae30ebb192519e4611b4de3f44dea000d76b16c37a753e4570ce45f3d9455f81525e86d89ff174218efe6eda9263b5259b4fdbf27946b625 |
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
| MD5 | 7fcffd1b80ff3e09023b3bbfc2c553f5 |
| SHA1 | 2cea15cacf42f558e73bc664e0157219eae3d8fb |
| SHA256 | ce1886174191df78839e516e68d0f182306e7d85c65f63c0ff9be6ef3c090bc4 |
| SHA512 | 223d47834ee232d59cd46295d394326873e19e31f14c1bd5a417cea73f4d01c9c2626f4ce03869642b805db82e3e556b87874cab6cb7656ddf4901c6071fb6bc |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | 0f004afcc5dea0aa2307a0b52e9dc929 |
| SHA1 | dc284a126de760d8c67d034fc48a073cc91d999f |
| SHA256 | 046ffc54daa9ea2081f77546bf5d4ea8ef9b10253f672d0e48cf7097069783a1 |
| SHA512 | b771b3b58f7ac9bbccb5bd84e2bcb7936ed055acd3ee51bb62d9bf540c31003c4e43984fd9ce6bb23683ac61a38a01b05ca52d1efcf24f261ed51df01e862d18 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 53da6a223e72d07be846e3be301f1539 |
| SHA1 | 3bce9eb7c2aa94c99d7d71cd029207b3d0b3c6df |
| SHA256 | 1261a6d2f249611a241140fabfc845b42887d9adcbd6bd7a7029e3f74b00f192 |
| SHA512 | 1ba358478da4f63f269e724b39e991a0ed9917ba99ec8097b6b3976fee54123137adaa9b39d8b3048836e13066d584c704b17cc051a9dc313aec094f3d394b6c |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | add28c048a423ae41055610da76a3503 |
| SHA1 | 08dd97d5d86565a9bfa5a591ecb5d850aa5847ac |
| SHA256 | 1114fa5879383f2be5f0837e8f95d5eb5b0e6104d646a5a09a5869531f018238 |
| SHA512 | 965801db96346b75e874faf5c9c52b9d27c73b23cc2b36151715d83700d8e427202c5b96e7550fb78c0a2140df5b7ed46e87af1454b4a187b93b0bcdc04d6c3d |
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
| MD5 | 1b4677c02e09d6a51f20f1461c08b6eb |
| SHA1 | e2be17f0191ab166f3119a4272987451d1b49286 |
| SHA256 | 48caf267b73db9788c319e05325a9b107f1e45fe6d7140df91359e890a9c63a7 |
| SHA512 | b88e8fdc3f22c1be692fde1ff9e738819459889fc2a62174b0bece3f671f21b671dd468e6310304782750992636d24aa06183fd2f512b9b01f76646306f711f0 |
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
| MD5 | 4038beac7ab20d77f43c72adc1526174 |
| SHA1 | 162fcc586b41500b2521b4dbba2879009145a27a |
| SHA256 | 19b0946cf06f5236b05308ed4f1f79fa7fb698cf24e43196554d1e3fc42e419e |
| SHA512 | 6eed065dc49d9394a78f5a719e2a53c034b676dae3f4b116c16e580b32566447477349a8caf7377630c2295e264f2b170e0ab205d7ba9c4ade94eb6d57614e7e |
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
| MD5 | a90c58ac9c8c5e4e9dfc2bb860b5d08b |
| SHA1 | a3902054b5cfd22127062a872e9e57efe5d206e0 |
| SHA256 | aa84d7d50aa7c959603414f2d18932eef7cc36f5b13583b5915c588b441052cf |
| SHA512 | db8ffb5bd47d71eda0b18a39da936376592e9e719ae7d8ab94248b3823e1131c57e724de7e7110c6632b1954e6c1f443089a3fddb5de125b7c997096a45d6319 |
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
| MD5 | 0a3f4465bc792921a8f384d4f252dad1 |
| SHA1 | 5c72f029c0093086dd0645309df79cdee33d7942 |
| SHA256 | bccace8eb6240dc1f6f75b188bac45d304bbdde638d98214fe21e9d167018efe |
| SHA512 | 6663564c3ddab95a1754e3525f50607ac093f1753b3ae7fe04706cb3466b591d29848777f06c95cb1eebab72e6ce4bbcfa997e9d83a506d5fba591f203e89ddd |
C:\Users\Admin\AppData\Local\Temp\nsn99D1.tmp
| MD5 | 8d457a930ac3f2f1e362ecd765cdf5d4 |
| SHA1 | 60f5afd859216362cf1d6735276f15da434af428 |
| SHA256 | 211ba0e98e7085c759c4cfee60a65b4cf1e56234c457ff87df7395d30a84ee82 |
| SHA512 | d3c81c167992bdf808e54309bbc84a9a582bfc51baa3f92f83d24149b3a8fffbd85e3eac3e45cdcb8cb1797186781cd29c0405fd66fef2e307aaa98f1d7f59e3 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
| MD5 | 7f0cddd8f7952920ab647450603a7433 |
| SHA1 | f8b305a25080eddf40ac219f4d19edaaf7c7f6d1 |
| SHA256 | 8e9d26d55f77559e8b21b293581be092b019a0bc7c33795d9c9e89cd7830365e |
| SHA512 | 9e0b0e759ff311ee934302926b940761c954934a00a12e001319bb2cd2e8167e4ed869e44296dc04616ddd13dd2ffd4ac2570bf926c5b6d2f49a2989a802d247 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | a6fef0562abecca0d7b3567825ae5b99 |
| SHA1 | 2fa30153197cf09fd9bc36a26c062ee69644be2d |
| SHA256 | dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b |
| SHA512 | 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 784b367f202683574645c90f3780e7b1 |
| SHA1 | e2b667b362ab32875bc2d0f4b60ce4ab6c895d47 |
| SHA256 | cf8ffb58e2bd37fd98434cfcca2c99186ebb41e7cca123f1188293634e506c4e |