amadey | cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8dce9705c0c4c3f6175d0ac758a7aaad.exe
Size

791KB
MD5

8dce9705c0c4c3f6175d0ac758a7aaad
SHA1

6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b
SHA256

cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea
SHA512

f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731
SSDEEP

12288:qiX3xOEm6Yc4aWfAPDnHo7YNQn2YcKify3ieduiDtGnSr3/35elActMblmZunnh:qEmeDnIwQ2siK3PftGnQ3v0lAca0unn

Score

10^/10

amadey lumma redline risepro xmrig zgrat 2024 @oleh_ps @pixelscloud @rlreborn cloud tg: @fatherofcarders)discovery evasion infostealer miner persistence rat spyware stealer trojan

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

amadey

http://185.215.113.68

Attributes

strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

lumma

https://braidfadefriendklypk.site/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 8 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4624-83-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
behavioral2/memory/1032-291-0x0000000000400000-0x0000000000592000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4624-83-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe	family_redline
behavioral2/memory/960-108-0x0000000000F40000-0x0000000000F92000-memory.dmp	family_redline
behavioral2/memory/2532-234-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral2/memory/4360-257-0x00000000049D0000-0x0000000004A0E000-memory.dmp	family_redline
behavioral2/memory/4360-251-0x00000000022C0000-0x0000000002302000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 14 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1952-155-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-156-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-158-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-161-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-210-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-262-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-254-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-249-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-242-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-267-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-182-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-178-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-166-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral2/memory/1952-162-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

30 1572 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
30	1572	rundll32.exe

.NET Reactor proctector 20 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/2380-157-0x0000000005070000-0x000000000521C000-memory.dmp	net_reactor
behavioral2/memory/2380-160-0x0000000004EB0000-0x000000000505C000-memory.dmp	net_reactor
behavioral2/memory/2380-165-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-181-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-230-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-241-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-247-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-253-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/4788-255-0x00000000031B0000-0x00000000051B0000-memory.dmp	net_reactor
behavioral2/memory/2380-259-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-215-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-212-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-207-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-265-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-270-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-201-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-177-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-274-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/2380-277-0x0000000004EB0000-0x0000000005055000-memory.dmp	net_reactor
behavioral2/memory/1032-291-0x0000000000400000-0x0000000000592000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Logs.exemoto.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Logs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Logs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exeRegAsm.exe8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.exeRegAsm.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	8dce9705c0c4c3f6175d0ac758a7aaad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	RegAsm.exe

Executes dropped EXE 27 IoCs

Processes:

explorhe.exestan.exemoto.execrypted.exe2024.exeLogs.exealex.exerdx1122.exeleg221.exeRegAsm.exeqemu-ga.exeolehps.exeMRK.exeInstallSetup7.exetoolspub1.exeBroomSetup.exeinstalls.exe31839b57a4f11171d6abc8bbc4451ee4.exerty25.exeFirstZ.exefsdfsfsfs.exesadsadsadsa.exensxD89F.tmpexplorhe.exereakuqnanrkn.exeexplorhe.exe

pid	process
4656	explorhe.exe
1584	stan.exe
3200	moto.exe
3136	crypted.exe
960	2024.exe
2792	Logs.exe
2380	alex.exe
4788	rdx1122.exe
4360	leg221.exe
620	RegAsm.exe
4512	qemu-ga.exe
5036	olehps.exe
2792	Logs.exe
3372	MRK.exe
4040	InstallSetup7.exe
2576	toolspub1.exe
4616	BroomSetup.exe
4064	installs.exe
4992	31839b57a4f11171d6abc8bbc4451ee4.exe
4556	rty25.exe
5332	FirstZ.exe
5364	fsdfsfsfs.exe
5692	sadsadsadsa.exe
5800	nsxD89F.tmp
5388	explorhe.exe
4812	reakuqnanrkn.exe
6056	explorhe.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exeInstallSetup7.exe

pid process

1572 rundll32.exe
4040 InstallSetup7.exe
4040 InstallSetup7.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1572	rundll32.exe
4040	InstallSetup7.exe
4040	InstallSetup7.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000609001\\stan.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

75 pastebin.com
76 pastebin.com

flow	ioc
75	pastebin.com
76	pastebin.com

Drops file in System32 directory 4 IoCs

Processes:

powershell.exereakuqnanrkn.exeFirstZ.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 28 IoCs

Processes:

stan.exeexplorhe.exe

pid	process
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe
1584	stan.exe
4656	explorhe.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

crypted.exeLogs.exerdx1122.exealex.exefsdfsfsfs.exeMRK.exereakuqnanrkn.exe

description	pid	process	target process
PID 3136 set thread context of 4624	3136	crypted.exe	RegAsm.exe
PID 2792 set thread context of 3836	2792	Logs.exe	conhost.exe
PID 2792 set thread context of 1952	2792	Logs.exe	conhost.exe
PID 4788 set thread context of 2532	4788	rdx1122.exe	RegAsm.exe
PID 2380 set thread context of 1032	2380	alex.exe	RegAsm.exe
PID 5364 set thread context of 6044	5364	fsdfsfsfs.exe	RegAsm.exe
PID 3372 set thread context of 728	3372	MRK.exe	RegAsm.exe
PID 4812 set thread context of 3208	4812	reakuqnanrkn.exe	conhost.exe
PID 4812 set thread context of 5812	4812	reakuqnanrkn.exe	explorer.exe

Launches sc.exe 18 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
2772	sc.exe
5436	sc.exe
3344	sc.exe
5380	sc.exe
3664	sc.exe
5084	sc.exe
2664	sc.exe
5188	sc.exe
1488	sc.exe
5072	sc.exe
768	sc.exe
116	sc.exe
3312	sc.exe
332	sc.exe
5732	sc.exe
4944	sc.exe
4172	sc.exe
4508	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 7 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
5348	2576	WerFault.exe	toolspub1.exe
5620	4992	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6128	5800	WerFault.exe	nsxD89F.tmp
6140	4992	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5412	6044	WerFault.exe	RegAsm.exe
5604	4064	WerFault.exe	installs.exe
5740	728	WerFault.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3552 schtasks.exe
5724 schtasks.exe

pid	process
3552	schtasks.exe
5724	schtasks.exe

Modifies data under HKEY_USERS 50 IoCs

Processes:

powershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\ROOT	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

moto.exeLogs.exeRegAsm.execonhost.exeleg221.exetoolspub1.exe2024.exeRegAsm.exeolehps.exe

pid	process
3200	moto.exe
3200	moto.exe
3200	moto.exe
3200	moto.exe
3200	moto.exe
2792	Logs.exe
2792	Logs.exe
4624	RegAsm.exe
4624	RegAsm.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
4360	leg221.exe
4360	leg221.exe
1952	conhost.exe
1952	conhost.exe
2576	toolspub1.exe
2576	toolspub1.exe
1952	conhost.exe
1952	conhost.exe
960	2024.exe
960	2024.exe
2532	RegAsm.exe
2532	RegAsm.exe
1952	conhost.exe
1952	conhost.exe
960	2024.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
2792	Logs.exe
2792	Logs.exe
1952	conhost.exe
1952	conhost.exe
1952	conhost.exe
5036	olehps.exe
5036	olehps.exe
5036	olehps.exe
5036	olehps.exe
5036	olehps.exe
5036	olehps.exe
1952	conhost.exe
1952	conhost.exe
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe
2532	RegAsm.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656

pid	process
656
656

Suspicious use of AdjustPrivilegeToken 30 IoCs

Processes:

alex.execonhost.exeRegAsm.exeleg221.exeMRK.exe2024.exeRegAsm.exeLogs.exeolehps.exesadsadsadsa.exeRegAsm.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2380	alex.exe
Token: SeLockMemoryPrivilege	1952	conhost.exe
Token: SeDebugPrivilege	4624	RegAsm.exe
Token: SeDebugPrivilege	4360	leg221.exe
Token: SeDebugPrivilege	3372	MRK.exe
Token: SeDebugPrivilege	960	2024.exe
Token: SeDebugPrivilege	2532	RegAsm.exe
Token: SeDebugPrivilege	2792	Logs.exe
Token: SeDebugPrivilege	5036	olehps.exe
Token: SeDebugPrivilege	5692	sadsadsadsa.exe
Token: SeDebugPrivilege	1032	RegAsm.exe
Token: SeDebugPrivilege	5400	powershell.exe
Token: SeShutdownPrivilege	3340	powercfg.exe
Token: SeCreatePagefilePrivilege	3340	powercfg.exe
Token: SeShutdownPrivilege	2252	powercfg.exe
Token: SeCreatePagefilePrivilege	2252	powercfg.exe
Token: SeShutdownPrivilege	5580	powercfg.exe
Token: SeCreatePagefilePrivilege	5580	powercfg.exe
Token: SeShutdownPrivilege	4144	powercfg.exe
Token: SeCreatePagefilePrivilege	4144	powercfg.exe
Token: SeDebugPrivilege	3536	powershell.exe
Token: SeShutdownPrivilege	5848	powercfg.exe
Token: SeCreatePagefilePrivilege	5848	powercfg.exe
Token: SeShutdownPrivilege	5980	powercfg.exe
Token: SeCreatePagefilePrivilege	5980	powercfg.exe
Token: SeShutdownPrivilege	6016	powercfg.exe
Token: SeCreatePagefilePrivilege	6016	powercfg.exe
Token: SeShutdownPrivilege	6116	powercfg.exe
Token: SeCreatePagefilePrivilege	6116	powercfg.exe
Token: SeLockMemoryPrivilege	5812	explorer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exe

pid process

4484 8dce9705c0c4c3f6175d0ac758a7aaad.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.exestan.exeBroomSetup.exeexplorhe.exeexplorhe.exe

pid process

4484 8dce9705c0c4c3f6175d0ac758a7aaad.exe
4656 explorhe.exe
1584 stan.exe
4616 BroomSetup.exe
5388 explorhe.exe
6056 explorhe.exe

pid	process
4484	8dce9705c0c4c3f6175d0ac758a7aaad.exe

pid	process
4484	8dce9705c0c4c3f6175d0ac758a7aaad.exe
4656	explorhe.exe
1584	stan.exe
4616	BroomSetup.exe
5388	explorhe.exe
6056	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8dce9705c0c4c3f6175d0ac758a7aaad.exeexplorhe.execrypted.execmd.exeLogs.exerdx1122.exe

description	pid	process	target process
PID 4484 wrote to memory of 4656	4484	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 4484 wrote to memory of 4656	4484	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 4484 wrote to memory of 4656	4484	8dce9705c0c4c3f6175d0ac758a7aaad.exe	explorhe.exe
PID 4656 wrote to memory of 3552	4656	explorhe.exe	schtasks.exe
PID 4656 wrote to memory of 3552	4656	explorhe.exe	schtasks.exe
PID 4656 wrote to memory of 3552	4656	explorhe.exe	schtasks.exe
PID 4656 wrote to memory of 1584	4656	explorhe.exe	stan.exe
PID 4656 wrote to memory of 1584	4656	explorhe.exe	stan.exe
PID 4656 wrote to memory of 1584	4656	explorhe.exe	stan.exe
PID 4656 wrote to memory of 3200	4656	explorhe.exe	moto.exe
PID 4656 wrote to memory of 3200	4656	explorhe.exe	moto.exe
PID 4656 wrote to memory of 3136	4656	explorhe.exe	crypted.exe
PID 4656 wrote to memory of 3136	4656	explorhe.exe	crypted.exe
PID 4656 wrote to memory of 3136	4656	explorhe.exe	crypted.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 3136 wrote to memory of 4624	3136	crypted.exe	RegAsm.exe
PID 4656 wrote to memory of 960	4656	explorhe.exe	2024.exe
PID 4656 wrote to memory of 960	4656	explorhe.exe	2024.exe
PID 4656 wrote to memory of 960	4656	explorhe.exe	2024.exe
PID 1016 wrote to memory of 2752	1016	cmd.exe	choice.exe
PID 1016 wrote to memory of 2752	1016	cmd.exe	choice.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 3836	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 4656 wrote to memory of 2380	4656	explorhe.exe	alex.exe
PID 4656 wrote to memory of 2380	4656	explorhe.exe	alex.exe
PID 4656 wrote to memory of 2380	4656	explorhe.exe	alex.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 4656 wrote to memory of 4788	4656	explorhe.exe	rdx1122.exe
PID 4656 wrote to memory of 4788	4656	explorhe.exe	rdx1122.exe
PID 4656 wrote to memory of 4788	4656	explorhe.exe	rdx1122.exe
PID 2792 wrote to memory of 1952	2792	Logs.exe	conhost.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4788 wrote to memory of 2532	4788	rdx1122.exe	RegAsm.exe
PID 4656 wrote to memory of 4360	4656	explorhe.exe	leg221.exe
PID 4656 wrote to memory of 4360	4656	explorhe.exe	leg221.exe

C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe
"C:\Users\Admin\AppData\Local\Temp\8dce9705c0c4c3f6175d0ac758a7aaad.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:3552

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1584

C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3200

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:3344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:2752

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:5072

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:768

C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
5⤵
- Executes dropped EXE
PID:4512

C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:1844

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:5460

C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe"
3⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4040

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
6⤵
PID:6024

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4488

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
7⤵
- Creates scheduled task(s)
PID:5724

C:\Users\Admin\AppData\Local\Temp\nsxD89F.tmp
C:\Users\Admin\AppData\Local\Temp\nsxD89F.tmp
5⤵
- Executes dropped EXE
PID:5800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5800 -s 288
6⤵
- Program crash
PID:6128

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 348
5⤵
- Program crash
PID:5348

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
PID:4992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 372
5⤵
- Program crash
PID:5620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4992 -s 388
5⤵
- Program crash
PID:6140

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5332

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
PID:2772

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:3664

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5580

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Launches sc.exe
PID:5084

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:116

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4144

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3340

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:2664

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5380

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:3312

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:332

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:5188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:5956

C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4464

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 728 -s 1216
5⤵
- Program crash
PID:5740

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
PID:620

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1572

C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe"
3⤵
- Executes dropped EXE
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 1116
4⤵
- Program crash
PID:5604

C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:6044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6044 -s 972
5⤵
- Program crash
PID:5412

C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
PID:2792

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3836

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2576 -ip 2576
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4992 -ip 4992
1⤵
PID:5412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5800 -ip 5800
1⤵
PID:5912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4992 -ip 4992
1⤵
PID:5980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6044 -ip 6044
1⤵
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4992 -ip 4992
1⤵
PID:5020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 6044 -ip 6044
1⤵
PID:5284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4064 -ip 4064
1⤵
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 728 -ip 728
1⤵
PID:5680

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5388

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:4812

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:4092

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:1488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4172

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:3208

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6016

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5980

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:5392

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
1⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
343KB

MD5
a7400185a6083fe2700284b266022a1d

SHA1
c69b74df3a318041f9f965f19f419fbb35644ba4

SHA256
b24a2209f804c1160bb84c6c8e866037055fbe6fe6b2bb0bd03260b3cb25390b

SHA512
fdc1c1eb7861f6e353cf39eefc3ae2803b1f0d232258ee99836f16431dd31fbf4ba833fae2852e2bd55c36acc49a2b80c5c4cd7970c16a54ca8fbbcb246bb423

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
297KB

MD5
a477947a60509bf0e9cec4f0920f7cc4

SHA1
bcf54636d030cf2bf3e0f2feabd07549936a9d1a

SHA256
4cbde0abe1f013a5fe2538168ab205e6a919c2dd3290522b54fe913ca43a4146

SHA512
d0dc1f2320c19ebae5fa157c90194562e973175e39f6764c6e86f59f52639e48abbd7ac468dcf4d3889c4145954371802b36513e5d585629acb5db58f71cd296

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
1.9MB

MD5
e633b2e2746d64062aa2a3ea77d56af0

SHA1
bf4a2dc6cc89515d9e3eb963c5ccf54142eeb5dc

SHA256
a6a22cc08394d7a40bf2321e7584b1748158e2e3994bf8e2ac013309b8714f73

SHA512
97e99ecee6e77a6f489ac30aa1fadc671540ccb06e69cd314531fae60053180f03f93c70f9fe63179a46420cced500289fb4fa483eea94eb172ee1a7900cc237

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
1.0MB

MD5
d95e479f0b7200b4302bd0172376aecb

SHA1
4330eb7cf08883af675d4f8838281e14e406e773

SHA256
aaddb9139556d50de1efdedc30866b6d6e6d2705d731096748befed83e8910f7

SHA512
40478755de43018da6a4900d39ae398300c57599cd5e7d5f5ff19212306253706aa3928398b8204de5097e6a204d99126ba19b3db0a43325aba8f8b9ad61d509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1305705ab4eb7a8ff5a73874670d91f4

SHA1
a118cf0ba2d4ac47473b9140c0aa7745efc6aac7

SHA256
d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b

SHA512
27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
680KB

MD5
3f65edd1e57395311234bf540f50c796

SHA1
3fa11b85db0ac67ef02848435267081339c0836d

SHA256
923c733c3e1a84719ce9aa0db33b8b628dd066dd152bc0c1459f2c3eb2f000fd

SHA512
a5c2ded4c158f28c39707953c664212ebf3d1ab1f2c38344f1fb17b990e11dd64a975c09a1f8738df2438884a2c31c92a8abd6c204135ccc492af6950e5666e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
364KB

MD5
0a5e53025cb4d370f538cb86af37a0e4

SHA1
d0faf00075e104aa9b1b6a94f0949ea16095f362

SHA256
c6feed45ac9b3827e1a9a1bb479d611040207364b08c21ff7865aad627b0062c

SHA512
52b946cd8d59f2e1679b02f2bf6d3616c408da7de12f016ffdc14435b99af6cc630e5388b58f3378c3a6e1a2ac97419f89e427298d1027985b5ffb4939a47de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe
Filesize
842KB

MD5
5e7aee781ee96f685c07f0185ba22c26

SHA1
46b65b87410f15f6f60a46bc592301e2ed139402

SHA256
3cd5ee709929bd897500a26f8d31f81d8fcedd1945d912efc84e3ee1323e3ccb

SHA512
f973df678bdc5fe3d1c3291ddbb45fb0ac3c01459807ec64c3b411523bea86303de8ee1ae92b850f15c2ba435592242ead67360dca140e824954c981acb4a356

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
287KB

MD5
df9a2423424a2fdb8a5c9e1401e47ca8

SHA1
ea16e6ff98a73a6aee9ba8c7724243a4f61cba4d

SHA256
0c8fb5b0ee0810622464785b50f068ab20ffd071e57e4c95cea3df267f08be4e

SHA512
aeaee0cb0086ff6aecd6c63c285a78f4abfb074fcec14f429cf30b0489f89d442f9024128868c0101fb67a46faf536c66c71f60b7e998761b143b9d374462e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
938KB

MD5
052e44d57c51b49a36edc466d906c5ef

SHA1
b22a2d5c24a45ca0362029e24d9daeb990647ebd

SHA256
0471322d50a2dae3cb92aff99641024807df669a3a9c9a96ad07dcffbd5f7553

SHA512
6cd39b0ff9d31d213eb318e9ce7597190d667c5861634f92389526438b77d886559491a34fe1a22644fd2ec21c956268fe34484488361a0ff6aff9705d527c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000639001\moto.exe
Filesize
1010KB

MD5
9e494b59ad4cb08a461023dcae65c98a

SHA1
3031c66b8c55ae729547a26e57386b9524012e47

SHA256
d341ee4a2c59f3c65df692668c922c55e4509d575c3ec65dc8e79d1db31bbe49

SHA512
48ecb251ac51af0c5aae9ec933a9a8a44781a62ed68938e3c868c51dd56d037ee869b198ee08d9466b932e7ecac999fa2c7c6d939e5f1c67b3ddb1a54941800b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000640001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000641001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
153KB

MD5
9d07dfd0589e5786bb391df6041dc096

SHA1
cb3e9923f1cdd65b041ead34d15d1573390d081a

SHA256
5b05d1a7d742137def6309fc0c4cda96209ba14369d727e8e00bf8cf98b44fcb

SHA512
fb97af89db4578204da044540c677378f35b9e55e9f73171a9c194db309996065428bbeed987c46f25f607b6affe2d1c35c22d72f3dc03421d1b706e9c638a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
660KB

MD5
e97e3f48f8b75845d7cd5afa246bbc59

SHA1
002f6c64d1641af0f56d81049568bc4ec6c59b47

SHA256
64fc6bd950253e2b3241430623568846a64c0e8f1f4eb56edfa8df2af0942ea3

SHA512
3616b9555819409450409e4f41994f13114a1df472d8007a460fe2c27ce0ba9c01e5076af1c240644877e9a1483326610bd30b5a32a9cadf91f204f837161b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000642001\alex.exe
Filesize
562KB

MD5
6bc0a47b3d6fef1a6d8e24349356a676

SHA1
230e6ce5a707117f8768cabacb4badfc5dfc681c

SHA256
923ceea0206384cd42bcefce18649af2124fe8a452f7b09c188eebae8e2a2195

SHA512
cf782d61aced1320e8cc8475f755aaf7130bddea0e1ca77d7ab3612dbc7aeb540ac57004e56ba726f2a8ad6ad8d0211f545fbc547bf8222a4ee8979d1ea2d3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
329KB

MD5
927fa2810d057f5b7740f9fd3d0af3c9

SHA1
b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8

SHA256
9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9

SHA512
54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000643001\rdx1122.exe
Filesize
36KB

MD5
c29b16281e627e7f0181746a3312a243

SHA1
ab3e58430056d1cd791164b9f2efbaddbec80c71

SHA256
9c754e084fe537801524b5b26f60289854b8babaa577c71477ac76fb4eae67d2

SHA512
062e51cbc0cd6621a92c378e839155431e70cb5b40f46870134ce9de12ccdf7609bcec65fd8c211f8536055233f626e427687efb21b94d892075e980a45779af

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000644001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
42KB

MD5
86ac6093a3956f3a5fc7d2e71270c1a5

SHA1
c373a2e511bc5393837039fd04ae3bdfa2115728

SHA256
b3d80cb48056352afd4bd082412085c08161ada497c5989c26f02c60a66b2cef

SHA512
4f5ab051af2ece31d20201ed6d56eb69d607994d1d47889b1424fdd56c4f1c7a9cbfa03dd7465fe2e8bc9005dfa7eec8d4964637185e0a9cf650625fd54d8dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
315KB

MD5
9bc23a4f6bf6010dc69e18b7ee6b663c

SHA1
4d8dcef54751326bfff562101a8e3aac4ca3d952

SHA256
594278375bc400a3c04ac5cbd51e2543ba718669db868269fac18d7f910a7b77

SHA512
e137b27a1ef41c1a90ea22fbb4f51732d89a3d9d3e96fd9789c76cba4432acf6b91872f2b658c49cf2eeb6dd7fa1e4b7f5954e0309c74e5b4e5c165d23b646f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000645001\latestrocki.exe
Filesize
181KB

MD5
8371ac25c2dcb0ec78ca2b75397818ad

SHA1
28498697b5d7cc5903e1dd4ee8186bc8cc112997

SHA256
e9d61c2e80650b8ce56b20fb5656a29353fe4ff6c4e75c2bcd0fcd6eacc543c5

SHA512
0973aa37b34ef5981964c99c250b02adf38b6dcb58e344e82c5a415e83801e3b566fa1cb9600691914d64dbeca115df17e786613dd8f4f16c4f5452c3c8b5b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
29KB

MD5
7ba659fd15731e335aefa5c04f91456b

SHA1
5b2ef748c9d8c671f341ececcfcd6c641f07e678

SHA256
b95717d574e151d0b58712c12da73649a1e82d3e235c3fc3a1c73b625b15156c

SHA512
fbe86eea7ff2834795aeffd93f20a8057967f697bf3d1e63a334bac8ee050867efc4b3e755733b9c49892ec6de55971943ca6f009a715322b26a289d35447481

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
245KB

MD5
9e211ead33bf39227f0f15403ef9db93

SHA1
50135b963c5c14cc1f131e94648f3e0d44b8926e

SHA256
83ece9fb6cc1156cb0b279a647855dcb107c0106fc5e8c56f41027c9a61acd31

SHA512
0f791cd01ae73f70c11b4bf7bdaa27c8f7eaa2fc6a88b1aca466f27577d37dcc25f35a7d3e8a0877069197d5a1efcf935aa9e22d5ace961c8ad29c397f6f322c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000646001\MRK.exe
Filesize
297KB

MD5
d51cdcceb12bbdefe5dcf00490c2fd08

SHA1
256c77fceccc53ca23a79458eb87967e0ac830ed

SHA256
318a6f1087074886c5efbe1b18096b24f16b5fd743ef2168caf752ccb34bffe6

SHA512
1a66fa3fb163106ab0591949db14566b8e30327d2605efc18560f5f0457276f8d813edce637aaf65f0ad69acfadd6a9bd32c9ae59a86f54b839cec348181cf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
125KB

MD5
febd9774fa6a215a58f0836af795071c

SHA1
5c14fbe407f812f4c2cf49a57fa2fdcac24421aa

SHA256
d7fc2135c5c30f06bc63f5a3d7406622e20057276ee283c0f8efe9348075caab

SHA512
fe6f570703e5013cfa2449af5a386d96a20a5f633532c34bdb88694eb9dbcfbd33d3c56fe8ff19b435901d5c245ab196a9eadbe46a50a4a03c3591e480d3c779

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
165KB

MD5
6b291786f5a0e71ac6348b0f7659ef8d

SHA1
6fa863809a86984ac4aa45edc07d8a0a769df824

SHA256
a191a8c5e80b0e7372173292f0ce8caf321290d294bb317f1e9d5ac3229f1580

SHA512
9a52b93336225f71495de3f07a8c17ca5578578106ba5649434c70846fddaa43973877e2a9287267601713b46f0585a12ae0d5e2dcfc355fe4ac51d98c5576a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000647001\installs.exe
Filesize
57KB

MD5
949fd6cab6e7bb9991ca8f8b60737861

SHA1
4a12a62728aea7bc0d2bdb15a45bb3b058f35c9e

SHA256
10e6a669d7eac7eb8a28561fb773c257645bdf1dfd9937e84d4cd8a4af99a158

SHA512
19c5a1432493239342bd2ca9f19848c048bc7202af7045e2dcd4973269717e13e9d0476433406396b942abc94727873b8d3326d9eed0779c130a6ebfcad7d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
89KB

MD5
4161306b9ffbe764ee29de7b3924f15f

SHA1
274c032365a8d32b7b31b27770aadfc08e6f6faa

SHA256
cd9964c5938a5530bd0a70f2ade335ee622d25866b49683d39cd49e8f8526cff

SHA512
9dfcc94f72801690b885642b6f5fe605c56f1d0188263c1b2e43e16ba38b49f8d6de6efa06341adccb83aafe02a701a956c74aab9a6f44929ec508f9137be543

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
211KB

MD5
15050a1538035bace6a7820269a4e01a

SHA1
0c6b0c00a367641de72ee90aa96116674f2124a5

SHA256
9f0d0f45e14636c79306c9d7125dbec2a7d43077e7fbfc8bf5c6146c5d59f2a4

SHA512
d6bb6b760f1e638ce8c271a787b81b30bcf83660efa0308bdc6f0dd5b93461937a98689eb8057d70757251c835a79dc2ed97835d3d2faafcd035d14456abd92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000648001\fsdfsfsfs.exe
Filesize
229KB

MD5
b27586c8b590a58f0004fdda5ee264c2

SHA1
953717925198fbac02e8a699725032743bbb8bd2

SHA256
4319e4c8152d0c4e2da5f821d77a0b2083a6acd97551c94f79ce8eb7a462a290

SHA512
52d698497377e8b319acca214d285611ca6b5b00f8fb911df339569cf0a816d7ed4a45da61a19fb3e72c9cd63810188d451a0776e56b8a1cdbec42ea4969eb44

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000649001\sadsadsadsa.exe
Filesize
146KB

MD5
5747f4626d655f5f8bdd1528cdb8b192

SHA1
12fa9ec7d13577e505b3787a586d082e98289cb4

SHA256
3d1f033ef29e6b45007481e50a8a70ee28fbdb6ff96c7fa144f00fc9b54883bb

SHA512
81dbc530371f79189ec0f273702376f7f1ff296a56adf6873213cb9736f9f7da8b5f1b5ad4d628199498d36e3e9703771bc77711f7daed1ef3c0ad32fcf9d6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
240KB

MD5
69d16eef8f89a6a0ca6d489cbcfc0445

SHA1
50768153875a764cddf59ad72406664a9d2740f1

SHA256
8848e7cb29436068856eb850284b61b98fe1001d4493f105b6ae8316408c954c

SHA512
2ada53d5f557fe587e0a747e1beba0f27bf386741317ffc7a5f0b1cf1ce14ef2908903df97dd2e401ac54e3422693438481f3210a21bd2929461f9c0c961241a

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
233KB

MD5
f1d407dd42c1f74f4a2737f41e03ddf9

SHA1
2245f7990ed4c138f201ba7c82d39999554753fc

SHA256
8a17232a06ca97afc58cba65d1c96593e4bb27ab0e0e30704fadec6ca8b13764

SHA512
fbad29888b8a650effa16e416b17857035d1feac239052f14c98a2e73b3cc43babab2c33bfd9bd12c3d58cffa5a3e93fae982fde409ea65daa5faee1834d9559

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
184KB

MD5
f5fd2b87902f60701de49a635434e285

SHA1
b453d42cce0f107740d4d69532bd8a7d0ef9a0e8

SHA256
6af173cef5b642d990153a28fb27f2eb66b27832a00c6b46e8d4502f0699c7d1

SHA512
5fb74286c00a6983dfe1fe98eeb0f98dd6292ace063537d4aef844c626c14f536b7c04d3e291476ccc2b00b421b97f9dcd1fb6aa8e9469a3a13b66171ad5b592

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
267KB

MD5
0c7fe45bb5de27548dc90f4722e92f44

SHA1
8229dbfc03895e7ab17e7bf4272aeac5d1a5ca0b

SHA256
df5e2dafcd7418689287e063e9bea101ec9c75a42f1995b9f36e5e83fa3ec377

SHA512
6179f0e8e86f5600842b7cd94422a8510c2c6ed770629526c336a84bff5929576267e9613991540fac0a0c457eda5b4fa0e62a61cb5f601665ecbabf4cd87d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
1KB

MD5
416c86010c09fe4b9a27d9254e211a1f

SHA1
ba372d9ad6715848c1cf7692ff1236c212f847ae

SHA256
22085ff3e536acded0f65127d10233a67a17452b49ce05b30d9e50b77d415ff5

SHA512
d26696d353be55d254e2efbf0d8741c9df967c2c42cc4d44b518205685d295747524ffc8ebd9dc46d99965bda6e5d48e209b90c62576398d34694e0ad67130ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
121KB

MD5
81df188319c7963f2be0210511795323

SHA1
13908f70a5b6f3c6e9c601f836601ef8fccc9f69

SHA256
6f84bf50405eb1131d31b5bb62c5b66b6be20668d670ba14dae5dbcbc4550937

SHA512
3a906e1af2ea198c09c330bbbd7865db94c8fa2902da985a5a374a44e8b5b035d3583adc1f7b3f03abadc8982aeca0aed1163423558711534b78b4f8655aa6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
49KB

MD5
2d1de5a0747aa0375092897bb7f73feb

SHA1
2a33bbd9ee06126cb834377cd323485b09c8528a

SHA256
174c1aff178bf1ccaec8f10afdb9b5217a66705e4ba8ecc52346f800a1e83dcf

SHA512
99f8a9d3501a91c5b003f33ee2d0554a878feb7b37ee231eb7dd59987021d5bc1605c866125310050fdadae2f61c4320cc400bd3abcfa3c36c6eae26ee9057cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
101KB

MD5
ab9b3fae181ec624ab18a28d464d8a58

SHA1
ddad0aed41bad715c504d1dc4ea920dc2e557135

SHA256
3b7fb7f644d5aae077b38f99b5a1919cce78de23e8df138899d3bdfef800cb78

SHA512
504d6e799315f4a4919d4141e0af63a07becfc4ccb4a79e9025fae3f5ba75f0951a39d4aa1927c9efb8595e4bbb266553d2373748c83ea58d7e447dd0135ccd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
320KB

MD5
5a66bddcab821a83d8ff7e9b7fe1deb5

SHA1
6c4df8267f5c7e6c14a523e153a427a49bcb93b9

SHA256
0a76c10081736807932b58037ebf2298259083cbb297f95ff7404cea9d6006d5

SHA512
0120484dbc946e2eab52878c363a5aacc04b4f6c5ea9308a4c87fea0a32623ed9275af45a28313ec8572c43dd94a13cc0712ef632637125d0029c505e4b9104d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_k3akpbkm.4k1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
669KB

MD5
766ead3ebbd05dcd03413cd426ef392e

SHA1
047e93441c80643492970311c7147a2953ac322f

SHA256
cf70d91b43f76402955535e6c46322c47377ab08d0421ddea1e23bba29166cb6

SHA512
e16dd8c21c4be1d2155667b92f527ee976077c96586118b9d752b09d3d4ed9472bf9c2d3522504a0f8dc2378faf93cfee58c177fe3272fec4c23eb22a4a97613

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
768KB

MD5
f8d70f6c82c5886cb3703218da97ce17

SHA1
67e745428e089fe96da63380a2ffd909e450c342

SHA256
e3744e511b63b7cd98ea5155071964f239066a6a6fff75c7bedd3ed006638eed

SHA512
8cd620e78385e81f81968636ef59d3eb61e2f331546ee18a35b7a8f21cfc76367ba9bb32069c9fb43e3cd47d768b0575ba49938e79def516814103afaddcc256

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
268KB

MD5
3e76035cf169d46c0f83da54eed211d2

SHA1
3ffbfa7ec0cec42b96c2ac78b3425c2895787ce6

SHA256
5e7c4706b198174bf22f80943579cad60de5d6ea9c2f56064bf8c12f844c627d

SHA512
cdd85fe34da623790441bd09d2f255a86cf2c07a3fd77e7a09fabb645b055dc354d8cf4474159932815a9e31e5aec36af10925625ef34187692bcfa8989840e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
791KB

MD5
8dce9705c0c4c3f6175d0ac758a7aaad

SHA1
6648dc678a7ca05cc9efa72cbc4be49a3e10ee9b

SHA256
cd19c8e9270cc07872c4f7fe6b0b20751bd079ccc8bd35f6362fc4fb7a1f14ea

SHA512
f3bb6b0f0f5284051243b787cabd226ceb2aa8089726019b5f99a95f33943fea65189357bb4344fd99a2ab6d3766ba7b2837d71c0f246c5f44a32c731b5b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
455KB

MD5
a0b30e63236acf34efad640b2a001f04

SHA1
cef42a459e43363235f89cc9f7423f3f8c2b7155

SHA256
b56f67c9461cd11311e617d712e2c0a07d8930b5ce031ba2d841fa47c9acbc75

SHA512
84eff872b5537b8f5974e1cb1b6f6ec929f8766b3b33ebeded469b97ae7f39e76c614d98c1c0d42e7e527a12ff5ea1f940c093e7ed404e8d41ba909481953e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsnCD34.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD89F.tmp
Filesize
192KB

MD5
415a3a5dfc7e8a56d77a6a0d2d3e1417

SHA1
c747c6503bc3f173a6a79936336c0cc252413c3e

SHA256
8ed502b52bbe01ed19f14b545ca3197ec752736861e5bdfd9509fb14fad1fd6e

SHA512
253e7ab2dc8b9ad964c7c14ef745063e9b950f1f80c78cdaa425d81e0908c24ef4653d3afa82c5582cda0324e0e9566ae935783dcfaf3b8075c2a07228f96923

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD89F.tmp
Filesize
91KB

MD5
e4b05f94da787bbb372c392b8f81c19f

SHA1
3a10c11ba9564a1e2cb42ddde45ec60024b8e81d

SHA256
473ba530c067805d5781cfaab9d519552f6c09a6ee909951c92fff37fd68acc7

SHA512
90bc65c2fdeb139cd16b6855d170ac049d5bd4fc6736918805bddc305f03416c0754d65bc4eb2dd1dc2ed747aa826aff06d30e5e07675905f25d785421d358a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
82KB

MD5
74ac6c95145932c85ee2047e79a2305b

SHA1
473aed623951b071a2a12013f206e9f58d1d7f27

SHA256
3cefc5da8f2372f8e1fd60fbacc6cd2cb8ad06421945b4be5ca08e31ecbdc07c

SHA512
1f014fea0a963ba2e504024a45f865198130af49f14ba05490e557fe113c30a50f7c40730c1c14155e863a1fe547cbf9493ff194e8f097c74b3e83a8da4d8f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
52KB

MD5
b9e8916959c11cfb064a76b47be20cf3

SHA1
7e1c0d85148a29cf9c0329ac7fe6b09351db351d

SHA256
4c3b78c91b9f2c7cfaa423ab9bb695d86c8a01d7635534390a1569f304108793

SHA512
9572e9499173370cdb451a691d9fcef5414388b9b710aa08e929243b3266454be528f203aaba6b0fb3c70a64e0a636f3407d02277ce279a9c0ebfbacb5e7b82c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
128KB

MD5
520b2df978c98c12c090c157b6f3a112

SHA1
1825c2c0d3ac9cee977096fc7c49edda2f16d689

SHA256
74adca55c956b1377f2d09f4b9728f5f761227f36f139c6e77ca34c013c527b1

SHA512
27b8e7ef02bfde29545f24129908d94685781d1688c4b56993f48461eeb30d40875ddd154e5eca0d7f7e20016278b2670d513b1b4d5e32d0c52b8b8f07976f26

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
100KB

MD5
5d22e6e9f0c5e7e07de509132f486b9f

SHA1
97618acf2aceda358a551ee7c4c1ef8062d91116

SHA256
46cd3e90c5042fbda8481c94f40c8ed608a4414733f117942f496b980513ab7d

SHA512
0f230d8d5c9bf60827ff90dfe90efa68a87a8c12752f41454b5ae957f81b7fef2dd103368ec6d77e57ad7b3d29722d07c0cab105d6dceef63e8b132e2bcf0676

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
160KB

MD5
ff4c87bc2b44ffceb287c8200b484d4e

SHA1
3976f51ca165a83ee969d9d17cee72e7d9c6e40e

SHA256
628a0b15830741aa955639deb1d2102f18674d920353e38782248198ce1c387c

SHA512
7e7f1ea0f7955e8da515cd55ee7d28495ffeef2bac529f6c32d0ed60cf7769a213e7ed74176d1900885a372eeb96aec95eccfba45bb515593fe16717c1384534

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
57KB

MD5
329f8ce8eaa554ab6356b9570a443bb2

SHA1
e76517626f13ced1c671b95b8ff917b59fe65531

SHA256
ee15bca12f7c5840a2d3ec3056244d789a40acae4291203af1215565f85b1dce

SHA512
0f78c82f899622259f0e7b2d3a89c596297924d3cff717ce5cacc4d8232dd3bdaf923fe21bf7c206cb4f1ac497b92253027a47fd566815b0521024c93ccc9ee2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
7KB

MD5
d6785901be8d0bd62e193e9f9608adc3

SHA1
e6d1fafb26c4c6101dec6ac9b97526a4ce140c79

SHA256
1c0a3cb15ebc0ad08df71bdf4233eaa783b6c6e15d4f5fc70e60707cbc4f48b3

SHA512
9f4ebdeca3311475aef4f86de05cf59418739478bd7b62108d48199351134b8ae27b0038990e6967143dfba6d0f03ccd9cd38eb00727cd97abc93d3b9c5f7342

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
64KB

MD5
60ac90a1c1ccf2f87f8ca2bff245b56e

SHA1
e85111405eef6cd4480bce76465a45c44dd3738a

SHA256
07d2746aaa0f406cf3d535c09d3d56cf6db2599e1b5248de90fca3c095310178

SHA512
ae31ac4c2b4ef379914425ad30afaa8ef5592440a6ac02bba7a265589476a0137f49c714217163120813a05a9423a96ce2059353330b4d4153627f73eeefa693

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
141KB

MD5
cbae64ef49a187a71bcd33cc13e90818

SHA1
0c0f412e9272bd5ff5d67eb2182dd5b012dcb9a1

SHA256
bb16f8bea6c1e1f8f5220c4ff7ed52ae175710f113393fe13b8a4ea13129a300

SHA512
12a72fdc11db330a6bd77147417362398c5ace58174f88bfe483b1a0e78769b81afcce21c3809cdab5a11c9bf7eec12d78b218de4c5ee987a769f24d854072ae

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
149KB

MD5
51afb84aee9eee4eb4301ae57c94df4b

SHA1
40a44f59318d03f808ad4bbd2d46bc1a808346dc

SHA256
0be735e1dfed2ddd067c49a4e6e20089e08fd2f00f3feb8d74f1be8e75912798

SHA512
f0c2913b59538f69e94ff65272ea3c70201f7514d84cca69d46f11998f1f74f3dc0c9c6e262c340c378ec7747ff780abe243fb4424e909d17a2de5da0824bfb5

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/620-351-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/620-322-0x0000000000E60000-0x00000000017A8000-memory.dmp

Filesize
9.3MB

Download
memory/960-116-0x00000000058A0000-0x0000000005932000-memory.dmp

Filesize
584KB

Download
memory/960-112-0x0000000005DB0000-0x0000000006354000-memory.dmp

Filesize
5.6MB

Download
memory/960-108-0x0000000000F40000-0x0000000000F92000-memory.dmp

Filesize
328KB

Download
memory/960-109-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/960-317-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/960-122-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/960-123-0x0000000005880000-0x000000000588A000-memory.dmp

Filesize
40KB

Download
memory/960-325-0x0000000005840000-0x0000000005850000-memory.dmp

Filesize
64KB

Download
memory/1032-318-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/1032-291-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/1032-311-0x0000000005630000-0x0000000005640000-memory.dmp

Filesize
64KB

Download
memory/1584-216-0x0000000000150000-0x0000000000633000-memory.dmp

Filesize
4.9MB

Download
memory/1584-180-0x0000000000150000-0x0000000000633000-memory.dmp

Filesize
4.9MB

Download
memory/1584-36-0x0000000000150000-0x0000000000633000-memory.dmp

Filesize
4.9MB

Download
memory/1952-213-0x0000022812E90000-0x0000022812EB0000-memory.dmp

Filesize
128KB

Download
memory/1952-262-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-254-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-182-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-249-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-161-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-242-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-210-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-162-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-155-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-166-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-178-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-156-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-158-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-150-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1952-267-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/2380-265-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-259-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-160-0x0000000004EB0000-0x000000000505C000-memory.dmp

Filesize
1.7MB

Download
memory/2380-201-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-163-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2380-167-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2380-207-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-177-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-212-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-215-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-165-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-159-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/2380-181-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-274-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-190-0x0000000004EA0000-0x0000000004EB0000-memory.dmp

Filesize
64KB

Download
memory/2380-277-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-157-0x0000000005070000-0x000000000521C000-memory.dmp

Filesize
1.7MB

Download
memory/2380-270-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-253-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-247-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-241-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-230-0x0000000004EB0000-0x0000000005055000-memory.dmp

Filesize
1.6MB

Download
memory/2380-305-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/2532-234-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2532-271-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/2532-276-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-126-0x00007FF74F640000-0x00007FF75007D000-memory.dmp

Filesize
10.2MB

Download
memory/2792-211-0x00007FF74F640000-0x00007FF75007D000-memory.dmp

Filesize
10.2MB

Download
memory/3136-106-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/3136-78-0x0000000000440000-0x00000000004AC000-memory.dmp

Filesize
432KB

Download
memory/3136-79-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/3136-103-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/3136-295-0x00000000029F0000-0x00000000049F0000-memory.dmp

Filesize
32.0MB

Download
memory/3136-80-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/3200-58-0x00007FF632350000-0x00007FF632D8D000-memory.dmp

Filesize
10.2MB

Download
memory/3200-113-0x00007FF632350000-0x00007FF632D8D000-memory.dmp

Filesize
10.2MB

Download
memory/3836-127-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3836-128-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3836-124-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3836-125-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3836-139-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/3836-141-0x0000000140000000-0x000000014000D000-memory.dmp

Filesize
52KB

Download
memory/4360-251-0x00000000022C0000-0x0000000002302000-memory.dmp

Filesize
264KB

Download
memory/4360-273-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4360-266-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4360-269-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4360-261-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/4360-264-0x0000000004B70000-0x0000000004B80000-memory.dmp

Filesize
64KB

Download
memory/4360-257-0x00000000049D0000-0x0000000004A0E000-memory.dmp

Filesize
248KB

Download
memory/4484-0-0x0000000000850000-0x0000000000C58000-memory.dmp

Filesize
4.0MB

Download
memory/4484-1-0x0000000000850000-0x0000000000C58000-memory.dmp

Filesize
4.0MB

Download
memory/4484-2-0x0000000000850000-0x0000000000C58000-memory.dmp

Filesize
4.0MB

Download
memory/4484-16-0x0000000000850000-0x0000000000C58000-memory.dmp

Filesize
4.0MB

Download
memory/4624-115-0x0000000005050000-0x0000000005062000-memory.dmp

Filesize
72KB

Download
memory/4624-83-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4624-308-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4624-248-0x0000000006160000-0x00000000061D6000-memory.dmp

Filesize
472KB

Download
memory/4624-107-0x00000000050C0000-0x00000000050D0000-memory.dmp

Filesize
64KB

Download
memory/4624-154-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4624-323-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-258-0x0000000006390000-0x00000000063AE000-memory.dmp

Filesize
120KB

Download
memory/4624-279-0x0000000007410000-0x0000000007460000-memory.dmp

Filesize
320KB

Download
memory/4624-117-0x00000000052E0000-0x00000000053EA000-memory.dmp

Filesize
1.0MB

Download
memory/4624-286-0x0000000007B30000-0x0000000007CF2000-memory.dmp

Filesize
1.8MB

Download
memory/4624-288-0x0000000008230000-0x000000000875C000-memory.dmp

Filesize
5.2MB

Download
memory/4624-111-0x00000000057F0000-0x0000000005E08000-memory.dmp

Filesize
6.1MB

Download
memory/4624-114-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/4624-119-0x0000000005220000-0x000000000526C000-memory.dmp

Filesize
304KB

Download
memory/4624-118-0x00000000051D0000-0x000000000520C000-memory.dmp

Filesize
240KB

Download
memory/4656-129-0x0000000000220000-0x0000000000628000-memory.dmp

Filesize
4.0MB

Download
memory/4656-164-0x0000000000220000-0x0000000000628000-memory.dmp

Filesize
4.0MB

Download
memory/4656-17-0x0000000000220000-0x0000000000628000-memory.dmp

Filesize
4.0MB

Download
memory/4656-15-0x0000000000220000-0x0000000000628000-memory.dmp

Filesize
4.0MB

Download
memory/4788-255-0x00000000031B0000-0x00000000051B0000-memory.dmp

Filesize
32.0MB

Download
memory/4788-204-0x0000000000F80000-0x0000000000FD6000-memory.dmp

Filesize
344KB

Download
memory/4788-220-0x0000000005900000-0x0000000005910000-memory.dmp

Filesize
64KB

Download
memory/4788-208-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-260-0x0000000072B30000-0x00000000732E0000-memory.dmp

Filesize
7.7MB

Download