amadey | a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c

Analysis

max time kernel
102s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

194d36596016f52a59cc6163a5cc1898.exe
Size

790KB
MD5

194d36596016f52a59cc6163a5cc1898
SHA1

db46517b2906cc7dbe9f3f477e009476b7fe951c
SHA256

a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
SHA512

f2a72893453e58deb92bd51792b98a04c6ad1037e356ce082894fecebc4a4f440c6fad165cb8be7721500afbd99ade88b7d42db29bad4eea504672807d3c7d09
SSDEEP

24576:zxH5+1N5SnhwQ0iyIakELr0bLObmNrUE6:H84nhllL8obLOSgE6

Malware Config

Extracted

Family

amadey

Version

4.15

http://185.215.113.68

Attributes

install_dir
d887ceb89d
install_file
explorhe.exe
strings_key
7cadc181267fafff9df8503e730d60e1
url_paths
/theme/index.php

rc4.plain

Extracted

Family

redline

Botnet

2024

195.20.16.103:20440

Extracted

Family

risepro

193.233.132.62:50500

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

redline

Botnet

@RLREBORN Cloud TG: @FATHEROFCARDERS)

141.95.211.148:46011

Extracted

Family

stealc

http://185.172.128.79

Attributes

url_path
/3886d2276f6914c4.php

rc4.plain

Extracted

Family

redline

Botnet

@PixelsCloud

94.156.67.230:13781

Extracted

Family

redline

Botnet

LiveTraffic

20.79.30.95:33223

Extracted

Family

redline

Botnet

@oleh_ps

185.172.128.33:8924

Extracted

Family

lumma

https://consciouosoepewmausj.site/api

https://braidfadefriendklypk.site/api

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Detect ZGRat V1 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3184-289-0x0000000000400000-0x000000000045A000-memory.dmp	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2480-234-0x0000000002E40000-0x000000000372B000-memory.dmp	family_glupteba
behavioral2/memory/2480-245-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral2/memory/2480-437-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 14 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3572-58-0x0000000002410000-0x0000000002452000-memory.dmp	family_redline
behavioral2/memory/3572-64-0x0000000004B20000-0x0000000004B5E000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe	family_redline
behavioral2/memory/2172-119-0x0000000000460000-0x00000000004B2000-memory.dmp	family_redline
behavioral2/memory/3184-289-0x0000000000400000-0x000000000045A000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe	family_redline
behavioral2/memory/4732-311-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe	family_redline
behavioral2/memory/2316-332-0x00000000007E0000-0x0000000000834000-memory.dmp	family_redline
behavioral2/memory/3700-379-0x0000000000400000-0x0000000000454000-memory.dmp	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe	family_redline
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

105 1184 rundll32.exe
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

1344 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
105	1184	rundll32.exe

pid	process
1344	netsh.exe

.NET Reactor proctector 16 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral2/memory/444-403-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-404-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-407-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-442-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-456-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-464-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/3960-477-0x0000000005740000-0x00000000058E5000-memory.dmp	net_reactor
behavioral2/memory/444-471-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-479-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/3960-481-0x0000000005740000-0x00000000058E5000-memory.dmp	net_reactor
behavioral2/memory/444-488-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/3960-489-0x0000000005740000-0x00000000058E5000-memory.dmp	net_reactor
behavioral2/memory/444-496-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/3960-497-0x0000000005740000-0x00000000058E5000-memory.dmp	net_reactor
behavioral2/memory/444-435-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor
behavioral2/memory/444-413-0x0000000002700000-0x000000000279F000-memory.dmp	net_reactor

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

iojmibhyhiws.exemoto.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	iojmibhyhiws.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	moto.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	moto.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

194d36596016f52a59cc6163a5cc1898.exeexplorhe.exeRegAsm.exenspAB65.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	194d36596016f52a59cc6163a5cc1898.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	explorhe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	RegAsm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	nspAB65.tmp

Executes dropped EXE 29 IoCs

Processes:

explorhe.exestan.exeexplorer.exesc.exewusa.exeqemu-ga.exeInstallSetup7.exetoolspub1.exeinstalls.exeBroomSetup.exe31839b57a4f11171d6abc8bbc4451ee4.exerty25.exeFirstZ.exefsdfsfsfs.exenspAB65.tmpWerFault.exesadsadsadsa.exeexplorhe.exeWerFault.exereakuqnanrkn.exemoto.exeLogs.exeolehps.exeiojmibhyhiws.exe31839b57a4f11171d6abc8bbc4451ee4.exeexplorhe.execsrss.exe

pid	process
5004	explorhe.exe
3896	stan.exe
3572	explorer.exe
4440	sc.exe
2172	wusa.exe
8	qemu-ga.exe
2688	InstallSetup7.exe
4168	toolspub1.exe
2512	installs.exe
4888	BroomSetup.exe
2480	31839b57a4f11171d6abc8bbc4451ee4.exe
4292	rty25.exe
2900	FirstZ.exe
3780	fsdfsfsfs.exe
864	nspAB65.tmp
3376	WerFault.exe
2316	sadsadsadsa.exe
3780	fsdfsfsfs.exe
4668	explorhe.exe
444	WerFault.exe
3960	reakuqnanrkn.exe
4756	moto.exe
5272	Logs.exe
5292	olehps.exe
5776	iojmibhyhiws.exe
3960	reakuqnanrkn.exe
2856	31839b57a4f11171d6abc8bbc4451ee4.exe
5728	explorhe.exe
5564	csrss.exe

Loads dropped DLL 5 IoCs

Processes:

InstallSetup7.exerundll32.exenspAB65.tmp

pid process

2688 InstallSetup7.exe
2688 InstallSetup7.exe
1184 rundll32.exe
864 nspAB65.tmp
864 nspAB65.tmp
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2688	InstallSetup7.exe
2688	InstallSetup7.exe
1184	rundll32.exe
864	nspAB65.tmp
864	nspAB65.tmp

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exeexplorhe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\""	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe"	explorhe.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

91 pastebin.com
92 pastebin.com

flow	ioc
91	pastebin.com
92	pastebin.com

Drops file in System32 directory 8 IoCs

Processes:

FirstZ.exepowershell.exereakuqnanrkn.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	FirstZ.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	reakuqnanrkn.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

Processes:

explorhe.exestan.exe

pid	process
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe
3896	stan.exe
5004	explorhe.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

fsdfsfsfs.exeWerFault.exeWerFault.exereakuqnanrkn.exeiojmibhyhiws.exe

description	pid	process	target process
PID 3780 set thread context of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3376 set thread context of 4732	3376	WerFault.exe	sc.exe
PID 3780 set thread context of 3700	3780	fsdfsfsfs.exe	RegAsm.exe
PID 444 set thread context of 2392	444	WerFault.exe	RegAsm.exe
PID 3960 set thread context of 2176	3960	reakuqnanrkn.exe	RegAsm.exe
PID 5776 set thread context of 5932	5776	iojmibhyhiws.exe	conhost.exe
PID 5776 set thread context of 6048	5776	iojmibhyhiws.exe	conhost.exe
PID 3960 set thread context of 5012	3960	reakuqnanrkn.exe	conhost.exe
PID 3960 set thread context of 3572	3960	reakuqnanrkn.exe	explorer.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery
T1082

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description ioc process

File opened (read-only) \??\VBoxMiniRdrDN 31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	31839b57a4f11171d6abc8bbc4451ee4.exe

Drops file in Windows directory 2 IoCs

Processes:

31839b57a4f11171d6abc8bbc4451ee4.exe

description	ioc	process
File opened for modification	C:\Windows\rss	31839b57a4f11171d6abc8bbc4451ee4.exe
File created	C:\Windows\rss\csrss.exe	31839b57a4f11171d6abc8bbc4451ee4.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
6088	sc.exe
4676	sc.exe
5200	sc.exe
5764	sc.exe
5192	sc.exe
5584	sc.exe
5320	sc.exe
2824	sc.exe
212	sc.exe
4780	sc.exe
6004	sc.exe
5488	sc.exe
5592	sc.exe
5160	sc.exe
5376	sc.exe
5344	sc.exe
4732	sc.exe
4440	sc.exe
2052	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 48 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
4276	2480	WerFault.exe
4432	2480	WerFault.exe
4084	2480	WerFault.exe
2052	4168	WerFault.exe
2612	2480	WerFault.exe
1472	2480	WerFault.exe
2236	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4588	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3260	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6128	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
4780	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
208	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
496	864	WerFault.exe	nspAB65.tmp
1524	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5736	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
6020	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5796	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5856	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5872	2512	WerFault.exe	installs.exe
5672	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5668	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5548	2480	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5844	2392	WerFault.exe	RegAsm.exe
5708	2392	WerFault.exe	RegAsm.exe
2372	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
2828	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5064	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3544	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
444	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
3520	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
1392	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5188	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5360	2856	WerFault.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
5948	5564	WerFault.exe	csrss.exe
5192	5564	WerFault.exe	csrss.exe
2440	5564	WerFault.exe	csrss.exe
4636	5564	WerFault.exe	csrss.exe
4612	5564	WerFault.exe	csrss.exe
3056	5564	WerFault.exe	csrss.exe
3612	5564	WerFault.exe	csrss.exe
2236	5564	WerFault.exe	csrss.exe
5436	5564	WerFault.exe	csrss.exe
2800	5564	WerFault.exe	csrss.exe
4880	5564	WerFault.exe	csrss.exe
4828	5564	WerFault.exe	csrss.exe
3188	5564	WerFault.exe	csrss.exe
2884	5564	WerFault.exe	csrss.exe
3684	5564	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

toolspub1.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	toolspub1.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

nspAB65.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nspAB65.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	nspAB65.tmp

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

2448 schtasks.exe
5264 schtasks.exe
3632 schtasks.exe
5760 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

452 timeout.exe

pid	process
2448	schtasks.exe
5264	schtasks.exe
3632	schtasks.exe
5760	schtasks.exe

pid	process
452	timeout.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exepowershell.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	explorer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	31839b57a4f11171d6abc8bbc4451ee4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)"	31839b57a4f11171d6abc8bbc4451ee4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

explorer.exetoolspub1.exenspAB65.tmpwusa.exeWerFault.exesadsadsadsa.exesc.exemoto.exeiojmibhyhiws.exeLogs.exeRegAsm.execonhost.exeolehps.exeFirstZ.exe

pid	process
3572	explorer.exe
4168	toolspub1.exe
4168	toolspub1.exe
864	nspAB65.tmp
864	nspAB65.tmp
2172	wusa.exe
2172	wusa.exe
3184	WerFault.exe
3184	WerFault.exe
2316	sadsadsadsa.exe
2316	sadsadsadsa.exe
4732	sc.exe
4732	sc.exe
4732	sc.exe
4732	sc.exe
4732	sc.exe
4732	sc.exe
4756	moto.exe
4756	moto.exe
4756	moto.exe
4756	moto.exe
4756	moto.exe
2316	sadsadsadsa.exe
2316	sadsadsadsa.exe
2316	sadsadsadsa.exe
2316	sadsadsadsa.exe
5776	iojmibhyhiws.exe
5776	iojmibhyhiws.exe
2172	wusa.exe
2172	wusa.exe
5272	Logs.exe
5272	Logs.exe
2172	wusa.exe
2172	wusa.exe
2172	wusa.exe
2172	wusa.exe
3700	RegAsm.exe
3700	RegAsm.exe
4732	sc.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
3700	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
3700	RegAsm.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
6048	conhost.exe
5292	olehps.exe
5292	olehps.exe
2900	FirstZ.exe
6048	conhost.exe
6048	conhost.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

672
672

pid	process
672
672

Suspicious use of AdjustPrivilegeToken 38 IoCs

Processes:

explorer.exewusa.exeWerFault.exeWerFault.exereakuqnanrkn.exesadsadsadsa.exesc.exeLogs.execonhost.exeRegAsm.exeolehps.exepowershell.exepowercfg.exepowercfg.exepowercfg.exeRegAsm.exeschtasks.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe31839b57a4f11171d6abc8bbc4451ee4.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3572	explorer.exe
Token: SeDebugPrivilege	2172	wusa.exe
Token: SeDebugPrivilege	444	WerFault.exe
Token: SeDebugPrivilege	3184	WerFault.exe
Token: SeDebugPrivilege	3960	reakuqnanrkn.exe
Token: SeDebugPrivilege	2316	sadsadsadsa.exe
Token: SeDebugPrivilege	4732	sc.exe
Token: SeDebugPrivilege	5272	Logs.exe
Token: SeLockMemoryPrivilege	6048	conhost.exe
Token: SeDebugPrivilege	3700	RegAsm.exe
Token: SeDebugPrivilege	5292	olehps.exe
Token: SeDebugPrivilege	5944	powershell.exe
Token: SeShutdownPrivilege	5924	powercfg.exe
Token: SeCreatePagefilePrivilege	5924	powercfg.exe
Token: SeShutdownPrivilege	6092	powercfg.exe
Token: SeCreatePagefilePrivilege	6092	powercfg.exe
Token: SeShutdownPrivilege	2244	powercfg.exe
Token: SeCreatePagefilePrivilege	2244	powercfg.exe
Token: SeDebugPrivilege	2176	RegAsm.exe
Token: SeDebugPrivilege	3632	schtasks.exe
Token: SeShutdownPrivilege	3888	powercfg.exe
Token: SeCreatePagefilePrivilege	3888	powercfg.exe
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeShutdownPrivilege	6112	powercfg.exe
Token: SeCreatePagefilePrivilege	6112	powercfg.exe
Token: SeShutdownPrivilege	3088	powercfg.exe
Token: SeCreatePagefilePrivilege	3088	powercfg.exe
Token: SeShutdownPrivilege	3824	powercfg.exe
Token: SeCreatePagefilePrivilege	3824	powercfg.exe
Token: SeShutdownPrivilege	5264	powercfg.exe
Token: SeCreatePagefilePrivilege	5264	powercfg.exe
Token: SeLockMemoryPrivilege	3572	explorer.exe
Token: SeDebugPrivilege	2480	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeImpersonatePrivilege	2480	31839b57a4f11171d6abc8bbc4451ee4.exe
Token: SeDebugPrivilege	5348	powershell.exe
Token: SeDebugPrivilege	4112	powershell.exe
Token: SeDebugPrivilege	5568	powershell.exe
Token: SeDebugPrivilege	5612	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

194d36596016f52a59cc6163a5cc1898.exe

pid process

1344 194d36596016f52a59cc6163a5cc1898.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

194d36596016f52a59cc6163a5cc1898.exeexplorhe.exestan.exeBroomSetup.exeexplorhe.exeexplorhe.exe

pid process

1344 194d36596016f52a59cc6163a5cc1898.exe
5004 explorhe.exe
3896 stan.exe
4888 BroomSetup.exe
4668 explorhe.exe
5728 explorhe.exe

pid	process
1344	194d36596016f52a59cc6163a5cc1898.exe

pid	process
1344	194d36596016f52a59cc6163a5cc1898.exe
5004	explorhe.exe
3896	stan.exe
4888	BroomSetup.exe
4668	explorhe.exe
5728	explorhe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

194d36596016f52a59cc6163a5cc1898.exeexplorhe.exeexplorer.exesc.exeInstallSetup7.exefsdfsfsfs.exeWerFault.exe

description	pid	process	target process
PID 1344 wrote to memory of 5004	1344	194d36596016f52a59cc6163a5cc1898.exe	explorhe.exe
PID 1344 wrote to memory of 5004	1344	194d36596016f52a59cc6163a5cc1898.exe	explorhe.exe
PID 1344 wrote to memory of 5004	1344	194d36596016f52a59cc6163a5cc1898.exe	explorhe.exe
PID 5004 wrote to memory of 2448	5004	explorhe.exe	schtasks.exe
PID 5004 wrote to memory of 2448	5004	explorhe.exe	schtasks.exe
PID 5004 wrote to memory of 2448	5004	explorhe.exe	schtasks.exe
PID 5004 wrote to memory of 3896	5004	explorhe.exe	stan.exe
PID 5004 wrote to memory of 3896	5004	explorhe.exe	stan.exe
PID 5004 wrote to memory of 3896	5004	explorhe.exe	stan.exe
PID 5004 wrote to memory of 3572	5004	explorhe.exe	explorer.exe
PID 5004 wrote to memory of 3572	5004	explorhe.exe	explorer.exe
PID 5004 wrote to memory of 3572	5004	explorhe.exe	explorer.exe
PID 5004 wrote to memory of 4440	5004	explorhe.exe	sc.exe
PID 5004 wrote to memory of 4440	5004	explorhe.exe	sc.exe
PID 5004 wrote to memory of 4440	5004	explorhe.exe	sc.exe
PID 5004 wrote to memory of 2172	5004	explorhe.exe	wusa.exe
PID 5004 wrote to memory of 2172	5004	explorhe.exe	wusa.exe
PID 5004 wrote to memory of 2172	5004	explorhe.exe	wusa.exe
PID 3572 wrote to memory of 8	3572	explorer.exe	qemu-ga.exe
PID 3572 wrote to memory of 8	3572	explorer.exe	qemu-ga.exe
PID 4440 wrote to memory of 2688	4440	sc.exe	InstallSetup7.exe
PID 4440 wrote to memory of 2688	4440	sc.exe	InstallSetup7.exe
PID 4440 wrote to memory of 2688	4440	sc.exe	InstallSetup7.exe
PID 4440 wrote to memory of 4168	4440	sc.exe	toolspub1.exe
PID 4440 wrote to memory of 4168	4440	sc.exe	toolspub1.exe
PID 4440 wrote to memory of 4168	4440	sc.exe	toolspub1.exe
PID 5004 wrote to memory of 2512	5004	explorhe.exe	installs.exe
PID 5004 wrote to memory of 2512	5004	explorhe.exe	installs.exe
PID 5004 wrote to memory of 2512	5004	explorhe.exe	installs.exe
PID 2688 wrote to memory of 4888	2688	InstallSetup7.exe	BroomSetup.exe
PID 2688 wrote to memory of 4888	2688	InstallSetup7.exe	BroomSetup.exe
PID 2688 wrote to memory of 4888	2688	InstallSetup7.exe	BroomSetup.exe
PID 4440 wrote to memory of 2480	4440	sc.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 2480	4440	sc.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 2480	4440	sc.exe	31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 4292	4440	sc.exe	rty25.exe
PID 4440 wrote to memory of 4292	4440	sc.exe	rty25.exe
PID 4440 wrote to memory of 2900	4440	sc.exe	FirstZ.exe
PID 4440 wrote to memory of 2900	4440	sc.exe	FirstZ.exe
PID 5004 wrote to memory of 3780	5004	explorhe.exe	fsdfsfsfs.exe
PID 5004 wrote to memory of 3780	5004	explorhe.exe	fsdfsfsfs.exe
PID 5004 wrote to memory of 3780	5004	explorhe.exe	fsdfsfsfs.exe
PID 3780 wrote to memory of 5104	3780	fsdfsfsfs.exe	RegAsm.exe
PID 3780 wrote to memory of 5104	3780	fsdfsfsfs.exe	RegAsm.exe
PID 3780 wrote to memory of 5104	3780	fsdfsfsfs.exe	RegAsm.exe
PID 3780 wrote to memory of 4364	3780	fsdfsfsfs.exe	Conhost.exe
PID 3780 wrote to memory of 4364	3780	fsdfsfsfs.exe	Conhost.exe
PID 3780 wrote to memory of 4364	3780	fsdfsfsfs.exe	Conhost.exe
PID 2688 wrote to memory of 864	2688	InstallSetup7.exe	nspAB65.tmp
PID 2688 wrote to memory of 864	2688	InstallSetup7.exe	nspAB65.tmp
PID 2688 wrote to memory of 864	2688	InstallSetup7.exe	nspAB65.tmp
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 3780 wrote to memory of 3184	3780	fsdfsfsfs.exe	WerFault.exe
PID 5004 wrote to memory of 3376	5004	explorhe.exe	WerFault.exe
PID 5004 wrote to memory of 3376	5004	explorhe.exe	WerFault.exe
PID 5004 wrote to memory of 3376	5004	explorhe.exe	WerFault.exe
PID 3376 wrote to memory of 4732	3376	WerFault.exe	sc.exe
PID 3376 wrote to memory of 4732	3376	WerFault.exe	sc.exe

C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe
"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"
1⤵
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
3⤵
- Creates scheduled task(s)
PID:2448

C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3896

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"
3⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
4⤵
- Executes dropped EXE
PID:8

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"
3⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
5⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:864

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp" & del "C:\ProgramData\*.dll"" & exit
6⤵
PID:5568

C:\Windows\SysWOW64\timeout.exe
timeout /t 5
7⤵
- Delays execution with timeout.exe
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2368
6⤵
- Program crash
PID:496

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
4⤵
- Executes dropped EXE
PID:4292

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
5⤵
- Launches sc.exe
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
5⤵
PID:6080

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
5⤵
- Launches sc.exe
PID:2052

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
5⤵
- Launches sc.exe
PID:5344

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
5⤵
- Launches sc.exe
PID:5320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
5⤵
- Launches sc.exe
PID:4676

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
5⤵
- Launches sc.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:6092

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5924

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
5⤵
- Launches sc.exe
PID:2824

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
5⤵
- Executes dropped EXE
- Launches sc.exe
- Suspicious use of WriteProcessMemory
PID:4440

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
5⤵
- Launches sc.exe
PID:212

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
5⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
5⤵
- Program crash
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 732
5⤵
- Program crash
PID:3260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 772
5⤵
- Program crash
PID:6128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 660
5⤵
- Program crash
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
5⤵
- Program crash
PID:208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 712
5⤵
- Program crash
PID:1524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 768
5⤵
- Program crash
PID:5736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 632
5⤵
- Program crash
PID:6020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 884
5⤵
- Program crash
PID:5796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 800
5⤵
- Program crash
PID:5856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644
5⤵
- Program crash
PID:5672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644
5⤵
- Program crash
PID:5668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 788
5⤵
- Program crash
PID:5548

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 336
6⤵
- Program crash
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 352
6⤵
- Program crash
PID:2828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 364
6⤵
- Program crash
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 644
6⤵
- Program crash
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 692
6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716
6⤵
- Program crash
PID:3520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 748
6⤵
- Program crash
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 756
6⤵
- Program crash
PID:5188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716
6⤵
- Program crash
PID:5360

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5348

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
6⤵
PID:5896

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
7⤵
- Modifies Windows Firewall
PID:1344

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
7⤵
PID:4364

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
6⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5568

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
6⤵
- Executes dropped EXE
PID:5564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 372
7⤵
- Program crash
PID:5948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 388
7⤵
- Program crash
PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 392
7⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 676
7⤵
- Program crash
PID:4636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688
7⤵
- Program crash
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688
7⤵
- Program crash
PID:3056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688
7⤵
- Program crash
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 752
7⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 776
7⤵
- Program crash
PID:5436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5612

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
7⤵
PID:4084

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:5548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 700
7⤵
- Program crash
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 760
7⤵
- Program crash
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 888
7⤵
- Program crash
PID:4828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
7⤵
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 972
7⤵
- Program crash
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 988
7⤵
- Program crash
PID:2884

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
7⤵
PID:208

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
7⤵
- Creates scheduled task(s)
PID:5760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 988
7⤵
- Program crash
PID:3684

C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
7⤵
PID:6012

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
8⤵
PID:6128

C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
9⤵
- Launches sc.exe
PID:5160

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:4168

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"
3⤵
PID:2172

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"
3⤵
- Executes dropped EXE
PID:2512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1076
4⤵
- Program crash
PID:5872

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"
3⤵
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"
3⤵
PID:3376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3780

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:4364

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3700

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"
3⤵
PID:444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:5108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:2392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 808
5⤵
- Program crash
PID:5844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1184
5⤵
- Program crash
PID:5708

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:1184

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"
3⤵
PID:3960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
PID:452

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
4⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5272

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
5⤵
PID:5520

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
6⤵
PID:3192

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4756

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
4⤵
- Launches sc.exe
PID:5376

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
4⤵
- Launches sc.exe
PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
4⤵
PID:5600

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
5⤵
PID:5140

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
4⤵
- Launches sc.exe
PID:5592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
4⤵
- Launches sc.exe
PID:5584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4168 -ip 4168
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2480 -ip 2480
1⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 372
1⤵
- Program crash
PID:4276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 396
1⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2480 -ip 2480
1⤵
PID:3536

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
1⤵
PID:1908

C:\Windows\SysWOW64\chcp.com
chcp 1251
2⤵
PID:3336

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
2⤵
- Creates scheduled task(s)
PID:5264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
1⤵
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 408
1⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 352
1⤵
- Program crash
PID:2052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 680
1⤵
- Program crash
PID:2612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
1⤵
PID:2256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 716
1⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480
1⤵
PID:1188

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:5776

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5932

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
1⤵
PID:6016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480
1⤵
PID:5248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2480 -ip 2480
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 864 -ip 864
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480
1⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
1⤵
PID:5956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480
1⤵
PID:6012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
1⤵
PID:5200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
1⤵
PID:5828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2512 -ip 2512
1⤵
PID:5840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
1⤵
PID:5780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2480 -ip 2480
1⤵
PID:5592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480
1⤵
PID:2236

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5140

C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3960

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:5200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
PID:5216

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5240

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:5764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4780

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:5192

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:6004

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:5012

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5264

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3824

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\explorer.exe
explorer.exe
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2392 -ip 2392
1⤵
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2392 -ip 2392
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856
1⤵
PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2856 -ip 2856
1⤵
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2856 -ip 2856
1⤵
PID:1732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856
1⤵
PID:3644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856
1⤵
PID:2924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2856 -ip 2856
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856
1⤵
PID:3100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2856 -ip 2856
1⤵
PID:5644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2856 -ip 2856
1⤵
PID:5380

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5564 -ip 5564
1⤵
PID:5480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5564 -ip 5564
1⤵
PID:6076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
1⤵
PID:6132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5564 -ip 5564
1⤵
PID:580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5564 -ip 5564
1⤵
PID:2240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5564 -ip 5564
1⤵
PID:2348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
1⤵
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5564 -ip 5564
1⤵
PID:3904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
1⤵
PID:3648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5564 -ip 5564
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
1⤵
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5564 -ip 5564
1⤵
PID:324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5564 -ip 5564
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
1⤵
PID:5524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5564 -ip 5564
1⤵
PID:4740

C:\Windows\windefender.exe
C:\Windows\windefender.exe
1⤵
PID:5580

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
1⤵
PID:5432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
529KB

MD5
e38d2389ebc4194ced166dc29b7d8829

SHA1
04ee969be16932f35f90890807f61125bc5d6caf

SHA256
b6c9956f3f0477b4ebc018f81e8c4eef28073242c9dd7890a163151252faff92

SHA512
9c86cc10e7eaedc035c347f82976eccf059db24bec5524bc5d8a12e7e61b64ea0e83fd47c57c34dcbf8db29db32dda46e408087b087d4bf8e71b03efb9dbc404

Download Submit
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
Filesize
656KB

MD5
175a6c1f47c9c62ccf9eada2a8f2dc7e

SHA1
7446f8bebf48c682654d7c4793904555b7500a79

SHA256
82ac4d146c3107d854645e7a77b912ac38ae68240a4a5c7dd6aa0a3be6b4ac39

SHA512
619cb31d29206433749c59f22ad2ecf91584801085053ba928c6e712b528a9ed78ea82dcd7c58429189356154109736aec4f66fd16b1b45c563a19927e8f7f46

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll
Filesize
38KB

MD5
108ae188533e72b9c3c60586391ba324

SHA1
c2b728e5464f326ceef079ccbf4985946933ad95

SHA256
6f7dfc5a107b0195bfbf12e62dae6d86f6b7192e1a3d85dc86eda50af7efbc52

SHA512
1956c51b5a43b9d0c53819451a762562570f69112bed3b4fa0d402acd2e8d3c8e2452b16f5ed538635f5b9757f61a0eadc1ad9b987d22725cd7285d79c241533

Download Submit
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
Filesize
2.5MB

MD5
ffada57f998ed6a72b6ba2f072d2690a

SHA1
6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f

SHA256
677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12

SHA512
1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
Filesize
2KB

MD5
1dfbfa155719f83b510b162d53402188

SHA1
5b77bb156fff78643da4c559ca920f760075906c

SHA256
b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831

SHA512
be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
Filesize
1.1MB

MD5
49e1ba45dbfa0bb247ce9bf85fc30d79

SHA1
5c68ec8fdea0d71dc867e51883442a62d84c0bc6

SHA256
ec6f360a390067b164d8ad958ddcb90df7d6bf4851c0ac7900590782ae81a8ef

SHA512
b1ca4c7f1a9622660460c04342ac7a0327cb259717cecdf2f8d7f5212b0279beae4737537c7ed6007edcd3fdc35bfb0b87c8f7cd36db2422fcdea81b0bffa8da

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
Filesize
1.1MB

MD5
8b38ce5d69aaed7ceece2df6657dc095

SHA1
404cb2f078a2023aec716fde7c8200d980aa672c

SHA256
eeefc030af324476406a587e6b5b48362e7f447775922ea89db7b380501596af

SHA512
fa963710b2816ede0cdaa0596fbac518e7990f2c1c6c60180581d25af2b80a9dfd1318c86059b96d7775e5410a93d77e2a452210c9fda079ab523c656a9cbcf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
Filesize
292KB

MD5
d177caf6762f5eb7e63e33d19c854089

SHA1
f25cf817e3272302c2b319cedf075cb69e8c1670

SHA256
4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0

SHA512
9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
Filesize
1.1MB

MD5
563c5c4aa752e3fbc728ea52352518d1

SHA1
27e849ce87cb1e9040a58cc28d091a9321bf3a57

SHA256
656bbfee84c6575802891ee72640b62de2380ba51644c749eb21c5800d7220e8

SHA512
be5ee2e5979b511a71970ec1cd1ca299fa7ee62fd31d1db4daece21eff4ed191e6295d02b878b579e5dc6ce4a653f1e66724b3a53f95c4bd32e122b8d16d09ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
Filesize
1.6MB

MD5
f3875d6f19b5f12b7e3bc32857e6a50d

SHA1
71bc67caef843199cc58e5d204b4c7a29576e14b

SHA256
02c72811356bb0bb2f6a2d71d55d298c74710a49666ade764bb5e630ee961fb0

SHA512
1454655e390b1c6075b572485aa7f85aacb914d534c85866f8f6ddb7cb69c92187a44a37cf917db63660b565c5c8ddb970bfe42ac4d4847b63aec0a672b95615

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
Filesize
1.8MB

MD5
b255a3ad56bc289d43b7e0df1adac70b

SHA1
49827334acdfff15ea61ef67d62ca5e99f894006

SHA256
5382fcab6a657c916622ed9f685a36ca1138ec4dbaae929d2ec2e49b131d51b3

SHA512
3ab21c70790d18134e40dba02718a3c107bbe8888018d1362ba21f0341681667e364194c3d7b3c246a8bd3e1ee0b898666da6cf425491bc2bd024ff6de2b3e4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
Filesize
300KB

MD5
2c470494b6dc68b2346e42542d80a0fd

SHA1
87ce1483571bf04d67be4c8cb12fb7dfef4ba299

SHA256
1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9

SHA512
c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
Filesize
384KB

MD5
5e48b243f8d075260f80a968ab068ba3

SHA1
8a2229e7ead4bef2710f19f9031cc683911e05fe

SHA256
4b6ed37234e1417585d0f135407b14564d45352ea53c0f5477d3a5b359dfc1d3

SHA512
daacd17dceaf1fd056c7ad7714417a5be1069c4470cbea8959091ebe0c18bbda6226b500b70113878506d1095f9176c265b770057c50fe2ae0b19536efc0ea51

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
Filesize
64KB

MD5
86cc0d98f51d57e482d6da67d7993b3d

SHA1
b2d7dfa85f586e273e7e103019d09c565c1b555c

SHA256
976c95b971f9593ec8ceeb64d52aa122fe09e42cb05356c826f7cf2d817f4bcf

SHA512
bbfebff74a2bdf638303fdf4b55445ff371b641bad284424725f1f9505d488641c40ee9409d3cf40828b5381d32f146d490eb8a2449bd2e323734d9246fbcc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
Filesize
74KB

MD5
714010684bb8c238399057863b51e5f4

SHA1
8648933967f47aebea8aaa21e3b4dd9ccfcc140a

SHA256
817a6d824010c50781a732104292c8be13e3536e36179fdc835a8706884d538b

SHA512
7309fa881449d6432e1a5f0ad9882050e4f74b167021347ad7fa6852bf06ec54f558531d018acd07d599fde2a1072f5425c314dc97e953c72a4e9128a4410bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
Filesize
133KB

MD5
d50db07295b910049dc44b9c037e7121

SHA1
ead74f4e3864b2c4c9e70162fea7238110598b5e

SHA256
1ae31f8f7ab325275b0d1940be5d412f5527d7100e68eeaa09f294759ddf73b4

SHA512
c634080ae1cb412835d35866bbc20bd218828fecdfadcd2ecde6b0aac2a19ce9e52757ab46b2c45f8a1bb462bffd10400ac2de2d36ff1fee541df1e936e9ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
Filesize
311KB

MD5
072de8d94a4d621a7d8f60e4440c857c

SHA1
ce0fe6ca32e031cafcb7780518d177d2fc657818

SHA256
9ddf67e475061ce4403c4eb9f1c14006fe1a0064aefe5ce2e0031b8ba07681d8

SHA512
c3983a505f0c0ba3d0e7f3513fc96622fd9dad5303bcd2e104eb3f74bd5a3481893970a8b02e314eee9a158278aaf1e730eaa5fc7924d6d0f13dbb0030fc7376

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
Filesize
412KB

MD5
3c9da20ad78d24df53b661b7129959e0

SHA1
e7956e819cc1d2abafb2228a10cf22b9391fb611

SHA256
2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319

SHA512
1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
Filesize
137KB

MD5
7e6f2c004143489bddf998e178447600

SHA1
54fdcce9f5313903efb1602925f6245665b7b8c5

SHA256
3fb780457739f0e6a78a6789d33df49b06380ea464b4671b92fc188a8aaacf3a

SHA512
4b6140519e9ac264f65c70f136a6ee95c4e556e9f25d6f044a0fa1976656c9671abf252f0fb0c9e9e55c822eac2c54cc6f6a51da2813cd38432999bccf9180eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
Filesize
329KB

MD5
927fa2810d057f5b7740f9fd3d0af3c9

SHA1
b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8

SHA256
9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9

SHA512
54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
Filesize
65KB

MD5
a0d45b92755377100edf894ce6bc5b73

SHA1
a9cdeb7299d1f9822daffb5705f8e1abcc8180f9

SHA256
1a82f76c3466ed5ace3bf1d7a06a578cdaf56f24f4959913b7211231666d0cfe

SHA512
fd2e291b98a05e284227dc54aa79944b5f178ec4b4154b23b04f5254c08c91b953debbc291bdaf2b5c73b5365f5f49c8ad611b8d191963d886284e4a8906bc96

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
Filesize
313KB

MD5
5a6358bb95f251ab50b99305958a4c98

SHA1
c7efa3847114e6fa410c5b2d3056c052a69cda01

SHA256
54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5

SHA512
4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
Filesize
118KB

MD5
6c0d16360d0718dc3e5594701af73039

SHA1
428d8b40394e9890268bdb72b0e33db89a246072

SHA256
da4f305c0cfd7cabf148cdd500d852ded2ba2912e8c52e7edecd6a916cf9986d

SHA512
37fdec437c6f86b904f6213c78462ad479ffbb1be2b481a21c522207e4a5b8ab8def4be697132f9596ecc70648450e6955ca7fb59a5d0a71ef7a3b4a19808db5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
Filesize
72KB

MD5
dacb28af383f7c34ffa1c892e8215cb1

SHA1
75436bc6206d2ec8c5efae8be76d66b9aa46c0a5

SHA256
47342507c73f2004230f5f27049fb29a50176c1d74b9453182dc88ec89f079b3

SHA512
112482790c2e75fe481283979e27388ef08e52ad8523ac94dbe40ae891427996ee2a485c91579a7e9a538d979596b4dca56a86f78673e18fd4060031301dba52

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
Filesize
268KB

MD5
d0d9d9aa8b3ad5853b760eb3aa892b6d

SHA1
35943c7ae7bbdb4ed9130fa468ae8910ad1297b3

SHA256
30fb90d175f358fc72830629c7dbd109459919e436532c48ca3353a2bd990a53

SHA512
8d1344fab192ab7e695a9bed4f992e1ae0e7824815308b553787b75a826977abb8798cb05aa6eceb9608e1c9d46b20a2bfbd349f85ab1be5a653dfd6df463fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
Filesize
121KB

MD5
d9c61ab04e9c3a3b967f35fe7868c65f

SHA1
d9e0000b8c50075dd895601a7eafc83819cbb40a

SHA256
38dc653663c987f32a8a8ab7f63790791f39d1fc0b1d345bb31c444be3206606

SHA512
ab5b2788515aff917e285e1b387b96cc7b9fad76686971073f7195f3825e7d741136e5305e00c8046870e274a1abf5ab58933ee5a484b2a454ad63152d458a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
Filesize
196KB

MD5
b96d6aac94f719546c676e761120714e

SHA1
347b53aaf7bbec3a5b150c2681a1df5e417af7b3

SHA256
fae9071b9f0d3e54eda0ddb1c26ba00a717ba5c1aea30ae761f134382bae0e55

SHA512
b831b718e78a4e75a07eab8dd36a1e8ece046a12251190b5df081b5fe52e0fe95138ed06de20414feef48f375ba0be35bb5cd7402a1dcae5c0392ae08bd03d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
Filesize
132KB

MD5
5be4a96754663f10f7871197875a4fed

SHA1
9cd0d1cb82ef80a9c3042a3192b58d2a7e09f0a0

SHA256
9a0f22819b6c026112266ad5d306239843b3cc30c26cc2c8d74272f4824b31fe

SHA512
d27d20aff1b863b61d451d8e2de8cbcde0acdb2cdef475895a3dbd91134374cb3fa7ee6432a6714fb747c1270b354319f19aef468b86228e78b5b82f358a7c14

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
Filesize
142KB

MD5
a83a4df54471201cd5a8673c1dfb1bba

SHA1
4efb4e7281b0809d54751b053f3de6cd99b1f932

SHA256
db96c4050fe77fc266731c8870dfa75c8e26026d1433691c186e29d5e506ecd3

SHA512
86aa530a209ce70affd4ad0ac43887cb8f655b149536f4ed90ac191c5fc83930c809d3f7a772477c082525549a86c2190228a921e3c767895e07f661026756c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
Filesize
19KB

MD5
0d7af60b7914857675cbaf88a3c5ff2d

SHA1
d36b0dc5f028c3a7db336d28da4d1fc8f77add0c

SHA256
1b04c0858f3eb92c62cfcdff5b8bd6f8ba20f4ac1aae3b12a2e376064b1804b8

SHA512
12f05adeb08e01187ebf4c15d308095da962effc4cc3759ada764abd9d6bb62249b3973e7b89fa533bc365e58f5c2b314d4aeeac57216c6ab1cb1ab5c6799732

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
Filesize
311KB

MD5
0e6e0443a9bd40df436c0a2cfb99c313

SHA1
d318aa7fa2bbff826f16e4f52dcf0ace2dfd6ff6

SHA256
5c2aaeed01e56a734b43233946e94beb66bb1f0cd018bd907847d9cc53c26594

SHA512
1f8c224089153bf05450c1bd4da0b2b35200547d0fa6abe494ac5915c7aa6785d3fff65273db55c75f78b44210e52df80b7f44492389fb60bb6757efa6d527b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
Filesize
280KB

MD5
874115437d0241018bc86184fb6b456a

SHA1
f7b2339fae03c8ac2b273c83fbb59d1d1d6bfb1f

SHA256
975562a70a6685f6bf8913ef2f7b8bcbcdb0797eef619fed0a2ea32630267710

SHA512
15fe2ac3d848756232edd6e74384a0591c66e2ee491f4a8404aadb167993c5883da930d6848a965603f8950034a05229b57bcf76641d68e2daa839ee28f15235

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
Filesize
237KB

MD5
1abd6eae26a304c260e949e4d87bb007

SHA1
ed4c90d0a7480d0973474364fff42b54a8e2abb1

SHA256
0d1931ab34d9160e9204ef3d61e413786378e2d5dcc01965d07449c782f7502b

SHA512
688f3776ad84cd62ad941baad8e557b3d7fa2de41c86131a1c93146ca60fe6a48c686bd28cdf5cfe114acea155a060eaaaf0aa989c963e8d20480052388dc1a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
Filesize
335KB

MD5
37d12febec1f204c2e0b56f2d50ad5d6

SHA1
2ad748e3097bd56340ed1a39784341aafd97ab73

SHA256
b9d2970bd33ab730574cdfbd7bf7949571d28044955adc68cfe1d82d5bbccf00

SHA512
2cdf9c3892e5751e5030291af26aef7968f64f9d2a53bb265a691876dfcfdcd40911530afcd6c23169288bb23628f1246eaa24de96430111785119fafaa2ead1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
Filesize
163KB

MD5
1def7c36d4f6d89a0140fe7f087d8ccc

SHA1
e8fc0b5b7c9f882ed62e1f5e69d659276fd5218d

SHA256
e90bfa1740d0418ce551670183f5d7b790dba0a5d4c8fe29820d3dc7229fdd0d

SHA512
6017a394c59820a361ff1557ef7c4422adfc22419c6d756196c9f59266db03eb1200b32c978238621119c9586e650e576fc4cc527f821df5e32026c4730067ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
Filesize
259KB

MD5
4bb74fc03fc3432cab36fc92c6a587bb

SHA1
5c234f504b137cae2e65c82ad0d82bb2241953aa

SHA256
e707c249eb71388182738032e18906f64fb9ca1da5c18920e4b4b0e30802ae98

SHA512
cc77c19154dba39bdff8af819ee73af2c0e4314d9bde312fb8fea3b9e1c7e39154e01a5c279093e0d077da8717389089eb930651df4f9d6e5acc188f6ef8b881

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
2.1MB

MD5
2a4fe2818d6078f3ff111be2354c2482

SHA1
4a797d116ea6b428b36d48d20e922a5631aab6af

SHA256
fd8388624f20c7ae95ff8c71154e53461a695226219a1227c936abdeecd4cfca

SHA512
d89aec9f819476c37e306fa817da0080fdbbca457a6b1e323e5f4cd65d7aa806ccf051ca6734dda9dccb7ae067054b6917ff80b0b1894b4b080f2a47e7c8300e

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.8MB

MD5
fcf4a98b7c566ab43a2ee56c2a7e5f7b

SHA1
72acf205516d117b1e92e741774e58ce1bbf93e2

SHA256
af1d0090e6a96b3cbdd42d9147484bd3bc4795d2fbfa51f432fc1337b922403e

SHA512
c294f9d7c8d0578e1d1c7eee3df85ba8748ec10cf355ba9d7699031cb8ab8a78ec46cfcad3bdf3a561f1ac5d0e61daa95d3da5d04fcbe01744705cecce8ad6c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
45KB

MD5
92a80884170d6839356624824b19cebc

SHA1
f5fe29396c7243484a0d0bc2e3e5efe81946ae7d

SHA256
fd0c5f25298d52fb8d054609a5b710cd81a1b236b84556f145ad1bd8276e0bcb

SHA512
7e391cb80b2d88ec00e43b9d99d12c3a0960f377c21df4c30ea768957f7a9c25323177c17cb38942ec7b003b3a06834ae0b6fa43dcd9ccda9e2335328f923140

Download Submit
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
Filesize
1.1MB

MD5
e9045a8ddcc8490aa44de4dc4b64f72f

SHA1
408294567482116ef89a2ac7795f5a1ae77d0551

SHA256
55d73cd58a381cef3e5fd68b8e084e93a95872a6dee7c0b763f45c49c55f8dea

SHA512
5864f7ed18501424f93f7e9ce7bb5897d873a505c80ba26e9b22a94cbeb9d6f1825e61fb49ea159f79899a764555cee8a4642e27874611c818188b1d8fda8fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
Filesize
2.4MB

MD5
9e7f5469b45458d39c5d9c6520af465e

SHA1
6fc950c5b70fd8423c52b0b97b1b3f9d7c6d381f

SHA256
0cc61c8953b078f886104d03fd33c3f2ad8f4250e4a9e6c8fa5e0bae4c4f5ab1

SHA512
bebcd4ce71e3dcb5f4ba42b0f110379ec9e7b47c59967ba11e8b2c5ea5f49cf51683de137e3856b26ecd525b01d1d931ad709a354fa467ba6672ba4ec3a95496

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
1.9MB

MD5
bf3f04b52b6fedf1d5d790093aaef610

SHA1
00d159785608415e8329010a5eb61b7ea0cf28dd

SHA256
674bfa14a05ff74f3d0615f7574458765990f6150358ea11b06d4e76431e1bbd

SHA512
b34800dce7a21ad7f5eb0c6fc4da386206ec1e1353ed15d6687bfac92e4c9fe072275141a02f1cdcd648843ffe114ed1468c0ad487340d714f932bc24d19a039

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
1.7MB

MD5
ac766f8d3e1620dd0960d55667278c68

SHA1
f7b175aa1ce28a72b58949699db40802ef859807

SHA256
a93c7de1528025f9321bf7b7d014060f44593d4edc6985293b1d2708337b9471

SHA512
a2345ff28fbe562c45be8dc3b81cff1159975019ab870dd9ab42e049b38d4c2e67f27728dc43f440764f48e767e3b770c81d1a2ae28e3f6d66054e7389c09cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
Filesize
1.5MB

MD5
ce6edaeebe218df710c2195c62d05ccc

SHA1
19048f4316424c2cb277a3f25b3bed5be05ef1cc

SHA256
805a42a3777135749a1cc3e403acfe134cedd640a101b57d2aacc67ceeb46015

SHA512
bfd3440eb79d321c53e852e3aadb3a549275f5be6caf9208f1a5867a76aeebf0c27fb904b787ec206637c80ebde2a245b3637afbb8c6769204f3f6f1ee730ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
546KB

MD5
2ad24c41f9aec8a9aef6a3b04c4c41fc

SHA1
e3afe076c142ff368f6558693c3b22407130a0da

SHA256
10d556b3e1572736397c1f25c14e3c02aa04ffd7a7fc23d61eb017e2b214768f

SHA512
71fb4db57d2d56682500f175cc29a8f0c5e3b45f484198cab1e6aa924abed257e35f8e82ff128a98fc7cc8eb7752b376208b5f84990890ab7a82b0aadde58881

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
509KB

MD5
e661564f8710a881f89d33abbce3ae15

SHA1
780b3e907ba2f884d17cb80d17481e86ef849e07

SHA256
49f28c9cd2b58dad1b0263a4cf0d9cca9744f60bb5b643214ab2c72ca754d952

SHA512
48f39a8a77559b3ee2144ea05e80fac06934985fbe957fd81f8468b50fe5e5309ad51eb8dff951937a2f201da3e3da7cb689c2f0345398bffee465b5e59a6e9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
Filesize
340KB

MD5
cd09c003ae2cce9f6a92602247605377

SHA1
cc61f95b47019ed9c71af613401b5f29fd688ffa

SHA256
0c4b0c1d2a476d259db140d5dd5c5cf63a6ae89d885454f76af8681433559971

SHA512
19b9f066c274c2e0f4c36ef04f8560f6a5a8d909f43b2bceca88896d8b71a55518c93409ea8b3df63ec348f42334d097f3eb7fbcb16d4726e9420cd963019774

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xb5thseh.lfp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
85KB

MD5
aac3a535b8e14f01df697506c7571beb

SHA1
98d3b2c56b8986a34abe946c315aa85a55426e07

SHA256
a312731b34e7e8b1361e7f08028cf1583a75adbfaaf10db9bfd4d6af0353fad2

SHA512
d60cd3a3d49248835460abbe11707b5a844ae4fb50f98e42a4077a00451a70fe5ff82a2031aca2a49d3342fd289efe2343a85c6487dd68ddc5296c3c4960fc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Filesize
790KB

MD5
194d36596016f52a59cc6163a5cc1898

SHA1
db46517b2906cc7dbe9f3f477e009476b7fe951c

SHA256
a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c

SHA512
f2a72893453e58deb92bd51792b98a04c6ad1037e356ce082894fecebc4a4f440c6fad165cb8be7721500afbd99ade88b7d42db29bad4eea504672807d3c7d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
Filesize
4KB

MD5
a5ce3aba68bdb438e98b1d0c70a3d95c

SHA1
013f5aa9057bf0b3c0c24824de9d075434501354

SHA256
9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a

SHA512
7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbA384.tmp\INetC.dll
Filesize
25KB

MD5
40d7eca32b2f4d29db98715dd45bfac5

SHA1
124df3f617f562e46095776454e1c0c7bb791cc7

SHA256
85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

SHA512
5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
Filesize
252KB

MD5
1769d29cc010993ffa6c7b9076be5ad8

SHA1
7aafa7b944ffa484c2ccf5dbfbce001fd5b18e9e

SHA256
0eb898675007a1265f326a6af3db61fc65009e976e6957d5243d76ab017ea029

SHA512
b79fb9dcf51031df0d709875870aaf0a1d25d3139d3a455acbac1dabcbda10be905380798674b78d38c6e29aecf979581401ac5b4eb8ce54b6b42c50baf96fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
304KB

MD5
ed1cc2b9e23caa2c32d3d6224dc5cd1c

SHA1
f757e4a7ecfb5fa666cf20d4e14e382336798732

SHA256
4ee3e97b96c267000617368a0fedb5b4456c4b8db9a2b72a7a9eddbf40827419

SHA512
e7e0520683f8c567a361478a94807e7e6c9318929cbce055d53d9e110cf1b87ed85f2d3e39f69d52a157b50540cc25f6387433c041c34320c9cde3e5bbae2716

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
224KB

MD5
ab0487b4e7ee0db4f0b5f629da1ada7b

SHA1
686c0f22f844f8cd11a073437f4a293036b61994

SHA256
ba141fe6196ddd543caccb3980bfb82b726c72242195e50fe5575a9f5e6b62b6

SHA512
d4c223b5237627e1125923c58e0dafd5c5f8b67035c7f230c06a045b89354ecd3d13f213b01b72036c82280f063aa7ddcdc02a0e1463233a6e5c57cccaba95c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\rty25.exe
Filesize
324KB

MD5
5eaaf2cedeb0a5086aaf35c4367a736e

SHA1
98a357c3dca7161b44ff55395127d0f212797dc6

SHA256
7093afea1144bfc7d4987386a08cbf7b644003c7eb5f5e18d6ccb3624391124d

SHA512
f1bdbc75cac2d3bb9c1bc50106a6f45c44a0d497b1046ec31fde66890fcce0c09c6f55b3bae81ff35ab079ff3d9380fdddf75472272ac67d1fa9b2f4911dbc0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
Filesize
224KB

MD5
4fe7bef521345515a1a3e94fa4a25c3a

SHA1
081fe1bedaabd9586b4c3af635814de71d41467d

SHA256
c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4

SHA512
3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
102KB

MD5
85af6c99d918757171d2d280e5ac61ef

SHA1
ba1426d0ecf89825f690adad0a9f3c8c528ed48e

SHA256
150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e

SHA512
12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
325KB

MD5
3058f10b2fe431d9f8a487a35cd89ba3

SHA1
adf31cfada940e96a02305177bea754d4ee41861

SHA256
73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30

SHA512
4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
Filesize
282KB

MD5
ca56674ef98b9a14d6b87018b1296a50

SHA1
7f2224e3439d338ea82d81d7d577eb5d3323d6fa

SHA256
dde58070181cd1cd74b712d4b3ffa1f82b105670e01a5d22b44177e820ee6146

SHA512
3b4df90268f213bf2a05d3568c93d92accb7dfa25971b690e82abf30d0275798314dd503ee998be4cd2e5560703d04a76391daecfadabc8eef886a7abb164f87

Download Submit
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
Filesize
313KB

MD5
5ea776e43112b097b024104d6319b6dc

SHA1
abd48a2ec2163a85fc71be96914b73f3abef994c

SHA256
cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341

SHA512
83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
\??\c:\users\admin\appdata\local\temp\F59E91F8
Filesize
14B

MD5
86dcf064474fd20f25006f96ab661f01

SHA1
69375b55e39c2bab40cc6da7896762a56d631d91

SHA256
d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc

SHA512
86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

Download Submit
memory/8-155-0x00007FFB3D9F0000-0x00007FFB3E4B1000-memory.dmp

Filesize
10.8MB

Download
memory/8-147-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/444-407-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-488-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-413-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-435-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-464-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-404-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-442-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-496-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-479-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-403-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-456-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/444-471-0x0000000002700000-0x000000000279F000-memory.dmp

Filesize
636KB

Download
memory/864-331-0x0000000000400000-0x0000000002B17000-memory.dmp

Filesize
39.1MB

Download
memory/864-310-0x0000000002BB0000-0x0000000002BCC000-memory.dmp

Filesize
112KB

Download
memory/864-436-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/1344-0-0x0000000000370000-0x0000000000778000-memory.dmp

Filesize
4.0MB

Download
memory/1344-16-0x0000000000370000-0x0000000000778000-memory.dmp

Filesize
4.0MB

Download
memory/1344-2-0x0000000000370000-0x0000000000778000-memory.dmp

Filesize
4.0MB

Download
memory/1344-1-0x0000000000370000-0x0000000000778000-memory.dmp

Filesize
4.0MB

Download
memory/2172-291-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2172-258-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-142-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/2172-125-0x0000000004F20000-0x0000000004F2A000-memory.dmp

Filesize
40KB

Download
memory/2172-124-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-119-0x0000000000460000-0x00000000004B2000-memory.dmp

Filesize
328KB

Download
memory/2316-332-0x00000000007E0000-0x0000000000834000-memory.dmp

Filesize
336KB

Download
memory/2480-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2480-220-0x00000000011A0000-0x000000000159A000-memory.dmp

Filesize
4.0MB

Download
memory/2480-437-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2480-234-0x0000000002E40000-0x000000000372B000-memory.dmp

Filesize
8.9MB

Download
memory/2512-275-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-261-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-276-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-263-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-288-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2512-244-0x0000000000690000-0x0000000000717000-memory.dmp

Filesize
540KB

Download
memory/3184-333-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3184-289-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3376-327-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3376-295-0x0000000000F00000-0x0000000000F56000-memory.dmp

Filesize
344KB

Download
memory/3572-72-0x00000000064B0000-0x0000000006542000-memory.dmp

Filesize
584KB

Download
memory/3572-68-0x0000000004C10000-0x0000000004C4C000-memory.dmp

Filesize
240KB

Download
memory/3572-58-0x0000000002410000-0x0000000002452000-memory.dmp

Filesize
264KB

Download
memory/3572-59-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3572-60-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3572-62-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3572-61-0x0000000004CC0000-0x0000000004CD0000-memory.dmp

Filesize
64KB

Download
memory/3572-63-0x0000000004CD0000-0x0000000005274000-memory.dmp

Filesize
5.6MB

Download
memory/3572-64-0x0000000004B20000-0x0000000004B5E000-memory.dmp

Filesize
248KB

Download
memory/3572-65-0x0000000005280000-0x0000000005898000-memory.dmp

Filesize
6.1MB

Download
memory/3572-154-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3572-66-0x0000000004BF0000-0x0000000004C02000-memory.dmp

Filesize
72KB

Download
memory/3572-67-0x00000000058A0000-0x00000000059AA000-memory.dmp

Filesize
1.0MB

Download
memory/3572-127-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3572-69-0x00000000059B0000-0x00000000059FC000-memory.dmp

Filesize
304KB

Download
memory/3572-70-0x0000000005C00000-0x0000000005C66000-memory.dmp

Filesize
408KB

Download
memory/3572-71-0x00000000063F0000-0x0000000006466000-memory.dmp

Filesize
472KB

Download
memory/3572-73-0x00000000066F0000-0x000000000670E000-memory.dmp

Filesize
120KB

Download
memory/3572-74-0x0000000006CA0000-0x0000000006CF0000-memory.dmp

Filesize
320KB

Download
memory/3572-75-0x0000000007940000-0x0000000007B02000-memory.dmp

Filesize
1.8MB

Download
memory/3572-76-0x00000000082E0000-0x000000000880C000-memory.dmp

Filesize
5.2MB

Download
memory/3700-379-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/3780-300-0x0000000002670000-0x0000000004670000-memory.dmp

Filesize
32.0MB

Download
memory/3780-249-0x0000000000480000-0x00000000004EC000-memory.dmp

Filesize
432KB

Download
memory/3780-256-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3780-259-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

Filesize
64KB

Download
memory/3780-297-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/3896-450-0x00000000002D0000-0x00000000007B0000-memory.dmp

Filesize
4.9MB

Download
memory/3896-36-0x00000000002D0000-0x00000000007B0000-memory.dmp

Filesize
4.9MB

Download
memory/3896-200-0x00000000002D0000-0x00000000007B0000-memory.dmp

Filesize
4.9MB

Download
memory/3896-122-0x00000000002D0000-0x00000000007B0000-memory.dmp

Filesize
4.9MB

Download
memory/3960-489-0x0000000005740000-0x00000000058E5000-memory.dmp

Filesize
1.6MB

Download
memory/3960-481-0x0000000005740000-0x00000000058E5000-memory.dmp

Filesize
1.6MB

Download
memory/3960-477-0x0000000005740000-0x00000000058E5000-memory.dmp

Filesize
1.6MB

Download
memory/3960-497-0x0000000005740000-0x00000000058E5000-memory.dmp

Filesize
1.6MB

Download
memory/4168-194-0x00000000005A0000-0x00000000005AB000-memory.dmp

Filesize
44KB

Download
memory/4168-196-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4168-193-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/4292-210-0x00007FF669140000-0x00007FF669196000-memory.dmp

Filesize
344KB

Download
memory/4440-97-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4440-98-0x0000000000860000-0x00000000011A8000-memory.dmp

Filesize
9.3MB

Download
memory/4440-243-0x0000000073720000-0x0000000073ED0000-memory.dmp

Filesize
7.7MB

Download
memory/4732-311-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4888-213-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/4888-425-0x0000000000400000-0x00000000008E2000-memory.dmp

Filesize
4.9MB

Download
memory/5004-108-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download
memory/5004-395-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download
memory/5004-88-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download
memory/5004-120-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download
memory/5004-17-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download
memory/5004-15-0x00000000004B0000-0x00000000008B8000-memory.dmp

Filesize
4.0MB

Download