Malware Analysis Report

2025-01-22 10:25

Sample ID 240126-s43g2aghh2
Target 194d36596016f52a59cc6163a5cc1898.exe
SHA256 a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
Tags
amadey djvu glupteba redline risepro smokeloader stealc zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) pub1 backdoor discovery dropper evasion infostealer loader persistence ransomware rat spyware stealer trojan lumma @oleh_ps livetraffic
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c

Threat Level: Known bad

The file 194d36596016f52a59cc6163a5cc1898.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba

Detect ZGRat V1

Lumma Stealer

Djvu Ransomware

Glupteba payload

Stealc

SmokeLoader

RisePro

Amadey

RedLine payload

RedLine

ZGRat

Blocklisted process makes network request

Modifies Windows Firewall

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

Reads user/profile data of web browsers

.NET Reactor protector

Reads data files stored by FTP clients

Checks computer location settings

Modifies file permissions

Checks BIOS information in registry

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Checks installed software on the system

Looks up external IP address via web service

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Delays execution with timeout.exe

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 15:41

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 15:41

Reported

2024-01-26 15:44

Platform

win7-20231215-en

Max time kernel

12s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2236 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2296 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2296 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 2296 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 2296 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

Processes

C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp

C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {70A10ACB-A3A3-4CC3-BFE9-E7E7ADC59A15} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 264

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 604

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\4D66.exe

C:\Users\Admin\AppData\Local\Temp\4D66.exe

C:\Users\Admin\AppData\Local\Temp\4D66.exe

C:\Users\Admin\AppData\Local\Temp\4D66.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\dee48eff-63e6-44f6-8169-a0404ff318a2" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4D66.exe

"C:\Users\Admin\AppData\Local\Temp\4D66.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\4D66.exe

"C:\Users\Admin\AppData\Local\Temp\4D66.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe

"C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe"

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe

"C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe"

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe

"C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe"

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe

"C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe"

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240126154343.log C:\Windows\Logs\CBS\CbsPersist_20240126154343.cab

C:\Users\Admin\AppData\Local\Temp\604F.exe

C:\Users\Admin\AppData\Local\Temp\604F.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1452

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

Network

Files


C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 698a1f2c2ff1a9e0d5c74fb554b98296
SHA1 827551631e98399420b3d158735784128eac12eb
SHA256 68a19332f227a30831a9b34ab2c43736cdacebcc22ea8156adc9bc0c3703275e
SHA512 c98e97e8d6554abc08b45146462724a9eec25cb4b6a068317b914ed8f5f4731db42de97748d5b8b8dfcf7777a8061cf78c3e9ac51631cbdc7ca0745f92d336e0

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 ad7d12b7ffff373ec2a871566e1b5f02
SHA1 c4a6ad2ad633059f87d935783dcaa92eefddd9dc
SHA256 8f16a299dbfc95156b6add8fb549f718ae76408471a4f0c4bf519bf1fea4afc9
SHA512 703a245c335160cc4516a2b5fe8c9d0ffcb3dfd241465cf5153a1dd2ef8b6cc0f935c5bf4cfeb464d0df15ed5f7b2b845128dea5230d82bb2bcaabfb6ac95e73

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 3a03557975ee14af862567f798b0e42a
SHA1 d5c457d87efc3e66d57f995125472bfc2d7cdd5e
SHA256 e1c1f63ca6c4b11017e68a40ee5885b58606164dfc80af08b885476dd21a1d22
SHA512 7835e196cddcd35841156f00899925e588961ae4a4e4c5d84249573e44692af66127cb12bf41bc457cab12537395bf3469d9195e82d1c321e2a4470a94a64cdf

memory/2300-167-0x00000000048F0000-0x0000000004930000-memory.dmp

memory/816-199-0x0000000001310000-0x0000000001318000-memory.dmp

memory/1568-200-0x0000000073820000-0x0000000073F0E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 8ea424e9c92b90e74cb3d7e1fb66f2a0
SHA1 e3ba2589a91ce9ab19fa950d23e0eaf1180bcca8
SHA256 d3d5c67ddfb57b9071dd1dff9592cb334165647e556dd9ca1b8d45ea453db288
SHA512 85d70203d31dd728baa7e3c8adb2b8c842bc539976714ad6a6beb9e62a0fd2ecb812cf07fb427f885b98557ee4de4f6671b2581577c6f433461f9eddf3628b67

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 7193444c84b88fefba797d5c4e8a7968
SHA1 adbf1961d4fe9b2eca438c795bf9d13c63b00444
SHA256 eac3c398064f6d3cfa8df07118ed9456dd358d56f429b40906f8d8454286a9ae
SHA512 13f78263d4422a6920c2f2944eb20452a124df8a1ce2ce0fb546dd250ac230a7127b32d7e890ff98fc05c9f3a174e81b3f7f75013bc6e0c8245129e0918c0469

\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 3e4653c7a44efe2038d5829d14290f63
SHA1 b3db6a4552e45be991851de7bb7ed01a33b05166
SHA256 6fa9c9606e1086ef4aa59e37a669112f8fd781c90ad9e9c606f295fb3fe18fb6
SHA512 f0573077df7ec296444c6dbda12b612ad9a8cabf11821138cf787c6acf7ab3b9cdc3e81a339281e55f9967c08833ca10ab2a9ac5c84a6fdd7c08d30224515a4b

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 9df9bf36c91a147de0a8f7db802e5a8e
SHA1 068b89f9c6c22cde0e7431ac6c51021116d01848
SHA256 2940259eb1335080f7a2f8a12982a60ae841672ca767b9de39da3331e17575b8
SHA512 2486b86c4e562f744e6838ca9168b26a7f7a34791e80d00bba48acd7f284c1b80ebc73a7251819fb27c913442edd14330386b45151ec69fdd3271853cf089d77

\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 fa5ce14c82e4ab3aee7cca7416c9c106
SHA1 6883436202ce6c6748094d39a1d5f0cc94a507b5
SHA256 b90741299d26cffb0a457b5614565708114e9ac92971ce5aa91d738a87b8b911
SHA512 a926da59eae276bfd9d7657a934e0d75afcdc5abaede93c88ac7dd0c7eb1f152ac582232685881ae78f20f8195165bd301cef5e4ff4892c958c8d77f32d8c830

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d70f8f1a3d6845eda5be0789ecf0ede8
SHA1 5ad3b821a0c49c590488914cf7f2fb9084507283
SHA256 d4e1a1aeebc1c1e5aa4ac554bb902794c98616d9de051c17ca4cd452628c0a8c
SHA512 800d100d0931220fe986f8da77a470a920b6cd731958043eb4389a2f7a436745771204c4f08e3fcc0165e84d03f9445c5917e68c7fa3f873fc9361511c533d2c

memory/440-152-0x00000000004E0000-0x00000000005E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 2a4b8b1bb2998d25a450319180193e82
SHA1 661537f5920598070c2abeb92251cfef57488c24
SHA256 58f791f63da18bb11de3e97e5719b62d3c4a05a497858628e098dbce32bfad23
SHA512 da5ec2a6bf1b6306c860bb8ba9af92f1a4309deece80b0f1433a932c3d49a6202f84cfa595b79c3cabe6fba1923d27bcd94e2bca6830d9b1e9d016a909068156

memory/2908-217-0x0000000001380000-0x00000000013EC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 a0fef664fc14b5d0c4d24d2cd5d03aaf
SHA1 0dadf1d32a9ab6538a5b039b357574bc2ab16f5a
SHA256 50f2c5c52b712c9eb4c917de9839b7a0c9cf06698e707dbca2e1d0787042b024
SHA512 e8659a19be11c977c4e01d8e27aa30ae8cc41e58c492501de7a82f1d7fed76d34f097706e832a7d61a838fd1d05d03f9ea46fd07113311454d968e36bfb80dc1

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 aff13f45338e4135daf70dd3a8d5c646
SHA1 c7232f86cdcfcfedee3dea91b172d90f33c1fa19
SHA256 ad50e9565c13e04eae95bc184ef2eccfb73f64dc0f88d7831320560d118696c9
SHA512 9607460a55306d05908063bbf144a0715d1d92d507b24d6a55a1bebb438859add61f423eefbc2b342eeb8f9cbe2392ef04ff2c5a8537c3a270920fb7642041ea

memory/2316-214-0x0000000000FB0000-0x00000000013A8000-memory.dmp

memory/1084-149-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 1e00482af9facb50bee911744c0db8ae
SHA1 45fdedb971c2ec4b54247a433ab46ea34e2bc86a
SHA256 8678a0ba662a09aa99a08fa5e721c244bd0dd84748e7df716cf1d3bd24f53e98
SHA512 4d199a94fa90872f9371af17a1e87cebfcaa3d1c7c66090a2c2e7a8fa22acddb2e54d16e78189cc1590b0abd580e8aa5ac4e873231ef8d89345ca2f655c977db

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 94b1bd642375c0ba6f8acfdf8e4a2549
SHA1 ffc188787e8ee33806fdd8ed65a5c08a707fdf16
SHA256 03fbe3a356e6b4a7fda655cebb7d4852a86692922de2b0e4d4b8ddbca3aa3f0b
SHA512 72015a306fae0c198353b2b6497f9fe1f4493e73580940c5431b61923be180d67b4dcdf362eee4d227e74042feccd7aa7287d9743847816b6846fb9c2a84b74e

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 520a61a23ea1870f71e48d3b37df84f3
SHA1 e452e1d95b05108b5e22b86cb91545aabd2438e0
SHA256 83e6382fb4a1fe66daa35fd1c3f7d943649b42bc238a05480eda55e2c38ab213
SHA512 34d1d4fa124cac0f5f1df53f865281882b3259cc94cf40a5b4a00f4b8b237c3a1a315c44ef9b827da6dc36b39ef9101433a8ee09546b9d9ea3725a77bd8d0830

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 921a3a76b5f1d438020d0105e9fddb0e
SHA1 cb65b73c08c099d0da6327e8e4511e15dc48aad7
SHA256 3f9ed04bb963228edd19539f0e16540892367fca9e3e8fa51d64194fcdfb7e8a
SHA512 253a576cba3dbc78560864ff719549c4c690d9f31afd5e3108c38dbcf7a2279cd4d760e4d311bfe6edfd5af8c2bc31dca920a33161580bbb339d603e19184b40

memory/812-231-0x00000000004B0000-0x0000000000537000-memory.dmp

memory/1732-243-0x00000000012A0000-0x00000000012F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 d1eed5cb23f4a43863d99765c6f517b7
SHA1 13b53fb02a0864c8d76ef9f3ed55f3904e940eaf
SHA256 49d1cd8f9823955bfe219b7a90ffbfad97171c9594e22a74bd578b01f529c932
SHA512 41df824e109ce01e91b6e290e3f0fab7b355db231c6ab6abd42e7ef58e57f4d118dab011d1fc48382c6e4142ca56a4c3bf3a741a4701adb4fdf86d324fde3d9c

\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 1e9c198053227c0c2a3bbf1778396e45
SHA1 d279fade27f46ea99cce04e4125aef5b20546efb
SHA256 065d6d633f8e030d6a8d3a8ef75556a7b7fac3372a503ae05e33d0f4818ef627
SHA512 1552dc93cbba06392d6eb594610421ebd072896dcbccb62a591cf824d9c5bcfa014622cd9faf92190b788bcd24a82e4ac2b705fe153e84061926581ffbb43181

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 1c26cb11f4b49db755cc30bf9ba75b41
SHA1 ee8b15085783fd7bc9ba9aaf62484b2f87c461df
SHA256 d788e54832239bb6a4abe5a3c4ff4fd3d3b9e60e4805420d1dd315a687bbb025
SHA512 f17e02b984f39e92a2d96b57bfdbdadd33fb5947fc2277c59886711adc7b11e4d4429e653668374ee7423e999f411a37b64f04aa6b3f2eb61543e9cbac3b2f67

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 1f5fdc4919d6ac5e7546baa69630c319
SHA1 946f300d404d6325407908d7c862011a7d31186d
SHA256 710aa19fed6dca2ca92083012ba59d3f9d2decca63de003780a1163fc6c203d9
SHA512 1c026ad87b492c67079b35dd7dfba8ac6e34e74d6ac6545ef65683bdf074f4eb475d60acff573dadd91f95d71d1fff37d92443fa4d6c4c70aaaa4d6dcdd2e872

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 b4756c39409ceeea273075285f52a344
SHA1 20a32b83ed02ca985894f059f180bae51e50cc15
SHA256 4a8c0add41860fad3a1ad8a63a323781e11def21d5de0e421719cf791d6d554b
SHA512 64129dd12057b8a55e29378c0d699e07daf0e14264ead13499d2fb8bb8de0226e71e7bcf113d06d267d87e814816d7430c436fc4110ca599ed594c83815dcc26

memory/1196-262-0x0000000002B20000-0x0000000002B36000-memory.dmp

memory/440-263-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 b2f3f214e959043b7a6b623b82c95946
SHA1 4924ee55c541809f9ba20fd508f2dd98168ffdc7
SHA256 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29
SHA512 c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 4f4b7680ed13999231427cea3f793198
SHA1 7f264d388f83bc0e7a9edb3d48c9c0d4c88435ae
SHA256 4013f37485f696e8201a3a2e15968798547a0bfa6cd038fb3ccbaf58474bc03c
SHA512 fec7d1caa79247b74052c4e844b6cacb5f1c912b4b8a0980ba1ed3bef6cad4bd96b9bddcf1506abf724639fe598583fdc8d3abefc29e2c91b438c37f7f81137b

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 a9dff1a1423ae6493390c04c399539ca
SHA1 5ff793d128413d28e7de6b35299e3b03490ac8e9
SHA256 d7f382b853f918acb42721e644733aca6819e46e6c21847a64b39025f8ca5a60
SHA512 228405d82b6b019bb2f1bfa3ec7648a8f680221665fa766b1d563ac4c312b07fe7132c76e20256083b8bdcc8dfd947345b9497d4ddd5ee3153897ca908724721

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2060-290-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 34e354b4c5f69dba58afc45c63ad939e
SHA1 3aec077c014f1334d2b6fe955902926199c05163
SHA256 37cabfaef1b6129cc78331e9edff9277a06577dd090153c948d785f63f38bf6d
SHA512 8ef7330fee9304a1872c9d287e431b71d1d424b46f9598a406f3c236377df606f7a7d7959c85cb72fdf87e9540f4b4b948e667c4eeae6c6b38b6ddbb206a5928

\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 e80ca3d4650fab4da3e98c43ae980b5e
SHA1 0f6fa4d528daafac126037f8c962812bd7137372
SHA256 90ece43702cb188dfd09f3039cfd1e35d469438e0d4a7548009b2295a161c57c
SHA512 fb5778a815bdc83010ee75f1ed9ec47211e3fc13cb08ff844429d7a7852c1da4112ce606dc332ead31712d1dc576b5911b4646b0b9461e369e1a67318e8ac2aa

memory/1028-309-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2588-320-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1028-324-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2588-327-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1028-329-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1028-337-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2588-355-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/2588-330-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2588-323-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1028-358-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2588-362-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBC11.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2588-376-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 a81c6ca18ca7edce0e41588254f6be83
SHA1 f54f8a43bf8950cf76ab907e1bc0112e1dac9131
SHA256 70e526013fb6547ffeb07988d5d151cf3251c5ca8d2102f5582143a35033f720
SHA512 fc717a4c98c898c1be958b15009ee44efbbf174950653cff3a45151da7de2ef03320d13ccb45ad1c16d3700ba879617cd161a1e7d2f7b76b7c62e1f5dec53abf

memory/1028-322-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1028-319-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 e7ae9a7b83d455d9a44ae490ea8823c3
SHA1 a4cc4e38964aef2117e138f893cbcb75948b1c64
SHA256 bbeef622006f6beaf0e66eb2120125fd95403dccfaa0f5d2034b9a952265aeb5
SHA512 277c39b235b39663036e4fb683157685bc206a0b113011f097c8e8eb5c7ccd3b3f04e55d37491c761313bcd2818f08794bb12eccf53d50cf59e5d38b0faaa7e9

memory/2588-307-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2032-306-0x00000000008E0000-0x0000000000962000-memory.dmp

memory/2904-382-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1028-304-0x0000000000400000-0x0000000000452000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 06f974b6d05eefe7a20e7606e787366f
SHA1 317897c9df71fb03588ec3dd89cb959b89b33710
SHA256 84ef950325d904547ffb2190e577e94c77eb33009b88ae938dcbbe1afd6f5a8d
SHA512 54d1df1a7e90b2d2905cdcd0762cc8852f9c2cab3c0599ebe03ed47a5f64413bc5aa922827e0123a696c2c468dde8aa79f01df3c9e3de662d0678aa8500e6d58

memory/1732-392-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2224-394-0x0000000004890000-0x0000000004936000-memory.dmp

memory/2224-397-0x00000000047E0000-0x0000000004886000-memory.dmp

memory/2908-395-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/1792-396-0x0000000000D50000-0x0000000000DA4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TarC4CA.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 2bb6f0cd6b4e0ad586abbd37efefe67d
SHA1 67ae8a0e617ff15fd2d8a0cc7465b23b3dd13210
SHA256 7f87095854866d4843fd7db306b26a6b315b6d4940960bcffdc22aea8afc4e09
SHA512 fc8104a54db962b18c27eca9ae529a39cd851141f2af3d588302a3b4d3c9bafbffb6e170e4dd0a7ec8b9a18a94d8abc7980f64f9dfb915ad17c10d79917ff7a5

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 0a32add9aa623abde31582670a849ce5
SHA1 925e5141a97e3d00c05285a5f6225994ddb6c585
SHA256 e64b84ce61a59477947878df12f160d5a22e8be929f1af21659c6a809e3293de
SHA512 4bf1b41c7c938679777cb60f738207f8fd1f2af39ae57231562b71c1b0e8c50d107461aeff30671ff2cbf673fad78293f42a41b3dea1e7c4467ea6f94b2e295e

memory/2224-417-0x00000000047E0000-0x000000000487F000-memory.dmp

memory/2224-418-0x00000000047E0000-0x000000000487F000-memory.dmp

memory/2224-420-0x00000000047E0000-0x000000000487F000-memory.dmp

memory/2144-422-0x0000000004C90000-0x0000000004E3C000-memory.dmp

memory/2144-423-0x0000000004AE0000-0x0000000004C8C000-memory.dmp

memory/2144-427-0x0000000004AE0000-0x0000000004C85000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 d6f4c54a8e914ae86edfaa673b4ae096
SHA1 8e44a5c87b187f5c7eebceb8146ab8690e159e5d
SHA256 55124a60f20f12ce7941434b33cdbf779d50096eebbc3a46c1d81825259b10f6
SHA512 0dc57ae9acf1581aa5aa017381ae435fed8346ea74ef2fe5bd69e2dca576176f916a59cd68b30972e5ffc1667fd83d920c8fb99b5d93f38475a3dc39e4ad51d2

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2872-554-0x000000013F780000-0x00000001401BD000-memory.dmp

memory/816-565-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp

memory/2980-568-0x000000013F140000-0x000000013FB7D000-memory.dmp

memory/2060-576-0x0000000000290000-0x0000000000390000-memory.dmp

memory/2060-582-0x00000000001B0000-0x00000000001CC000-memory.dmp

memory/2060-583-0x0000000000400000-0x0000000002B17000-memory.dmp

memory/2224-584-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2316-585-0x0000000000FB0000-0x00000000013A8000-memory.dmp

memory/2032-586-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2032-587-0x0000000004300000-0x0000000004340000-memory.dmp

memory/2316-588-0x0000000002AD0000-0x00000000033BB000-memory.dmp

memory/2316-589-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/1792-590-0x0000000004F10000-0x0000000004F50000-memory.dmp

memory/2224-591-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/1792-593-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2224-597-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/2032-598-0x00000000021B0000-0x00000000041B0000-memory.dmp

memory/2224-599-0x00000000047A0000-0x00000000047E0000-memory.dmp

memory/2144-600-0x0000000073820000-0x0000000073F0E000-memory.dmp

memory/2144-601-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2144-602-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2144-603-0x0000000004AA0000-0x0000000004AE0000-memory.dmp

memory/2144-604-0x0000000002670000-0x0000000004670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1CA5.exe

MD5 051acd118e84612a34e8ef3ecc44a4a4
SHA1 ba50cc48379f01d9c737e4f4df60e8907374e0d9
SHA256 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422
SHA512 fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851

C:\Users\Admin\AppData\Local\Temp\4D66.exe

MD5 0a3303d13df2f74ca52000b263bdd8a1
SHA1 a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20
SHA256 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517
SHA512 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe

MD5 2824ace80efdab9d69642dff9629fdfb
SHA1 e6e28b68c89e38948d87558dba6e10de2c9b6905
SHA256 f8707344c2b8b65be686bac216aa4fa3bfd7e37eb809b4675169cf50d1d0ac89
SHA512 7599ddd5dc941e8b7656c2bad4a8d00a8708f258733a61234ead8d1665c5b58d693696dceeb62b373e3246bf2c0bc2c916dc4aba1f32d7f670682d6ecfa3c628

C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe

MD5 5c883ef6d1ad03173f30db4fc691d0a7
SHA1 4007444885a94ad3092e287a196249bc6c1301ef
SHA256 b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e
SHA512 125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 e1a9749628f80c7c6a037ed3cafc18fb
SHA1 cdd5b3ccfdc3e44ec69609850b46ae25068981e2
SHA256 5b78318d2eaaab94f3c7724070b503db4e111e0716daeab8214803dd534b97e7
SHA512 d62391301ddeffcdd0d704b36e22ac32e24770112a107a349b238fcba88070ac18ab361dd01363e48fa278fdf191f89cfdf490fe7b6ce38c43c07c3e8a0b81c6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 15:41

Reported

2024-01-26 15:44

Platform

win10v2004-20231215-en

Max time kernel

102s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

Lumma Stealer

stealer lumma

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\system32\wusa.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\FirstZ.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wusa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\wikombernizc\reakuqnanrkn.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\sc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\schtasks.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1344 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1344 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1344 wrote to memory of 5004 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 5004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5004 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 5004 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 5004 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 5004 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 5004 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\explorer.exe
PID 5004 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\explorer.exe
PID 5004 wrote to memory of 3572 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\explorer.exe
PID 5004 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 5004 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 5004 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 5004 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\wusa.exe
PID 5004 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\wusa.exe
PID 5004 wrote to memory of 2172 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\wusa.exe
PID 3572 wrote to memory of 8 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 3572 wrote to memory of 8 N/A C:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4440 wrote to memory of 2688 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 2688 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 2688 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 4440 wrote to memory of 4168 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 4440 wrote to memory of 4168 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 4440 wrote to memory of 4168 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 5004 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 5004 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 5004 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 2688 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2688 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 2688 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 4440 wrote to memory of 2480 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 2480 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 2480 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 4440 wrote to memory of 4292 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 4440 wrote to memory of 4292 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 4440 wrote to memory of 2900 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 4440 wrote to memory of 2900 N/A C:\Windows\system32\sc.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 5004 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
PID 5004 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
PID 5004 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
PID 3780 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\System32\Conhost.exe
PID 3780 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\System32\Conhost.exe
PID 3780 wrote to memory of 4364 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\System32\Conhost.exe
PID 2688 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
PID 2688 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
PID 2688 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 3780 wrote to memory of 3184 N/A C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe C:\Windows\SysWOW64\WerFault.exe
PID 5004 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 5004 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 5004 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3376 wrote to memory of 4732 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\system32\sc.exe
PID 3376 wrote to memory of 4732 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\system32\sc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4168 -ip 4168

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2480 -ip 2480

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 372

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2480 -ip 2480

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"

C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp

C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 680

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 716

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 772

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2480 -ip 2480

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 864 -ip 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 712

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 768

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 788

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2392 -ip 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2392 -ip 2392

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 808

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1184

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 988

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5564 -ip 5564

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 988

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

Network


Files


C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 072de8d94a4d621a7d8f60e4440c857c
SHA1 ce0fe6ca32e031cafcb7780518d177d2fc657818
SHA256 9ddf67e475061ce4403c4eb9f1c14006fe1a0064aefe5ce2e0031b8ba07681d8
SHA512 c3983a505f0c0ba3d0e7f3513fc96622fd9dad5303bcd2e104eb3f74bd5a3481893970a8b02e314eee9a158278aaf1e730eaa5fc7924d6d0f13dbb0030fc7376

memory/3780-256-0x0000000073720000-0x0000000073ED0000-memory.dmp

memory/2172-258-0x0000000073720000-0x0000000073ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsbA384.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3780-259-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

memory/2512-261-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/2512-263-0x00000000005C0000-0x00000000005C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 7e6f2c004143489bddf998e178447600
SHA1 54fdcce9f5313903efb1602925f6245665b7b8c5
SHA256 3fb780457739f0e6a78a6789d33df49b06380ea464b4671b92fc188a8aaacf3a
SHA512 4b6140519e9ac264f65c70f136a6ee95c4e556e9f25d6f044a0fa1976656c9671abf252f0fb0c9e9e55c822eac2c54cc6f6a51da2813cd38432999bccf9180eb

memory/3184-289-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2172-291-0x0000000004F30000-0x0000000004F40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 a0d45b92755377100edf894ce6bc5b73
SHA1 a9cdeb7299d1f9822daffb5705f8e1abcc8180f9
SHA256 1a82f76c3466ed5ace3bf1d7a06a578cdaf56f24f4959913b7211231666d0cfe
SHA512 fd2e291b98a05e284227dc54aa79944b5f178ec4b4154b23b04f5254c08c91b953debbc291bdaf2b5c73b5365f5f49c8ad611b8d191963d886284e4a8906bc96

memory/3376-295-0x0000000000F00000-0x0000000000F56000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

memory/3780-297-0x0000000073720000-0x0000000073ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 5a6358bb95f251ab50b99305958a4c98
SHA1 c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA256 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA512 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

memory/2512-288-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/4732-311-0x0000000000400000-0x0000000000452000-memory.dmp

memory/864-310-0x0000000002BB0000-0x0000000002BCC000-memory.dmp

memory/3780-300-0x0000000002670000-0x0000000004670000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp

MD5 1769d29cc010993ffa6c7b9076be5ad8
SHA1 7aafa7b944ffa484c2ccf5dbfbce001fd5b18e9e
SHA256 0eb898675007a1265f326a6af3db61fc65009e976e6957d5243d76ab017ea029
SHA512 b79fb9dcf51031df0d709875870aaf0a1d25d3139d3a455acbac1dabcbda10be905380798674b78d38c6e29aecf979581401ac5b4eb8ce54b6b42c50baf96fad

memory/2512-276-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/3376-327-0x0000000073720000-0x0000000073ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 dacb28af383f7c34ffa1c892e8215cb1
SHA1 75436bc6206d2ec8c5efae8be76d66b9aa46c0a5
SHA256 47342507c73f2004230f5f27049fb29a50176c1d74b9453182dc88ec89f079b3
SHA512 112482790c2e75fe481283979e27388ef08e52ad8523ac94dbe40ae891427996ee2a485c91579a7e9a538d979596b4dca56a86f78673e18fd4060031301dba52

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 6c0d16360d0718dc3e5594701af73039
SHA1 428d8b40394e9890268bdb72b0e33db89a246072
SHA256 da4f305c0cfd7cabf148cdd500d852ded2ba2912e8c52e7edecd6a916cf9986d
SHA512 37fdec437c6f86b904f6213c78462ad479ffbb1be2b481a21c522207e4a5b8ab8def4be697132f9596ecc70648450e6955ca7fb59a5d0a71ef7a3b4a19808db5

memory/2316-332-0x00000000007E0000-0x0000000000834000-memory.dmp

memory/864-331-0x0000000000400000-0x0000000002B17000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 d0d9d9aa8b3ad5853b760eb3aa892b6d
SHA1 35943c7ae7bbdb4ed9130fa468ae8910ad1297b3
SHA256 30fb90d175f358fc72830629c7dbd109459919e436532c48ca3353a2bd990a53
SHA512 8d1344fab192ab7e695a9bed4f992e1ae0e7824815308b553787b75a826977abb8798cb05aa6eceb9608e1c9d46b20a2bfbd349f85ab1be5a653dfd6df463fa4

memory/3184-333-0x0000000073720000-0x0000000073ED0000-memory.dmp

memory/2512-275-0x00000000005C0000-0x00000000005C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 b96d6aac94f719546c676e761120714e
SHA1 347b53aaf7bbec3a5b150c2681a1df5e417af7b3
SHA256 fae9071b9f0d3e54eda0ddb1c26ba00a717ba5c1aea30ae761f134382bae0e55
SHA512 b831b718e78a4e75a07eab8dd36a1e8ece046a12251190b5df081b5fe52e0fe95138ed06de20414feef48f375ba0be35bb5cd7402a1dcae5c0392ae08bd03d5e

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 d9c61ab04e9c3a3b967f35fe7868c65f
SHA1 d9e0000b8c50075dd895601a7eafc83819cbb40a
SHA256 38dc653663c987f32a8a8ab7f63790791f39d1fc0b1d345bb31c444be3206606
SHA512 ab5b2788515aff917e285e1b387b96cc7b9fad76686971073f7195f3825e7d741136e5305e00c8046870e274a1abf5ab58933ee5a484b2a454ad63152d458a91

memory/2480-245-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 ce6edaeebe218df710c2195c62d05ccc
SHA1 19048f4316424c2cb277a3f25b3bed5be05ef1cc
SHA256 805a42a3777135749a1cc3e403acfe134cedd640a101b57d2aacc67ceeb46015
SHA512 bfd3440eb79d321c53e852e3aadb3a549275f5be6caf9208f1a5867a76aeebf0c27fb904b787ec206637c80ebde2a245b3637afbb8c6769204f3f6f1ee730ed2

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 ac766f8d3e1620dd0960d55667278c68
SHA1 f7b175aa1ce28a72b58949699db40802ef859807
SHA256 a93c7de1528025f9321bf7b7d014060f44593d4edc6985293b1d2708337b9471
SHA512 a2345ff28fbe562c45be8dc3b81cff1159975019ab870dd9ab42e049b38d4c2e67f27728dc43f440764f48e767e3b770c81d1a2ae28e3f6d66054e7389c09cce

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 aac3a535b8e14f01df697506c7571beb
SHA1 98d3b2c56b8986a34abe946c315aa85a55426e07
SHA256 a312731b34e7e8b1361e7f08028cf1583a75adbfaaf10db9bfd4d6af0353fad2
SHA512 d60cd3a3d49248835460abbe11707b5a844ae4fb50f98e42a4077a00451a70fe5ff82a2031aca2a49d3342fd289efe2343a85c6487dd68ddc5296c3c4960fc10

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 bf3f04b52b6fedf1d5d790093aaef610
SHA1 00d159785608415e8329010a5eb61b7ea0cf28dd
SHA256 674bfa14a05ff74f3d0615f7574458765990f6150358ea11b06d4e76431e1bbd
SHA512 b34800dce7a21ad7f5eb0c6fc4da386206ec1e1353ed15d6687bfac92e4c9fe072275141a02f1cdcd648843ffe114ed1468c0ad487340d714f932bc24d19a039

memory/4888-213-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/4168-196-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 fcf4a98b7c566ab43a2ee56c2a7e5f7b
SHA1 72acf205516d117b1e92e741774e58ce1bbf93e2
SHA256 af1d0090e6a96b3cbdd42d9147484bd3bc4795d2fbfa51f432fc1337b922403e
SHA512 c294f9d7c8d0578e1d1c7eee3df85ba8748ec10cf355ba9d7699031cb8ab8a78ec46cfcad3bdf3a561f1ac5d0e61daa95d3da5d04fcbe01744705cecce8ad6c1

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2a4fe2818d6078f3ff111be2354c2482
SHA1 4a797d116ea6b428b36d48d20e922a5631aab6af
SHA256 fd8388624f20c7ae95ff8c71154e53461a695226219a1227c936abdeecd4cfca
SHA512 d89aec9f819476c37e306fa817da0080fdbbca457a6b1e323e5f4cd65d7aa806ccf051ca6734dda9dccb7ae067054b6917ff80b0b1894b4b080f2a47e7c8300e

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 9e7f5469b45458d39c5d9c6520af465e
SHA1 6fc950c5b70fd8423c52b0b97b1b3f9d7c6d381f
SHA256 0cc61c8953b078f886104d03fd33c3f2ad8f4250e4a9e6c8fa5e0bae4c4f5ab1
SHA512 bebcd4ce71e3dcb5f4ba42b0f110379ec9e7b47c59967ba11e8b2c5ea5f49cf51683de137e3856b26ecd525b01d1d931ad709a354fa467ba6672ba4ec3a95496

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 5be4a96754663f10f7871197875a4fed
SHA1 9cd0d1cb82ef80a9c3042a3192b58d2a7e09f0a0
SHA256 9a0f22819b6c026112266ad5d306239843b3cc30c26cc2c8d74272f4824b31fe
SHA512 d27d20aff1b863b61d451d8e2de8cbcde0acdb2cdef475895a3dbd91134374cb3fa7ee6432a6714fb747c1270b354319f19aef468b86228e78b5b82f358a7c14

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3700-379-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 a83a4df54471201cd5a8673c1dfb1bba
SHA1 4efb4e7281b0809d54751b053f3de6cd99b1f932
SHA256 db96c4050fe77fc266731c8870dfa75c8e26026d1433691c186e29d5e506ecd3
SHA512 86aa530a209ce70affd4ad0ac43887cb8f655b149536f4ed90ac191c5fc83930c809d3f7a772477c082525549a86c2190228a921e3c767895e07f661026756c5

memory/5004-395-0x00000000004B0000-0x00000000008B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 0d7af60b7914857675cbaf88a3c5ff2d
SHA1 d36b0dc5f028c3a7db336d28da4d1fc8f77add0c
SHA256 1b04c0858f3eb92c62cfcdff5b8bd6f8ba20f4ac1aae3b12a2e376064b1804b8
SHA512 12f05adeb08e01187ebf4c15d308095da962effc4cc3759ada764abd9d6bb62249b3973e7b89fa533bc365e58f5c2b314d4aeeac57216c6ab1cb1ab5c6799732

memory/444-403-0x0000000002700000-0x000000000279F000-memory.dmp

memory/444-404-0x0000000002700000-0x000000000279F000-memory.dmp

memory/444-407-0x0000000002700000-0x000000000279F000-memory.dmp

memory/3572-127-0x0000000073720000-0x0000000073ED0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 0e6e0443a9bd40df436c0a2cfb99c313
SHA1 d318aa7fa2bbff826f16e4f52dcf0ace2dfd6ff6
SHA256 5c2aaeed01e56a734b43233946e94beb66bb1f0cd018bd907847d9cc53c26594
SHA512 1f8c224089153bf05450c1bd4da0b2b35200547d0fa6abe494ac5915c7aa6785d3fff65273db55c75f78b44210e52df80b7f44492389fb60bb6757efa6d527b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/864-436-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 1abd6eae26a304c260e949e4d87bb007
SHA1 ed4c90d0a7480d0973474364fff42b54a8e2abb1
SHA256 0d1931ab34d9160e9204ef3d61e413786378e2d5dcc01965d07449c782f7502b
SHA512 688f3776ad84cd62ad941baad8e557b3d7fa2de41c86131a1c93146ca60fe6a48c686bd28cdf5cfe114acea155a060eaaaf0aa989c963e8d20480052388dc1a8

memory/444-442-0x0000000002700000-0x000000000279F000-memory.dmp

memory/444-456-0x0000000002700000-0x000000000279F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 874115437d0241018bc86184fb6b456a
SHA1 f7b2339fae03c8ac2b273c83fbb59d1d1d6bfb1f
SHA256 975562a70a6685f6bf8913ef2f7b8bcbcdb0797eef619fed0a2ea32630267710
SHA512 15fe2ac3d848756232edd6e74384a0591c66e2ee491f4a8404aadb167993c5883da930d6848a965603f8950034a05229b57bcf76641d68e2daa839ee28f15235

memory/444-464-0x0000000002700000-0x000000000279F000-memory.dmp

memory/3896-450-0x00000000002D0000-0x00000000007B0000-memory.dmp

memory/3960-477-0x0000000005740000-0x00000000058E5000-memory.dmp

memory/444-471-0x0000000002700000-0x000000000279F000-memory.dmp

memory/444-479-0x0000000002700000-0x000000000279F000-memory.dmp

memory/3960-481-0x0000000005740000-0x00000000058E5000-memory.dmp

memory/444-488-0x0000000002700000-0x000000000279F000-memory.dmp

memory/3960-489-0x0000000005740000-0x00000000058E5000-memory.dmp

memory/444-496-0x0000000002700000-0x000000000279F000-memory.dmp

memory/3960-497-0x0000000005740000-0x00000000058E5000-memory.dmp

memory/2480-437-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/444-435-0x0000000002700000-0x000000000279F000-memory.dmp

memory/4888-425-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/444-413-0x0000000002700000-0x000000000279F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 37d12febec1f204c2e0b56f2d50ad5d6
SHA1 2ad748e3097bd56340ed1a39784341aafd97ab73
SHA256 b9d2970bd33ab730574cdfbd7bf7949571d28044955adc68cfe1d82d5bbccf00
SHA512 2cdf9c3892e5751e5030291af26aef7968f64f9d2a53bb265a691876dfcfdcd40911530afcd6c23169288bb23628f1246eaa24de96430111785119fafaa2ead1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1dfbfa155719f83b510b162d53402188
SHA1 5b77bb156fff78643da4c559ca920f760075906c
SHA256 b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831
SHA512 be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 4bb74fc03fc3432cab36fc92c6a587bb
SHA1 5c234f504b137cae2e65c82ad0d82bb2241953aa
SHA256 e707c249eb71388182738032e18906f64fb9ca1da5c18920e4b4b0e30802ae98
SHA512 cc77c19154dba39bdff8af819ee73af2c0e4314d9bde312fb8fea3b9e1c7e39154e01a5c279093e0d077da8717389089eb930651df4f9d6e5acc188f6ef8b881

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 1def7c36d4f6d89a0140fe7f087d8ccc
SHA1 e8fc0b5b7c9f882ed62e1f5e69d659276fd5218d
SHA256 e90bfa1740d0418ce551670183f5d7b790dba0a5d4c8fe29820d3dc7229fdd0d
SHA512 6017a394c59820a361ff1557ef7c4422adfc22419c6d756196c9f59266db03eb1200b32c978238621119c9586e650e576fc4cc527f821df5e32026c4730067ea

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 3058f10b2fe431d9f8a487a35cd89ba3
SHA1 adf31cfada940e96a02305177bea754d4ee41861
SHA256 73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30
SHA512 4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 ca56674ef98b9a14d6b87018b1296a50
SHA1 7f2224e3439d338ea82d81d7d577eb5d3323d6fa
SHA256 dde58070181cd1cd74b712d4b3ffa1f82b105670e01a5d22b44177e820ee6146
SHA512 3b4df90268f213bf2a05d3568c93d92accb7dfa25971b690e82abf30d0275798314dd503ee998be4cd2e5560703d04a76391daecfadabc8eef886a7abb164f87

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 5ea776e43112b097b024104d6319b6dc
SHA1 abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256 cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA512 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

C:\ProgramData\nss3.dll

MD5 108ae188533e72b9c3c60586391ba324
SHA1 c2b728e5464f326ceef079ccbf4985946933ad95
SHA256 6f7dfc5a107b0195bfbf12e62dae6d86f6b7192e1a3d85dc86eda50af7efbc52
SHA512 1956c51b5a43b9d0c53819451a762562570f69112bed3b4fa0d402acd2e8d3c8e2452b16f5ed538635f5b9757f61a0eadc1ad9b987d22725cd7285d79c241533

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 175a6c1f47c9c62ccf9eada2a8f2dc7e
SHA1 7446f8bebf48c682654d7c4793904555b7500a79
SHA256 82ac4d146c3107d854645e7a77b912ac38ae68240a4a5c7dd6aa0a3be6b4ac39
SHA512 619cb31d29206433749c59f22ad2ecf91584801085053ba928c6e712b528a9ed78ea82dcd7c58429189356154109736aec4f66fd16b1b45c563a19927e8f7f46

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 e38d2389ebc4194ced166dc29b7d8829
SHA1 04ee969be16932f35f90890807f61125bc5d6caf
SHA256 b6c9956f3f0477b4ebc018f81e8c4eef28073242c9dd7890a163151252faff92
SHA512 9c86cc10e7eaedc035c347f82976eccf059db24bec5524bc5d8a12e7e61b64ea0e83fd47c57c34dcbf8db29db32dda46e408087b087d4bf8e71b03efb9dbc404

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xb5thseh.lfp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 ffada57f998ed6a72b6ba2f072d2690a
SHA1 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f
SHA256 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12
SHA512 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 e9045a8ddcc8490aa44de4dc4b64f72f
SHA1 408294567482116ef89a2ac7795f5a1ae77d0551
SHA256 55d73cd58a381cef3e5fd68b8e084e93a95872a6dee7c0b763f45c49c55f8dea
SHA512 5864f7ed18501424f93f7e9ce7bb5897d873a505c80ba26e9b22a94cbeb9d6f1825e61fb49ea159f79899a764555cee8a4642e27874611c818188b1d8fda8fed

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd