Analysis Overview
SHA256
a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
Threat Level: Known bad
The file 194d36596016f52a59cc6163a5cc1898.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba
Detect ZGRat V1
Lumma Stealer
Djvu Ransomware
Glupteba payload
Stealc
SmokeLoader
RisePro
Amadey
RedLine payload
RedLine
ZGRat
Blocklisted process makes network request
Modifies Windows Firewall
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
Reads user/profile data of web browsers
.NET Reactor protector
Reads data files stored by FTP clients
Checks computer location settings
Modifies file permissions
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Looks up external IP address via web service
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: LoadsDriver
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Delays execution with timeout.exe
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 15:41
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 15:41
Reported
2024-01-26 15:44
Platform
win7-20231215-en
Max time kernel
12s
Max time network
153s
Signatures
Amadey
Detect ZGRat V1
Djvu Ransomware
Glupteba
Glupteba payload
RedLine
RedLine payload
RisePro
SmokeLoader
Stealc
ZGRat
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | "C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe" |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" |
| C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F |
| C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | "C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | "C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe | "C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe" |
| C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | "C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe | "C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe" |
| C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | "C:\Users\Admin\AppData\Local\Temp\toolspub1.exe" |
| C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe |
| C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp | C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp |
| C:\Users\Admin\AppData\Local\Temp\rty25.exe | "C:\Users\Admin\AppData\Local\Temp\rty25.exe" |
| C:\Users\Admin\AppData\Local\Temp\FirstZ.exe | "C:\Users\Admin\AppData\Local\Temp\FirstZ.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe | "C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe | "C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe" |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {70A10ACB-A3A3-4CC3-BFE9-E7E7ADC59A15} S-1-5-21-2444714103-3190537498-3629098939-1000:DJLAPDMX\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe | "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe | "C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 812 -s 264 |
| C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe | "C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe | "C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe" |
| C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe | "C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" |
| C:\Windows\SysWOW64\rundll32.exe | "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main |
| C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe | "C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" " |
| C:\Windows\SysWOW64\chcp.com | chcp 1251 |
| C:\Windows\SysWOW64\schtasks.exe | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2144 -s 604 |
| C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe | "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "FLWCUERA" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto" |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "FLWCUERA" |
| C:\Windows\system32\choice.exe | choice /C Y /N /D Y /T 3 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nso97EE.tmp" & del "C:\ProgramData\*.dll"" & exit |
| C:\Windows\SysWOW64\timeout.exe | timeout /t 5 |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Users\Admin\AppData\Local\Temp\1CA5.exe | C:\Users\Admin\AppData\Local\Temp\1CA5.exe |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe delete "WSNKISKT" |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto" |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\ProgramData\wikombernizc\reakuqnanrkn.exe | C:\ProgramData\wikombernizc\reakuqnanrkn.exe |
| C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe start "WSNKISKT" |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop eventlog |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop UsoSvc |
| C:\Windows\system32\wusa.exe | wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop WaaSMedicSvc |
| C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop wuauserv |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop bits |
| C:\Windows\system32\sc.exe | C:\Windows\system32\sc.exe stop dosvc |
| C:\Windows\system32\conhost.exe | C:\Windows\system32\conhost.exe |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0 |
| C:\Windows\system32\powercfg.exe | C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0 |
| C:\Windows\explorer.exe | explorer.exe |
| C:\Users\Admin\AppData\Local\Temp\4D66.exe | C:\Users\Admin\AppData\Local\Temp\4D66.exe |
| C:\Users\Admin\AppData\Local\Temp\4D66.exe | C:\Users\Admin\AppData\Local\Temp\4D66.exe |
| C:\Windows\SysWOW64\icacls.exe | icacls "C:\Users\Admin\AppData\Local\dee48eff-63e6-44f6-8169-a0404ff318a2" /deny *S-1-1-0:(OI)(CI)(DE,DC) |
| C:\Users\Admin\AppData\Local\Temp\4D66.exe | "C:\Users\Admin\AppData\Local\Temp\4D66.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\Temp\4D66.exe | "C:\Users\Admin\AppData\Local\Temp\4D66.exe" --Admin IsNotAutoStart IsNotTask |
| C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe | "C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe" |
| C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe | "C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe" |
| C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe | "C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe" |
| C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe | "C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe" |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe" |
| C:\Windows\system32\makecab.exe | "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240126154343.log C:\Windows\Logs\CBS\CbsPersist_20240126154343.cab |
| C:\Users\Admin\AppData\Local\Temp\604F.exe | C:\Users\Admin\AppData\Local\Temp\604F.exe |
| C:\Windows\SysWOW64\cmd.exe | cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" " |
| C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | "C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe | work.exe -priverdD |
| C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe |
| C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2572 -s 1452 |
| C:\Windows\system32\cmd.exe | C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes" |
| C:\Windows\system32\netsh.exe | netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes |
| C:\Windows\rss\csrss.exe | C:\Windows\rss\csrss.exe |
Network
Files
| SHA1 | c4a6ad2ad633059f87d935783dcaa92eefddd9dc |
| SHA256 | 8f16a299dbfc95156b6add8fb549f718ae76408471a4f0c4bf519bf1fea4afc9 |
| SHA512 | 703a245c335160cc4516a2b5fe8c9d0ffcb3dfd241465cf5153a1dd2ef8b6cc0f935c5bf4cfeb464d0df15ed5f7b2b845128dea5230d82bb2bcaabfb6ac95e73 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 3a03557975ee14af862567f798b0e42a |
| SHA1 | d5c457d87efc3e66d57f995125472bfc2d7cdd5e |
| SHA256 | e1c1f63ca6c4b11017e68a40ee5885b58606164dfc80af08b885476dd21a1d22 |
| SHA512 | 7835e196cddcd35841156f00899925e588961ae4a4e4c5d84249573e44692af66127cb12bf41bc457cab12537395bf3469d9195e82d1c321e2a4470a94a64cdf |
memory/2300-167-0x00000000048F0000-0x0000000004930000-memory.dmp
memory/816-199-0x0000000001310000-0x0000000001318000-memory.dmp
memory/1568-200-0x0000000073820000-0x0000000073F0E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 8ea424e9c92b90e74cb3d7e1fb66f2a0 |
| SHA1 | e3ba2589a91ce9ab19fa950d23e0eaf1180bcca8 |
| SHA256 | d3d5c67ddfb57b9071dd1dff9592cb334165647e556dd9ca1b8d45ea453db288 |
| SHA512 | 85d70203d31dd728baa7e3c8adb2b8c842bc539976714ad6a6beb9e62a0fd2ecb812cf07fb427f885b98557ee4de4f6671b2581577c6f433461f9eddf3628b67 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 7193444c84b88fefba797d5c4e8a7968 |
| SHA1 | adbf1961d4fe9b2eca438c795bf9d13c63b00444 |
| SHA256 | eac3c398064f6d3cfa8df07118ed9456dd358d56f429b40906f8d8454286a9ae |
| SHA512 | 13f78263d4422a6920c2f2944eb20452a124df8a1ce2ce0fb546dd250ac230a7127b32d7e890ff98fc05c9f3a174e81b3f7f75013bc6e0c8245129e0918c0469 |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 3e4653c7a44efe2038d5829d14290f63 |
| SHA1 | b3db6a4552e45be991851de7bb7ed01a33b05166 |
| SHA256 | 6fa9c9606e1086ef4aa59e37a669112f8fd781c90ad9e9c606f295fb3fe18fb6 |
| SHA512 | f0573077df7ec296444c6dbda12b612ad9a8cabf11821138cf787c6acf7ab3b9cdc3e81a339281e55f9967c08833ca10ab2a9ac5c84a6fdd7c08d30224515a4b |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | 9df9bf36c91a147de0a8f7db802e5a8e |
| SHA1 | 068b89f9c6c22cde0e7431ac6c51021116d01848 |
| SHA256 | 2940259eb1335080f7a2f8a12982a60ae841672ca767b9de39da3331e17575b8 |
| SHA512 | 2486b86c4e562f744e6838ca9168b26a7f7a34791e80d00bba48acd7f284c1b80ebc73a7251819fb27c913442edd14330386b45151ec69fdd3271853cf089d77 |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | fa5ce14c82e4ab3aee7cca7416c9c106 |
| SHA1 | 6883436202ce6c6748094d39a1d5f0cc94a507b5 |
| SHA256 | b90741299d26cffb0a457b5614565708114e9ac92971ce5aa91d738a87b8b911 |
| SHA512 | a926da59eae276bfd9d7657a934e0d75afcdc5abaede93c88ac7dd0c7eb1f152ac582232685881ae78f20f8195165bd301cef5e4ff4892c958c8d77f32d8c830 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d70f8f1a3d6845eda5be0789ecf0ede8 |
| SHA1 | 5ad3b821a0c49c590488914cf7f2fb9084507283 |
| SHA256 | d4e1a1aeebc1c1e5aa4ac554bb902794c98616d9de051c17ca4cd452628c0a8c |
| SHA512 | 800d100d0931220fe986f8da77a470a920b6cd731958043eb4389a2f7a436745771204c4f08e3fcc0165e84d03f9445c5917e68c7fa3f873fc9361511c533d2c |
memory/440-152-0x00000000004E0000-0x00000000005E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | 2a4b8b1bb2998d25a450319180193e82 |
| SHA1 | 661537f5920598070c2abeb92251cfef57488c24 |
| SHA256 | 58f791f63da18bb11de3e97e5719b62d3c4a05a497858628e098dbce32bfad23 |
| SHA512 | da5ec2a6bf1b6306c860bb8ba9af92f1a4309deece80b0f1433a932c3d49a6202f84cfa595b79c3cabe6fba1923d27bcd94e2bca6830d9b1e9d016a909068156 |
memory/2908-217-0x0000000001380000-0x00000000013EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | a0fef664fc14b5d0c4d24d2cd5d03aaf |
| SHA1 | 0dadf1d32a9ab6538a5b039b357574bc2ab16f5a |
| SHA256 | 50f2c5c52b712c9eb4c917de9839b7a0c9cf06698e707dbca2e1d0787042b024 |
| SHA512 | e8659a19be11c977c4e01d8e27aa30ae8cc41e58c492501de7a82f1d7fed76d34f097706e832a7d61a838fd1d05d03f9ea46fd07113311454d968e36bfb80dc1 |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | aff13f45338e4135daf70dd3a8d5c646 |
| SHA1 | c7232f86cdcfcfedee3dea91b172d90f33c1fa19 |
| SHA256 | ad50e9565c13e04eae95bc184ef2eccfb73f64dc0f88d7831320560d118696c9 |
| SHA512 | 9607460a55306d05908063bbf144a0715d1d92d507b24d6a55a1bebb438859add61f423eefbc2b342eeb8f9cbe2392ef04ff2c5a8537c3a270920fb7642041ea |
memory/2316-214-0x0000000000FB0000-0x00000000013A8000-memory.dmp
memory/1084-149-0x00000000001D0000-0x00000000001D1000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 1e00482af9facb50bee911744c0db8ae |
| SHA1 | 45fdedb971c2ec4b54247a433ab46ea34e2bc86a |
| SHA256 | 8678a0ba662a09aa99a08fa5e721c244bd0dd84748e7df716cf1d3bd24f53e98 |
| SHA512 | 4d199a94fa90872f9371af17a1e87cebfcaa3d1c7c66090a2c2e7a8fa22acddb2e54d16e78189cc1590b0abd580e8aa5ac4e873231ef8d89345ca2f655c977db |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 94b1bd642375c0ba6f8acfdf8e4a2549 |
| SHA1 | ffc188787e8ee33806fdd8ed65a5c08a707fdf16 |
| SHA256 | 03fbe3a356e6b4a7fda655cebb7d4852a86692922de2b0e4d4b8ddbca3aa3f0b |
| SHA512 | 72015a306fae0c198353b2b6497f9fe1f4493e73580940c5431b61923be180d67b4dcdf362eee4d227e74042feccd7aa7287d9743847816b6846fb9c2a84b74e |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 520a61a23ea1870f71e48d3b37df84f3 |
| SHA1 | e452e1d95b05108b5e22b86cb91545aabd2438e0 |
| SHA256 | 83e6382fb4a1fe66daa35fd1c3f7d943649b42bc238a05480eda55e2c38ab213 |
| SHA512 | 34d1d4fa124cac0f5f1df53f865281882b3259cc94cf40a5b4a00f4b8b237c3a1a315c44ef9b827da6dc36b39ef9101433a8ee09546b9d9ea3725a77bd8d0830 |
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | 921a3a76b5f1d438020d0105e9fddb0e |
| SHA1 | cb65b73c08c099d0da6327e8e4511e15dc48aad7 |
| SHA256 | 3f9ed04bb963228edd19539f0e16540892367fca9e3e8fa51d64194fcdfb7e8a |
| SHA512 | 253a576cba3dbc78560864ff719549c4c690d9f31afd5e3108c38dbcf7a2279cd4d760e4d311bfe6edfd5af8c2bc31dca920a33161580bbb339d603e19184b40 |
memory/812-231-0x00000000004B0000-0x0000000000537000-memory.dmp
memory/1732-243-0x00000000012A0000-0x00000000012F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | d1eed5cb23f4a43863d99765c6f517b7 |
| SHA1 | 13b53fb02a0864c8d76ef9f3ed55f3904e940eaf |
| SHA256 | 49d1cd8f9823955bfe219b7a90ffbfad97171c9594e22a74bd578b01f529c932 |
| SHA512 | 41df824e109ce01e91b6e290e3f0fab7b355db231c6ab6abd42e7ef58e57f4d118dab011d1fc48382c6e4142ca56a4c3bf3a741a4701adb4fdf86d324fde3d9c |
\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 1e9c198053227c0c2a3bbf1778396e45 |
| SHA1 | d279fade27f46ea99cce04e4125aef5b20546efb |
| SHA256 | 065d6d633f8e030d6a8d3a8ef75556a7b7fac3372a503ae05e33d0f4818ef627 |
| SHA512 | 1552dc93cbba06392d6eb594610421ebd072896dcbccb62a591cf824d9c5bcfa014622cd9faf92190b788bcd24a82e4ac2b705fe153e84061926581ffbb43181 |
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 1c26cb11f4b49db755cc30bf9ba75b41 |
| SHA1 | ee8b15085783fd7bc9ba9aaf62484b2f87c461df |
| SHA256 | d788e54832239bb6a4abe5a3c4ff4fd3d3b9e60e4805420d1dd315a687bbb025 |
| SHA512 | f17e02b984f39e92a2d96b57bfdbdadd33fb5947fc2277c59886711adc7b11e4d4429e653668374ee7423e999f411a37b64f04aa6b3f2eb61543e9cbac3b2f67 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 1f5fdc4919d6ac5e7546baa69630c319 |
| SHA1 | 946f300d404d6325407908d7c862011a7d31186d |
| SHA256 | 710aa19fed6dca2ca92083012ba59d3f9d2decca63de003780a1163fc6c203d9 |
| SHA512 | 1c026ad87b492c67079b35dd7dfba8ac6e34e74d6ac6545ef65683bdf074f4eb475d60acff573dadd91f95d71d1fff37d92443fa4d6c4c70aaaa4d6dcdd2e872 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | b4756c39409ceeea273075285f52a344 |
| SHA1 | 20a32b83ed02ca985894f059f180bae51e50cc15 |
| SHA256 | 4a8c0add41860fad3a1ad8a63a323781e11def21d5de0e421719cf791d6d554b |
| SHA512 | 64129dd12057b8a55e29378c0d699e07daf0e14264ead13499d2fb8bb8de0226e71e7bcf113d06d267d87e814816d7430c436fc4110ca599ed594c83815dcc26 |
memory/1196-262-0x0000000002B20000-0x0000000002B36000-memory.dmp
memory/440-263-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | b2f3f214e959043b7a6b623b82c95946 |
| SHA1 | 4924ee55c541809f9ba20fd508f2dd98168ffdc7 |
| SHA256 | 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29 |
| SHA512 | c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67 |
\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | 4f4b7680ed13999231427cea3f793198 |
| SHA1 | 7f264d388f83bc0e7a9edb3d48c9c0d4c88435ae |
| SHA256 | 4013f37485f696e8201a3a2e15968798547a0bfa6cd038fb3ccbaf58474bc03c |
| SHA512 | fec7d1caa79247b74052c4e844b6cacb5f1c912b4b8a0980ba1ed3bef6cad4bd96b9bddcf1506abf724639fe598583fdc8d3abefc29e2c91b438c37f7f81137b |
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | a9dff1a1423ae6493390c04c399539ca |
| SHA1 | 5ff793d128413d28e7de6b35299e3b03490ac8e9 |
| SHA256 | d7f382b853f918acb42721e644733aca6819e46e6c21847a64b39025f8ca5a60 |
| SHA512 | 228405d82b6b019bb2f1bfa3ec7648a8f680221665fa766b1d563ac4c312b07fe7132c76e20256083b8bdcc8dfd947345b9497d4ddd5ee3153897ca908724721 |
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: all four digests above are the well-known hashes of empty input, so this entry records a zero-byte file (most likely created but not yet written to when it was captured). Do not pivot on these hashes; the two later MRK.exe entries carry the actual content hashes.
memory/2060-290-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | 34e354b4c5f69dba58afc45c63ad939e |
| SHA1 | 3aec077c014f1334d2b6fe955902926199c05163 |
| SHA256 | 37cabfaef1b6129cc78331e9edff9277a06577dd090153c948d785f63f38bf6d |
| SHA512 | 8ef7330fee9304a1872c9d287e431b71d1d424b46f9598a406f3c236377df606f7a7d7959c85cb72fdf87e9540f4b4b948e667c4eeae6c6b38b6ddbb206a5928 |
\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | e80ca3d4650fab4da3e98c43ae980b5e |
| SHA1 | 0f6fa4d528daafac126037f8c962812bd7137372 |
| SHA256 | 90ece43702cb188dfd09f3039cfd1e35d469438e0d4a7548009b2295a161c57c |
| SHA512 | fb5778a815bdc83010ee75f1ed9ec47211e3fc13cb08ff844429d7a7852c1da4112ce606dc332ead31712d1dc576b5911b4646b0b9461e369e1a67318e8ac2aa |
memory/1028-309-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2588-320-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1028-324-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2588-327-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1028-329-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1028-337-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2588-355-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/2588-330-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2588-323-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1028-358-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2588-362-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabBC11.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2588-376-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | a81c6ca18ca7edce0e41588254f6be83 |
| SHA1 | f54f8a43bf8950cf76ab907e1bc0112e1dac9131 |
| SHA256 | 70e526013fb6547ffeb07988d5d151cf3251c5ca8d2102f5582143a35033f720 |
| SHA512 | fc717a4c98c898c1be958b15009ee44efbbf174950653cff3a45151da7de2ef03320d13ccb45ad1c16d3700ba879617cd161a1e7d2f7b76b7c62e1f5dec53abf |
memory/1028-322-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1028-319-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | e7ae9a7b83d455d9a44ae490ea8823c3 |
| SHA1 | a4cc4e38964aef2117e138f893cbcb75948b1c64 |
| SHA256 | bbeef622006f6beaf0e66eb2120125fd95403dccfaa0f5d2034b9a952265aeb5 |
| SHA512 | 277c39b235b39663036e4fb683157685bc206a0b113011f097c8e8eb5c7ccd3b3f04e55d37491c761313bcd2818f08794bb12eccf53d50cf59e5d38b0faaa7e9 |
memory/2588-307-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2032-306-0x00000000008E0000-0x0000000000962000-memory.dmp
memory/2904-382-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1028-304-0x0000000000400000-0x0000000000452000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 06f974b6d05eefe7a20e7606e787366f |
| SHA1 | 317897c9df71fb03588ec3dd89cb959b89b33710 |
| SHA256 | 84ef950325d904547ffb2190e577e94c77eb33009b88ae938dcbbe1afd6f5a8d |
| SHA512 | 54d1df1a7e90b2d2905cdcd0762cc8852f9c2cab3c0599ebe03ed47a5f64413bc5aa922827e0123a696c2c468dde8aa79f01df3c9e3de662d0678aa8500e6d58 |
memory/1732-392-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/2224-394-0x0000000004890000-0x0000000004936000-memory.dmp
memory/2224-397-0x00000000047E0000-0x0000000004886000-memory.dmp
memory/2908-395-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/1792-396-0x0000000000D50000-0x0000000000DA4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TarC4CA.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | 2bb6f0cd6b4e0ad586abbd37efefe67d |
| SHA1 | 67ae8a0e617ff15fd2d8a0cc7465b23b3dd13210 |
| SHA256 | 7f87095854866d4843fd7db306b26a6b315b6d4940960bcffdc22aea8afc4e09 |
| SHA512 | fc8104a54db962b18c27eca9ae529a39cd851141f2af3d588302a3b4d3c9bafbffb6e170e4dd0a7ec8b9a18a94d8abc7980f64f9dfb915ad17c10d79917ff7a5 |
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | 0a32add9aa623abde31582670a849ce5 |
| SHA1 | 925e5141a97e3d00c05285a5f6225994ddb6c585 |
| SHA256 | e64b84ce61a59477947878df12f160d5a22e8be929f1af21659c6a809e3293de |
| SHA512 | 4bf1b41c7c938679777cb60f738207f8fd1f2af39ae57231562b71c1b0e8c50d107461aeff30671ff2cbf673fad78293f42a41b3dea1e7c4467ea6f94b2e295e |
memory/2224-417-0x00000000047E0000-0x000000000487F000-memory.dmp
memory/2224-418-0x00000000047E0000-0x000000000487F000-memory.dmp
memory/2224-420-0x00000000047E0000-0x000000000487F000-memory.dmp
memory/2144-422-0x0000000004C90000-0x0000000004E3C000-memory.dmp
memory/2144-423-0x0000000004AE0000-0x0000000004C8C000-memory.dmp
memory/2144-427-0x0000000004AE0000-0x0000000004C85000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
| MD5 | d6f4c54a8e914ae86edfaa673b4ae096 |
| SHA1 | 8e44a5c87b187f5c7eebceb8146ab8690e159e5d |
| SHA256 | 55124a60f20f12ce7941434b33cdbf779d50096eebbc3a46c1d81825259b10f6 |
| SHA512 | 0dc57ae9acf1581aa5aa017381ae435fed8346ea74ef2fe5bd69e2dca576176f916a59cd68b30972e5ffc1667fd83d920c8fb99b5d93f38475a3dc39e4ad51d2 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/2872-554-0x000000013F780000-0x00000001401BD000-memory.dmp
memory/816-565-0x000007FEF5080000-0x000007FEF5A6C000-memory.dmp
memory/2980-568-0x000000013F140000-0x000000013FB7D000-memory.dmp
memory/2060-576-0x0000000000290000-0x0000000000390000-memory.dmp
memory/2060-582-0x00000000001B0000-0x00000000001CC000-memory.dmp
memory/2060-583-0x0000000000400000-0x0000000002B17000-memory.dmp
memory/2224-584-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/2316-585-0x0000000000FB0000-0x00000000013A8000-memory.dmp
memory/2032-586-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/2032-587-0x0000000004300000-0x0000000004340000-memory.dmp
memory/2316-588-0x0000000002AD0000-0x00000000033BB000-memory.dmp
memory/2316-589-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1792-590-0x0000000004F10000-0x0000000004F50000-memory.dmp
memory/2224-591-0x00000000047A0000-0x00000000047E0000-memory.dmp
memory/1792-593-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/2224-597-0x00000000047A0000-0x00000000047E0000-memory.dmp
memory/2032-598-0x00000000021B0000-0x00000000041B0000-memory.dmp
memory/2224-599-0x00000000047A0000-0x00000000047E0000-memory.dmp
memory/2144-600-0x0000000073820000-0x0000000073F0E000-memory.dmp
memory/2144-601-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
memory/2144-602-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
memory/2144-603-0x0000000004AA0000-0x0000000004AE0000-memory.dmp
memory/2144-604-0x0000000002670000-0x0000000004670000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1CA5.exe
| MD5 | 051acd118e84612a34e8ef3ecc44a4a4 |
| SHA1 | ba50cc48379f01d9c737e4f4df60e8907374e0d9 |
| SHA256 | 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422 |
| SHA512 | fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851 |
C:\Users\Admin\AppData\Local\Temp\4D66.exe
| MD5 | 0a3303d13df2f74ca52000b263bdd8a1 |
| SHA1 | a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20 |
| SHA256 | 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517 |
| SHA512 | 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938 |
C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build2.exe
| MD5 | 2824ace80efdab9d69642dff9629fdfb |
| SHA1 | e6e28b68c89e38948d87558dba6e10de2c9b6905 |
| SHA256 | f8707344c2b8b65be686bac216aa4fa3bfd7e37eb809b4675169cf50d1d0ac89 |
| SHA512 | 7599ddd5dc941e8b7656c2bad4a8d00a8708f258733a61234ead8d1665c5b58d693696dceeb62b373e3246bf2c0bc2c916dc4aba1f32d7f670682d6ecfa3c628 |
C:\Users\Admin\AppData\Local\83b660ef-c71b-4525-b660-ca40047ed695\build3.exe
| MD5 | 5c883ef6d1ad03173f30db4fc691d0a7 |
| SHA1 | 4007444885a94ad3092e287a196249bc6c1301ef |
| SHA256 | b1e0b896d1cdbe0cfe16d1d6f604640e2b22aeb144eb411086fa31d2073f316e |
| SHA512 | 125b18de452ee08cc42806f15864bb5429403ca696e385d5fb32d87cde841629e12f0d64c308c8ff7444d36c5da71e75fdc66733418bc886cad6a6e9ba7eb816 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | e1a9749628f80c7c6a037ed3cafc18fb |
| SHA1 | cdd5b3ccfdc3e44ec69609850b46ae25068981e2 |
| SHA256 | 5b78318d2eaaab94f3c7724070b503db4e111e0716daeab8214803dd534b97e7 |
| SHA512 | d62391301ddeffcdd0d704b36e22ac32e24770112a107a349b238fcba88070ac18ab361dd01363e48fa278fdf191f89cfdf490fe7b6ce38c43c07c3e8a0b81c6 |
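The inventory above is long and repetitive: the same file appears both as `C:\Users\...` and `\Users\...`, several paths (`installs.exe`, `FirstZ.exe`, `crypted.exe`) are recorded many times with different hashes, memory dumps are interleaved with file records, and one entry (`MRK.exe`) carries the hashes of an empty file. The following script is an added example, not part of the report or of the sandbox's tooling: it parses this record shape, normalizes the two path forms, flags zero-byte entries and paths with more than one distinct content hash, and totals dumped memory per PID so an analyst knows which process to unpack first. `SAMPLE` is a constructed excerpt copied from the inventory above.

```python
"""Parse a sandbox report's dropped-file inventory and flag entries worth a second look.

Added example, not part of the original report. It handles the record shape used
above: a path line followed by `| MD5 | ... |` hash rows, with
`memory/<pid>-<seq>-<start>-<end>-memory.dmp` lines interleaved.
SAMPLE is a constructed excerpt copied from the inventory above.
"""
import re
from collections import defaultdict

# Well-known digests of empty input: an entry carrying these is a zero-byte file.
EMPTY_HASHES = {
    "MD5": "d41d8cd98f00b204e9800998ecf8427e",
    "SHA1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "SHA256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-(0x[0-9A-Fa-f]+)-(0x[0-9A-Fa-f]+)-memory\.dmp$")

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 0168d7ae03603f01af0e26516a58a4e6 |
| SHA1 | 520e94437cc30184ded2fc00eac5c4f64778c8c7 |
| SHA256 | 75249cbfc8ee12a5d70b16c09116f05776071dcec8904628cd7ddf7683fbca43 |
memory/2300-170-0x00000000048F0000-0x0000000004930000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | a5cfc9d1fb519f5d6087d40b6067352c |
| SHA1 | 0f4f0fae95f1762df6ee611c5baf1c12c32d449e |
| SHA256 | 8f92801c82a74b11e2905e80f3f84fc2f07af4a4ce992659db2763d74a079cec |
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
memory/440-166-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
memory/2300-167-0x00000000048F0000-0x0000000004930000-memory.dmp
Analysis: behavioral2
"""


def parse_report(text):
    """Return (files, dumps): files are {'path', 'hashes'} dicts, dumps are per-PID memory regions."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1)] = m.group(2).lower()
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq), "start": int(start, 16),
                          "end": int(end, 16), "size": int(end, 16) - int(start, 16)})
            current = None
            continue
        if line.startswith(("C:\\", "\\Users\\")):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        current = None  # headings and other text end the current record
    return files, dumps


def _normalize(path):
    """The inventory lists the same file both as 'C:\\Users\\...' and '\\Users\\...'."""
    p = path.lower()
    return p if p.startswith("c:\\") else "c:" + p


def triage(files):
    """Flag zero-byte entries and paths recorded with more than one distinct content hash."""
    findings = []
    contents = defaultdict(set)
    for f in files:
        h = f["hashes"]
        if any(h.get(alg) == digest for alg, digest in EMPTY_HASHES.items()):
            findings.append(("empty-file", f["path"]))
        if "SHA256" in h:
            contents[_normalize(f["path"])].add(h["SHA256"])
    for path, digests in sorted(contents.items()):
        if len(digests) > 1:
            # Same path, different bytes: partial-write snapshots or a re-downloaded payload;
            # each hash has to be pivoted on separately.
            findings.append(("same-path-multiple-contents", f"{path}: {len(digests)} distinct SHA256"))
    return findings


def dumps_by_pid(dumps):
    """Total dumped bytes per PID, largest first, to choose which process memory to unpack first."""
    totals = defaultdict(int)
    for d in dumps:
        totals[d["pid"]] += d["size"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    parsed_files, parsed_dumps = parse_report(SAMPLE)
    for kind, detail in triage(parsed_files):
        print(f"[{kind}] {detail}")
    for pid, total in dumps_by_pid(parsed_dumps):
        print(f"pid {pid}: {total:#x} bytes dumped")
```

Run against the full inventory, the `same-path-multiple-contents` finding fires for every Amadey download directory (`1000656001\installs.exe`, `1000657001\crypted.exe`, and so on); treat each distinct SHA256 as its own sample when querying intel sources, and skip the empty-file entry entirely.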
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 15:41
Reported
2024-01-26 15:44
Platform
win10v2004-20231215-en
Max time kernel
102s
Max time network
154s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
ZGRat
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\Users\Admin\AppData\Local\Temp\FirstZ.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\MRT.exe | C:\ProgramData\wikombernizc\reakuqnanrkn.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
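Several of the signature tables above are directly convertible into host detection rules: a Run key named `csrss` that points at `C:\Windows\rss\csrss.exe` (a system binary name outside System32), a Run key pointing into the user's Temp directory, a read-only open of the `\??\VBoxMiniRdrDN` device, queries of `SystemBiosVersion`/`VideoBiosVersion`, `netsh.exe` modifying the firewall, and a burst of `sc.exe` launches. The rule set below is an added example, not the sandbox's detection logic: the event schema (`kind`, `process`, `key`, `value`, `path`, `cmdline`) is an assumption modelled loosely on Sysmon registry, file and process events, and the events are constructed from the indicators above; the `netsh` and `sc` command lines are constructed too, since the report records only the processes. A benign OneDrive Run entry is included as a control that must not fire.

```python
"""Behaviour rules derived from the signature tables above, evaluated over constructed events.

Added example, not part of the original report. The event schema is an assumption
(loosely Sysmon-like); process paths and registry indicators are taken from the
report, command lines are constructed.
"""
import re
from collections import Counter

SYSTEM_IMAGE_NAMES = {"csrss.exe", "svchost.exe", "explorer.exe", "lsass.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
VM_DEVICE = re.compile(r"^\\\?\?\\vbox", re.I)          # \??\VBox* device names
BIOS_VALUES = re.compile(r"\\hardware\\description\\system\\(system|video)biosversion$", re.I)
SC_BURST_THRESHOLD = 5

GLUPTEBA = r"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
AMADEY = r"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
RUN = r"\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

SAMPLE_EVENTS = [
    {"kind": "reg_set", "process": GLUPTEBA, "key": RUN + r"\csrss", "value": r'"C:\Windows\rss\csrss.exe"'},
    {"kind": "reg_set", "process": AMADEY, "key": RUN + r"\stan.exe",
     "value": r"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"},
    {"kind": "file_open", "process": GLUPTEBA, "path": r"\??\VBoxMiniRdrDN"},
    {"kind": "reg_query", "process": r"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe",
     "key": r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    # Constructed command line: the report only records that netsh.exe modified the firewall.
    {"kind": "process", "process": r"C:\Windows\system32\netsh.exe",
     "cmdline": 'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe"'},
    # Benign control: a normal per-user autostart must not fire.
    {"kind": "reg_set", "process": r"C:\Windows\explorer.exe", "key": RUN + r"\OneDrive",
     "value": r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    # Constructed command line; the report shows 19 sc.exe launches without arguments.
] + [{"kind": "process", "process": r"C:\Windows\system32\sc.exe", "cmdline": "sc stop <service>"}] * 6


def _leaf(path):
    return path.rsplit("\\", 1)[-1]


def _image_from_run_value(value):
    """Run values may be quoted and carry arguments: take the first token, unquoted."""
    value = value.strip()
    exe = value[1:].split('"', 1)[0] if value.startswith('"') else value.split(" ", 1)[0]
    return exe.replace("\\\\", "\\").lower()   # also accept the report's doubled backslashes


def rule_suspicious_run_key(ev):
    """Autostart whose image masquerades as a system binary outside System32, or lives in Temp."""
    if ev["kind"] != "reg_set" or not RUN_KEY.search(ev["key"]):
        return None
    image = _image_from_run_value(ev["value"])
    value_name = _leaf(ev["key"])
    if _leaf(image) in SYSTEM_IMAGE_NAMES and not image.startswith(SYSTEM_DIRS):
        return f"{value_name}: system binary name outside System32 ({image})"
    if "\\appdata\\local\\temp\\" in image:
        return f"{value_name}: autostart from user Temp ({image})"
    return None


def rule_vm_probe(ev):
    """VirtualBox device-name probe or BIOS-version query: classic sandbox/VM detection."""
    if ev["kind"] == "file_open" and VM_DEVICE.match(ev["path"]):
        return f"opened VirtualBox device {ev['path']}"
    if ev["kind"] == "reg_query" and BIOS_VALUES.search(ev["key"]):
        return f"queried {_leaf(ev['key'])}"
    return None


def rule_firewall_change(ev):
    """netsh.exe invoked with a firewall/advfirewall verb."""
    if ev["kind"] != "process" or _leaf(ev["process"]).lower() != "netsh.exe":
        return None
    if re.search(r"\b(adv)?firewall\b", ev.get("cmdline", ""), re.I):
        return f"netsh firewall change: {ev['cmdline']}"
    return None


def evaluate(events):
    """Apply per-event rules, then the sc.exe burst rule; return (rule, process, detail) tuples."""
    hits = []
    for ev in events:
        for rule in (rule_suspicious_run_key, rule_vm_probe, rule_firewall_change):
            detail = rule(ev)
            if detail:
                hits.append((rule.__name__, ev["process"], detail))
    # Many sc.exe launches in one detonation = service create/stop tampering (see "Launches sc.exe").
    sc_count = Counter(_leaf(ev["process"]).lower() for ev in events if ev["kind"] == "process")["sc.exe"]
    if sc_count >= SC_BURST_THRESHOLD:
        hits.append(("rule_sc_burst", "sc.exe", f"{sc_count} sc.exe launches"))
    return hits


if __name__ == "__main__":
    for rule_name, process, detail in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name:26} {_leaf(process):45} {detail}")
```

The BIOS-version query is weak evidence on its own (legitimate installers read it too), which is why it is reported as a detail rather than scored separately; the Run-key masquerade and the `\??\VBox*` device probe are the high-confidence signals here.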
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-251 = "Dateline Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-411 = "E. Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2511 = "Lord Howe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-891 = "Morocco Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-751 = "Tonga Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\explorer.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2061 = "North Korea Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-171 = "Central Daylight Time (Mexico)" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe
"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"
C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4168 -ip 4168
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2480 -ip 2480
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 372
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2480 -ip 2480
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 408
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"
C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4168 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 680
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 716
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 732
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 772
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2480 -ip 2480
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nspAB65.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 864 -ip 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 864 -s 2368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 712
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 768
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 884
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2512 -ip 2512
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 1076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 644
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2480 -ip 2480
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 788
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 2392 -ip 2392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 2392 -ip 2392
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 808
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 1184
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2856 -ip 2856
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 716
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5564 -ip 5564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5564 -ip 5564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5564 -ip 5564
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 392
C:\Windows\SysWOW64\WerFault.exe
Network
| Country | Destination | Domain | Proto |
Files
| SHA512 | 619cb31d29206433749c59f22ad2ecf91584801085053ba928c6e712b528a9ed78ea82dcd7c58429189356154109736aec4f66fd16b1b45c563a19927e8f7f46 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | e38d2389ebc4194ced166dc29b7d8829 |
| SHA1 | 04ee969be16932f35f90890807f61125bc5d6caf |
| SHA256 | b6c9956f3f0477b4ebc018f81e8c4eef28073242c9dd7890a163151252faff92 |
| SHA512 | 9c86cc10e7eaedc035c347f82976eccf059db24bec5524bc5d8a12e7e61b64ea0e83fd47c57c34dcbf8db29db32dda46e408087b087d4bf8e71b03efb9dbc404 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xb5thseh.lfp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
| MD5 | ffada57f998ed6a72b6ba2f072d2690a |
| SHA1 | 6857b5f0c40a1cdb0411eb34aa9fe5029bcdb84f |
| SHA256 | 677f393462e24fb6dba1a47b39e674f485450f91deee6076ccbad9fd5e05bd12 |
| SHA512 | 1de77f83a89935bb3fc3772d5190c3827d76a998785d451e2c0d11a0061cfd28f1b96eccb41b012c76ddda2021e3333a0a647489ae3c6dac10cfb8302abdf33f |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | e9045a8ddcc8490aa44de4dc4b64f72f |
| SHA1 | 408294567482116ef89a2ac7795f5a1ae77d0551 |
| SHA256 | 55d73cd58a381cef3e5fd68b8e084e93a95872a6dee7c0b763f45c49c55f8dea |
| SHA512 | 5864f7ed18501424f93f7e9ce7bb5897d873a505c80ba26e9b22a94cbeb9d6f1825e61fb49ea159f79899a764555cee8a4642e27874611c818188b1d8fda8fed |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |