Malware Analysis Report

2025-01-22 10:25

Sample ID 240126-s4rqjaghg7
Target 194d36596016f52a59cc6163a5cc1898.exe
SHA256 a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
Tags
amadey glupteba redline risepro smokeloader stealc zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan @oleh_ps themida
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c

Threat Level: Known bad

The file 194d36596016f52a59cc6163a5cc1898.exe was found to be: Known bad.

Malicious Activity Summary

amadey glupteba redline risepro smokeloader stealc zgrat 2024 @pixelscloud @rlreborn cloud tg: @fatherofcarders) livetraffic pub1 backdoor discovery dropper evasion infostealer loader persistence rat spyware stealer trojan @oleh_ps themida

Detect ZGRat V1

RedLine

RedLine payload

RisePro

Glupteba

Stealc

Glupteba payload

SmokeLoader

ZGRat

Amadey

Modifies Windows Firewall

Downloads MZ/PE file

Creates new service(s)

Stops running service(s)

.NET Reactor proctector

Themida packer

Checks computer location settings

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Checks installed software on the system

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Delays execution with timeout.exe

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-26 15:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-26 15:41

Reported

2024-01-26 15:43

Platform

win7-20231215-en

Max time kernel

9s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2932 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2932 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2932 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2188 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 2188 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 2188 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 2188 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 2188 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 2188 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2188 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp

C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 604

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\EA11.exe

C:\Users\Admin\AppData\Local\Temp\EA11.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\taskeng.exe

taskeng.exe {39B83679-C223-4096-BC83-BC5C645FEDAB} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\AEA.exe

C:\Users\Admin\AppData\Local\Temp\AEA.exe

C:\Users\Admin\AppData\Local\Temp\AEA.exe

C:\Users\Admin\AppData\Local\Temp\AEA.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\07409a7f-582a-4181-b608-d561902c8b2e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Users\Admin\AppData\Local\Temp\AEA.exe

"C:\Users\Admin\AppData\Local\Temp\AEA.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\DC90.exe

C:\Users\Admin\AppData\Local\Temp\DC90.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"

C:\Users\Admin\AppData\Local\Temp\4FFF.exe

C:\Users\Admin\AppData\Local\Temp\4FFF.exe

C:\Users\Admin\AppData\Local\Temp\onefile_2616_133507574065918000\stub.exe

C:\Users\Admin\AppData\Local\Temp\4FFF.exe

Network

Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 80.79.4.61:18236 tcp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
DE 185.172.128.79:80 185.172.128.79 tcp
NL 94.156.67.230:13781 tcp
NL 195.20.16.103:20440 tcp
DE 144.76.1.85:25894 tcp
DE 20.79.30.95:33223 tcp
DE 141.95.211.148:46011 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 8.8.8.8:53 pool.hashvault.pro udp
US 188.114.96.2:443 api.2ip.ua tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 www.microsoft.com udp
DE 146.0.41.68:80 tcp
US 8.8.8.8:53 zeph-eu2.nanopool.org udp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
PT 194.38.133.167:443 racingcycle.net tcp
NL 45.15.156.13:443 tcp
NL 45.15.156.13:443 tcp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
NL 51.15.61.114:10943 zeph-eu2.nanopool.org tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
AT 5.42.64.33:80 tcp
US 8.8.8.8:53 ftsolutions.com.pk udp
US 64.31.22.34:80 ftsolutions.com.pk tcp
US 8.8.8.8:53 transfer.adttemp.com.br udp
US 104.196.109.209:443 transfer.adttemp.com.br tcp

Files

memory/2932-1-0x0000000000ED0000-0x00000000012D8000-memory.dmp

memory/2932-2-0x0000000000ED0000-0x00000000012D8000-memory.dmp

memory/2932-4-0x0000000000570000-0x0000000000571000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 1fc72b024e9c5502c8b1e4e7c9e1f153
SHA1 25ec7e190d726ecb233d06d43f71b96755d406f7
SHA256 39dd09713cab559e516450617f8ca6ada02fd9baf4e53f20c556f26cbce0f4df
SHA512 dff598fc33d3dc93d2caf88673a50769fc4efe11dabe0eb5810da789d65751ccc0712d4fd9fe311bb2ced772429ca868e9f264d9d04469d630799e5c466f4a4d

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 fe7d1c028934e80307fba09167c376bc
SHA1 87f5e1abba596eb21847eb287a6917863f5890db
SHA256 29dec279cd6d9a5209368c46d989c3bc824a993810713f980dec9aeb8f59ce72
SHA512 afbe72001409c8b83e51459c3485e715cf5f502d83264a0729a9bf49dac347e09d155f5a50b92091fde1e8b3e7511875c8736276032d12516372f14b77f54b87

memory/2932-13-0x0000000000ED0000-0x00000000012D8000-memory.dmp

memory/2188-14-0x0000000000B80000-0x0000000000F88000-memory.dmp

memory/2932-15-0x0000000004B70000-0x0000000004F78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 5cf302f0d472282eba66c97780873007
SHA1 8ffb0debafc5b9b2bd4e5bbcc6e63902bd96a67c
SHA256 ba8f7ae614ded7625cfc5d5dc49ab78fd2e0e9709214891b70775f0338b4f0ca
SHA512 7a2d4b0939343f4bcda19cbe930960010468269712fe474c6c43966d38f1365d0d473c12b6ac2327f8e7a37c257ca7ca3dbbd2678c006f82daee7499af6fd5ff

memory/2188-18-0x0000000000B80000-0x0000000000F88000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

memory/2188-19-0x0000000000B80000-0x0000000000F88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 ea9bbdb07537c910b4f371cce9eedc00
SHA1 88966ddea866ffcf707cc4f66e62af2ee5d2c51b
SHA256 aeb79e24508eac6edc0d47d7fe6101f6ff524205c13e8614151d286c1021e8e9
SHA512 d0bccac5565e5573fb4ff6f564c1cecde970b0a17c8c756128f47b3571385e6795903e931682089d33943bc93efd6f216b05ef61f85f340be63335589cf603bf

C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe

MD5 e269fcd91d171f9be2a9d6da88b78478
SHA1 d161f5449071b121bcff64ad936f4cf0a9f79296
SHA256 92b3703629645e41b106393954f930a0431c82d3975a6eb9c1b158bc99826387
SHA512 45e635d9d809554c1cdd33d4f3af7828cb7ade461ba0f2a7f24b6dc1671e3074ea986c9e6b9530cba7494aa5b61713d28f4453e6b356fb7808e482d34db42181

\Users\Admin\AppData\Local\Temp\1000650001\stan.exe

MD5 49e1ba45dbfa0bb247ce9bf85fc30d79
SHA1 5c68ec8fdea0d71dc867e51883442a62d84c0bc6
SHA256 ec6f360a390067b164d8ad958ddcb90df7d6bf4851c0ac7900590782ae81a8ef
SHA512 b1ca4c7f1a9622660460c04342ac7a0327cb259717cecdf2f8d7f5212b0279beae4737537c7ed6007edcd3fdc35bfb0b87c8f7cd36db2422fcdea81b0bffa8da

memory/2188-35-0x00000000048E0000-0x0000000004DC0000-memory.dmp

memory/2880-36-0x0000000000330000-0x0000000000810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

memory/2580-53-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2580-54-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/2580-55-0x0000000001F70000-0x0000000001FB2000-memory.dmp

memory/2580-56-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/2580-57-0x0000000004700000-0x000000000473E000-memory.dmp

memory/2580-58-0x00000000046C0000-0x0000000004700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 7a8326661fcd62926073a0954ccd62c8
SHA1 b1a2146d22e58541bebf33aa1e61aebb756c6c27
SHA256 4c76636fcb0aadf6830a43a80ec922566a30e164485f67e8ac97f066e1adc573
SHA512 d9aa9c04cb9b5e46a85436504a1ef6bfdc98ef92912f1f534678e05543a3dbb6b0be22cbb53f239d1ab20a441705b273a80e3c6e55a8519a0c8c1de59ecf8300

\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 7c2b2783af1a8c7f77f4bc4e76d8b71e
SHA1 1bc2ffa3e793ef7ae36c70d7674d3c9b24602853
SHA256 99243c526dd8becd54960d9b6cac909826ba99ebd5c034a6cf2cef3512cc8da4
SHA512 db4eb9082e25922e36c46e928a53182c7ec8a5980abe7f6b5cbe85cedc5311b9501b019c0331db0e5fb8ae0506f0c4b5c90101e0ed15e1538d5e3b355aac122e

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 4069cda7d2b8d301cee4d16234f0144c
SHA1 4347e24d01e42462a2677041a53bc60e5eb54a98
SHA256 374d9c36f7925644e9da7ae43b59d670e645952f42c166f52604679a920740d2
SHA512 30df5bdf6ff3d5448d654566ac9924e6805c944c593c22c7d0fe6faf288c16935d3697067783418d6899121216db87687451cd0aacd2a1601877a40ff19ef971

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 aac0996f94a00f3e777469af73b91700
SHA1 14721d0f2af49148563541fc4928b16684c409ed
SHA256 b1851c4ea2a8d3b341f780b88d0a928a8fc4dbe7e677c88637663d5c2c49eefb
SHA512 78a4f054d2afb90858d44da50edb0030835929807abc5e111ccb2e5c5f92c9142e284625a8eb98fc2cd1ce0b1b487a708c9d18dcd1fe63d262f2a1ffb7f33609

memory/2188-74-0x0000000000B80000-0x0000000000F88000-memory.dmp

memory/1476-75-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/1476-76-0x00000000009F0000-0x0000000001338000-memory.dmp

\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 18b0c4846dc1495c22788fbb9daa72ae
SHA1 fe4c57e670c30cdd1f51674a83bcf786e19faf36
SHA256 5cf72a2004a29fc0d0b4e782a7463cefe00851569f55a2efa9f5418a2accf411
SHA512 460c66615f86fc6dc7d58c38590b21eb8065896fa5bc788933278ce7929f59dde0ae58b5b934f09bcf6d862f12b1510aaea28bb81a7e072b25eb47f537c8cfc1

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 6f1345dc62e46658b6ab8005546d9a8a
SHA1 4fd3f14f8c955548cf971507ac0899dbeb873b29
SHA256 6d607b4ed0777747f9592558bbeb51719bb8b135c7959a22868ca0d35c2e4d09
SHA512 b0205731919d7977c45797511fe5ce7175c7fee00b680023e9c0bbea35f08edbf9ff8131cf574ff21b01d5433a77be9dae2d513ebbec30128f849df742e95dca

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 f497061270032f19d17db5c21364cbe0
SHA1 46f563ed84d591dc33fecfbcb5d34483e158a6ca
SHA256 c92e3785d9bbdfcc58e58f73f8617be52ed81fccca79bbbf08eec3d74a17299d
SHA512 7ddbd49bcf4c6410eca6fd1a1756dd0f137c2e68cd7f3a0c79943381948a03fb1ee3ea7e079cd4ef1dd56647b10f1b9fcefaffb60899e04a4eafde619a652e12

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 e8917b00e7dc77ff5c9d43ae09dd36cc
SHA1 bd9188cb1abdb577e32e60083cd11b5702a65ebc
SHA256 b0d91c00eb83ed56f2446a7256a8061f6e4e3dd6c1b267fcd52c87dfca0e9bb6
SHA512 c9baaf6483e5c31b4d74002727ed7cef71b5ceaafe1ee7f172d1cf0f13e767ecdf2cab37e7c1d273814c3804746eaacbb69c4e4f5cb4dcf6d25300af49c423ca

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 d058a9af26e79a6bc9205aa16be1d5a0
SHA1 4699767799b706280f342a30ffe7b129dcc70fd5
SHA256 bf0e66a4428765a24002ebf6d8c72b25d7fe7d247acc44d57122327d4f22130c
SHA512 5166507f083c75fe1480f232c08bfadde640109a09a3ca4c6b8174abcf61c8aa5c662cc902851e15a514b0d8812dd62b64525f8467eb090f74a21be7203340f4

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

MD5 c52af49982bb0789f421313bcb75fee0
SHA1 644d60ba07988a4f34f0f5b38b43113eee7772c1
SHA256 18ed9a7375b92c3b4c857ff0061109e4b36f46579abdc8a264e3f540ff97010f
SHA512 6060a82b0427ef345c39f3be1f22b3b0bf655ec1c6a48e8b54bf0e2dec996644b2b853abed2aaf234e29ad51cd33fff7a091f68d2c04728c297b2a6c00289eab

memory/2188-121-0x0000000000B80000-0x0000000000F88000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd60D6.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2188-123-0x00000000048E0000-0x0000000004DC0000-memory.dmp

memory/1752-124-0x0000000000230000-0x0000000000330000-memory.dmp

memory/1752-125-0x00000000003A0000-0x00000000003AB000-memory.dmp

memory/2816-126-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2816-122-0x00000000009B0000-0x0000000000A02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 443cf179a6164e5aefd3fbbea9709c80
SHA1 dc022536f35683e7e087b2c4087b40ecbf87df19
SHA256 d8803f7fd7f5f465b372ca39e091510c2e46111837192574ddb701d78b8f611c
SHA512 66030341151dc1a66dce0e9b0d6c4ed2c2954ea55c61d952027bb3c6bee4a17f21686812d8eb0ee034488d9ef368ffc54bc6b773df8131b5d846690828af1c30

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 099c0f986bad25faf4cbcb6b7e161f34
SHA1 8b48390aa412a36ff0aa8b74ad27b6a5e2454380
SHA256 e533a5b78f8a0185bfc1c76ffdee008a76ca5649ac57d85f6ab343515e9be1e4
SHA512 41285652eb3e5cf8f7562473fa55a6af0bd9bade64f939deea64d2b0da517b17a353fcc472219f75124da23ba065841f22e69d23047888b3048e7c78b734c565

memory/2188-137-0x0000000000B80000-0x0000000000F88000-memory.dmp

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 1c385cf14c01cd3a17f8d570aefdcad5
SHA1 f9055ac245ae434dad1b43832a54f74bc5a8c101
SHA256 907ac2bf3005f13a1c4068184221beecf3237db7952138ccc3808dec1fb24f4f
SHA512 e4da12b598fba7fc39f30dfbb3384519d6abb0f998c07c6a90aa6e854902c28eb9897e3a11b6c4721befe16b25f72e483e1d78f213b5d03d06c2463e9673f2fc

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 704ea6029bc145481783af2a4dff02f1
SHA1 aaed860dd55c74fae8d11e2663240a32429b7bf4
SHA256 9526af5ed228075da74a32f801df5ea04966410c589d4892c185dc0a7c2d2ea6
SHA512 0b67198bd1bcbb748898604b4b2a0a724f6852a5e6f00da19c072e386367fa5123c0ed0af49d629abcf55b2315d70972b0ac53feccc47488971fec05303a2b0f

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 2a48ff85aabccc1b7af4e64801f85d70
SHA1 2d3bd23f52e59306888197dcd68c45f270c0b455
SHA256 eb9a8679b8f1efa6f705dfbd60c739aeb06f0bd6773756f551ad6b2b93ca3000
SHA512 b6c25e8a876570cdfb1d75fd9c1b65995c1911611a912c47926ce41333d1031c201a74315ef65a4ec87b26a14a1f5f9263adb07293336b8c0ba513a783ea3643

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 9c98d287b85fd3f6c0d3da750e84b894
SHA1 3e54df60668ff6216ab3a4b51a91c376371b05e0
SHA256 ddf6fe5fde91c2133ead2e81d90ac4460f68c2b421c76e10e1a0f57c22a9ab2d
SHA512 af5deaec948b31f7f47cfe2d70bb5d6be01f9ff07cf0277d1be81d30d86df2ea8ad9effe2ddf8dfad1eb49aaf3a215b2679e00975138c8d44e8c81fbf2b2f5c9

memory/2880-127-0x0000000000330000-0x0000000000810000-memory.dmp

memory/1752-143-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2580-144-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2816-138-0x0000000000580000-0x00000000005C0000-memory.dmp

memory/944-145-0x000000013FA30000-0x000000013FA86000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 dee63473a06ba61e8c176166609f3dbc
SHA1 40d399b25974e5d969a1f97604b35e93e19b82d3
SHA256 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b
SHA512 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 247b4f319d00bf7e1c3dc76616df031e
SHA1 001eacb1f709aa4c632810d159921559d424a0c4
SHA256 8407766007129be61de4e13cf98ae45c3f8adb3e2537a16249a7e32cd3f33e77
SHA512 ee8542712fe73665171a1affdb9bc1e8b2fcfadb1dcd4754f84ae6d2792f5354354afe3e71a95c561b448c1c792dedc2c4dedd59b027f3605392fbe0518bf919

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 2f107b5aadce0240cc675777e7123635
SHA1 77e7c7092b9f4e7b3bc066d3f14093ed7b31050c
SHA256 043cea94c31c06612c799d19bee5314a4a660300015cbdc652b03b297987b60d
SHA512 f8da0105a65140ef77cbc850c76e8abdeeb36d5b0ed2d3a7ce2683d9eed5a08dae7018f08e457508f53111fe301f76b0113441bf8ace2c3d71e310f87ececb6f

memory/1476-168-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2480-167-0x0000000000FD0000-0x00000000013C8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 b4afbb483de02f4443da834cb38fe78f
SHA1 a1427c5cd4d0a32de2eb926ae59d096b74b38499
SHA256 6916edc11f74643a9f67df6444ac78a2381265e20da73b167caf933060c7d382
SHA512 a0ba6a196dd93b16fcb06b319a59db31d4a767a8b22448e5db88358e8f2821a512ccab81b8e111900809a5d17e2bed066c85e90e2492cd878a7a2869d7c72eac

\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 592720d5a214a71a133385120fcdbc26
SHA1 164f60b37ffd9d61613904877d475973409677de
SHA256 9cd590f8d9afa9ec830c099c79a8e4589b40db84b24cc87a61d55cf5ba7f4ffd
SHA512 ca13b5fcd96370efd15e834ad2100dd33b0bdd9b00ad7f6d6825ee4526b554a502fc24108460478625a606c7861a3edb51b39c2f8194c63c8037c1b533c69978

\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 f46d1cf6198904d3fa120df4b1ea311e
SHA1 c63c5ea45d01128bab06182f1917dc8edd2bf24a
SHA256 0781e3bb3d535e7b125c7e3ddcd9f569db9635dd5c0d8a125b6813804ea5e8a7
SHA512 650adc1cf091054cda620b3082e71e2ca496f802aee120fc58be7be7f65bbff4563e35cd734372f5cc478feb04852093b492a9e656602d58f9e9cd6528672c81

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 a1c5973174eac846a9c80f3fe66450da
SHA1 aa181d9e11f10f3427763dd4f94a5713295b8d4b
SHA256 8ac5e98cca62faa396d3189fd13a95104c19deb0afdff2370fb559c2805fb2e6
SHA512 2c5ce9fdcac9ae1d7fb77f12b4fb6c9e4fe4dfa88c566d6712fa8b7af922d7328e096d7aae4068bd4f47518ddcdc14ac80ee826492dffebabdd4fc98a7ac5dc3

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 fa0e48fc537abc54c91e44f3bf486f43
SHA1 1daffa43118ec92e9217f99e0feda6af6794d1a3
SHA256 f86633c86d827c826ac30b920e179720356d18ea86841250ca7ef005eb94e333
SHA512 dc8e1c320ab3bfc96c0a78aacb00a33e780d1f09d71bcf6cc4c1e0d8e394cc83ed8d35853e3e5ee9afb281430c2297fc0372ea77e67cb4d477bcc8aaecda4e07

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 2825b0f9684d5993736f4c93fa68b8bc
SHA1 3e43cf5bc8f20f1f32e00e82c7449383a01e2aed
SHA256 02e31aef9630a3942b5f619ee2ced1a8b7ab31c54598000ed033988c808563b6
SHA512 b1f785997ca5308f41d3b9153ab813ec79bec5878caa337adc993b4f79c77bf6e5143daf6df6dd01572f115e0487cbe397c4b5020311355a198e9448afca4293

\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 bfa865777650c9d233387ddcc968f5b1
SHA1 7468370cab2f49612af95b63ed8cb0a88e410f40
SHA256 55c85bb3741fad4ebb25f9d6006e566f43c5ba29c75c6ed0fd74662f16674c99
SHA512 e36dd191d4c29d6d7cfc0442bd58f02ec8226656e7cebb79ce6a4801ee23f81163ddc9050d13c7b48d8c76c3d8bbff546ee3e8e76fcb8e842d3bb08b3490d684

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 44d2729c1e33025f0bc5b12c644b8d3b
SHA1 e61c8c26b706c0b5f9b1a4d23f802d20fba168b9
SHA256 2be347a0ed5a8f71a5aeb34243b8c95e7eb5d6ace9feabbe784b911623f6ba95
SHA512 7666807152cde994477081a7623a329ef1bcc2b6068fadc08a3f777b0d37985c8ad1fa499540a508f62651c9093c28f2bc56cc2b70215106b48a7e0bc842558d

memory/2996-173-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

memory/2580-182-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/2480-188-0x0000000000FD0000-0x00000000013C8000-memory.dmp

memory/2880-200-0x0000000000330000-0x0000000000810000-memory.dmp

memory/2480-202-0x0000000002960000-0x000000000324B000-memory.dmp

memory/2080-203-0x00000000002F0000-0x0000000000377000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst6E01.tmp

MD5 3319137a786fa4ca341c0198c37717e0
SHA1 413ecc6781b11d39e26f3681d4102e5a49011cec
SHA256 96e293c1cba699fb64559aadf11b00dc84f11f677fe32153cb4a659788a5d88c
SHA512 162a2b01de935f79b586cc76dbf756b08d76681873d7301bb7c4d1b000e9d0d47e2b1fa855fb9017f2bf28b71b33531c916abbfd7e078ce4774bdc62d84ac8f4

C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp

MD5 7f082ecbe630a82618ec53db3b3d8bd8
SHA1 3e808773d92addecc7e274b3236a0f1091b2ab77
SHA256 987db118fd3797fadeb0b17e39857262bc05145f3ce1a186d29af885fa67a8a2
SHA512 5ba2e2feb0535d0f56446617b888e49c463296f599ef9b720cc2be450193b626a294b7b4a49c99b498f930ca1f925a2e2f055aab53841b72444f3eae3a9704ef

memory/2480-204-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp

MD5 bf381654a9e776ba87a0ed614d42f4df
SHA1 6d4ae60de53b4b0aa326906553a3f43e863af18d
SHA256 b3471bc531afa59eb34d278e4666108f7f7f60dddfaa26d37aeab88c769333d3
SHA512 5e0e7d62d16eedf4fbb6d04b867abdf0b080168b8dec424b67c52b03262fe2af2c711150294561f29b02a0227d8c7a20d7f79ac262e6bf4469cfe68e552e595a

\Users\Admin\AppData\Local\Temp\nst6E01.tmp

MD5 d8e7281c5aed633be3f0d4994b9a2ad2
SHA1 8dd89930eae68db645b0241686bb170a1d2c6ee5
SHA256 12181f82cb3af7f8d06e1b5c9797669569cefadf4b5e8f39c1e6b058abe834ba
SHA512 5cccd6ebfce7ef1f586d1375e8f79d7748c545f63cc57d139b1df42d383980f3a761a8afc0773362d36755b45137b9324b77968805815b2f32f03ae61231ca33

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 b997a60a8f9ff398425ef90879c1bd85
SHA1 08190d3f9e38470498e8cdfbdf9152364b40ae90
SHA256 412da46b6875c1fe96653aa415c3358e7c1643e6f011282390ed3e9b3c3fa067
SHA512 c23d6e2121cbd7b99e62b55f9600e7113bde0e2edd76a1cd4118e9134424564832db5224c6994600683c3a7570d51c5d9e769e826c986ab73b454a1d65616811

memory/2580-217-0x00000000046C0000-0x0000000004700000-memory.dmp

memory/2100-232-0x0000000000220000-0x000000000023C000-memory.dmp

memory/2200-245-0x00000000010A0000-0x000000000110C000-memory.dmp

memory/1244-247-0x0000000002960000-0x0000000002976000-memory.dmp

memory/1752-260-0x00000000003A0000-0x00000000003AB000-memory.dmp

memory/1752-257-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 5a6358bb95f251ab50b99305958a4c98
SHA1 c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA256 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA512 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

memory/2100-265-0x0000000000400000-0x0000000002B17000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 c92ab6e6788af797bcd8cd95102238c5
SHA1 049ac77cb84327a1529e4265aa39573dff9277e7
SHA256 9057d67f2a67f4a4ba906fc641f73ec46321d2a8de370c8d60833c5340a729ca
SHA512 2fad09051c6b48e3c54beeb781b5940b5020cd46785798e44416f4067ce743a5f51ffacf0cf3bbc7feec7161db8353b19c30d1d8a661d6cc3db145e7e28bed52

memory/2200-272-0x00000000744F0000-0x0000000074BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 708b707d8b9127c4589cf90422dd6ae9
SHA1 1cb9e3ce2d17d2fc66ec98af3c458a1d8f767a86
SHA256 d84c25ad2ace1777d065d890f090dadbefc354483da66b4110187767fea73163
SHA512 4fe58adbc42558d3a77d863ec0fc6ca0114c49bc32598d637262da9996dbe29954e766c725b8b2b0a2b6a1619fdd15ba43d49ba5aa937e5042f0387937cd265c

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 6d4d5f1fb740bffbc12d686ae4796a20
SHA1 44e74e85f17d4308a550353d7cfa8c4144dcfb71
SHA256 0ff18587844a40f3b264da11fb928ac7b21fec5ae422130af9225e746f4939b3
SHA512 e2c133e3fd0110a1366731f3c86c3cfae8b31da454345d30b0307d768d34af3b500720549371de2c56b532e1b5e00c7618c94af9a1710351b9e8d8b48b0f267d

memory/2376-273-0x0000000001390000-0x00000000013E4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 9eb1dfa1454ae0f0e3754542d2465fe0
SHA1 556a031afc56314bb02c6cd73193981996f7d1b9
SHA256 1ae07d4ddb70ff0da0d3c1e110df4bea72ec1816749e0b00b26570f38a0f76c7
SHA512 f5c2bea81e186346d310e1dbbdc43f2f99976aaf274a15a4bb09bcbef0114478140110ff38fd1dd661f935d4365c0f28fc307b19a0d1269a718538648d7b42a5

memory/2744-284-0x00000000022F0000-0x00000000042F0000-memory.dmp

memory/2200-285-0x0000000000EF0000-0x0000000000F30000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 39b9c7f4ba1665e3f2985b053412720d
SHA1 834a33bedeccfcdf426f946ce56a310da6830a7b
SHA256 ef975fb733331dd879a76edae0d606edd48a87d2236d0ac6a7c9a7c967fe49b1
SHA512 794051afa88eaf53bef6ba3ff11310d2d97050f31b006356f5c28dc86986a4ffa59d7064b32c239af4506f0842a1a025ef4eb017ec19d0c928afe64473059fad

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 07b92c740a313d86d75367932e30e758
SHA1 620f0ca0fbcce2b3b42e486aa1bb15c80015b3ea
SHA256 9143f8697cc2fc54ec98ceb44c62012c8afb84721165858790ec9f3f2978b1dc
SHA512 8d1a9af6e70421ccd3a5d9a3644493020e630b6023c439afd427f0a6fc589b2b4b89de1adb6defbd1d014155ed07f4c15018e29cbea48b4501309f5f31d73b68

memory/2376-290-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2636-292-0x0000000000400000-0x0000000000452000-memory.dmp

memory/848-296-0x00000000012A0000-0x00000000012A8000-memory.dmp

memory/2248-299-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2636-301-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2636-312-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2248-315-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2996-314-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/2200-311-0x0000000002510000-0x0000000004510000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 a4d246963dedc608be011ba1c5e9bf41
SHA1 58b7f94bdc1befaa3f46445720a477f12b42ff52
SHA256 fca8bc09de434f89ae4cf6c8dd49ac96c1636acc5c25307c3903017c119e2d7c
SHA512 6eecb31e6b53d628be34e76149cfac67a8c6fedd89ce1767a348e33b45ac479007c959851453c30e7d55ecec93b3c177eeac0698f3e7529d66676e43de7f92f7

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 bc4c0dbc7f4ca3a6e6724f979a772ea0
SHA1 b4abb9fdb370bfebaba0e59671198264fc1ffadc
SHA256 3589a1ef64aecb7f4efc9243171d29b385c26e53b29792bd35e0ce9e2d0ea73e
SHA512 d2a69c52a0a3eb1ed6f36b91f4c286d61bd3499cc89ec4fe85aa741629d2b7e0254f05a94bf232703f55f427551c5d30377a2d95624a18712b16031f72da9250

C:\Users\Admin\AppData\Local\Temp\Cab8D44.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/2672-349-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2636-351-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2672-355-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2672-356-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2672-354-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2200-353-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2744-352-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2636-348-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2672-357-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2636-324-0x0000000000400000-0x0000000000452000-memory.dmp

memory/2672-359-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2248-310-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 63223b9703dba7cf83bac754d8bc671a
SHA1 24b48882e27b8f48bd2a1d79a9f6470c1d6c31ee
SHA256 e22bf7042b6a1276fe5c0d7cf7c59dcec369541b27dfcd89a1258fb10109cc3d
SHA512 3c1923a14c6a31fcf542ebdd05da5c873686c2f0493baafffcc842772ff9e2f0c6778119b3e5d14afa826429e3f1b9443c12a399a2af66879e86322a4aa9e94f

memory/2672-362-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 18940054a281e1f658b5afb28995555c
SHA1 adc58b783c7703a54e9c0348fc0e8d6b3687f6cd
SHA256 b16645d95c05ef38d9c57e60dc5fbf6d375e9467210858c2fe09b8fe97b0da52
SHA512 df68d9939e45ea851bb2ad9a44f9b5a7772b2fadc0dac0b9c98501747efb5ed097a438e5432d4b68c21cd5c9931e01b07df49252f5a812eade320e469108fcd8

memory/2672-364-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2248-300-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2636-298-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1784-295-0x0000000000B30000-0x0000000000BB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 b2f3f214e959043b7a6b623b82c95946
SHA1 4924ee55c541809f9ba20fd508f2dd98168ffdc7
SHA256 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29
SHA512 c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67

memory/2248-293-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2248-291-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1784-374-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2580-246-0x00000000744F0000-0x0000000074BDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 20dce95390f66ce99b42a429e70391ab
SHA1 c276bd355b5256e233dce5c07c07ec208853aa30
SHA256 c69200b76ccc4d73e5532426fff7c8f51fcee893cbd7de9dd326db693425f470
SHA512 ed06fb7f3b1b987ee2e6d541f9be422228791a342ebffb6c672668cc90ff07f53c6109a0a85694d6d53d47372a430d959da4d66dda3c46f08a417955608ba9ab

memory/2744-239-0x0000000000270000-0x00000000002C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

C:\Users\Admin\AppData\Local\Temp\Tar983F.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2100-226-0x0000000002C80000-0x0000000002D80000-memory.dmp

memory/2100-437-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1720-442-0x00000000049D0000-0x0000000004A76000-memory.dmp

memory/1720-445-0x0000000004920000-0x00000000049C6000-memory.dmp

memory/2248-443-0x0000000000400000-0x000000000045A000-memory.dmp

memory/2248-454-0x0000000000400000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/1720-469-0x0000000004920000-0x00000000049BF000-memory.dmp

memory/1720-479-0x0000000004920000-0x00000000049BF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 11109385eaeaf4734af0c8860a1f69f9
SHA1 1f22017efe44086768924574dc59263551233afb
SHA256 b9bb1fc8be1237292bac9a69b37f9edd01f975be99845d4c615575af261227fc
SHA512 4f996ec71d439038a238cce7813e0bf6940f46365e74cc398538eed9ba0676a4d7d4fdf2314aceb59ddb1d6eb0fb31eab1ae36e03c36c15f54f11373f9580db3

memory/1720-481-0x0000000004920000-0x00000000049BF000-memory.dmp

memory/1720-483-0x0000000004920000-0x00000000049BF000-memory.dmp

memory/2016-488-0x0000000004D10000-0x0000000004EBC000-memory.dmp

memory/2016-491-0x0000000004EC0000-0x000000000506C000-memory.dmp

memory/848-582-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp

memory/2016-588-0x00000000744F0000-0x0000000074BDE000-memory.dmp

memory/2016-593-0x00000000008B0000-0x00000000008F0000-memory.dmp

memory/2016-595-0x00000000008B0000-0x00000000008F0000-memory.dmp

memory/2016-598-0x00000000008B0000-0x00000000008F0000-memory.dmp

memory/2016-599-0x00000000008B0000-0x00000000008F0000-memory.dmp

memory/2188-600-0x0000000004A00000-0x000000000543D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\EA11.exe

MD5 051acd118e84612a34e8ef3ecc44a4a4
SHA1 ba50cc48379f01d9c737e4f4df60e8907374e0d9
SHA256 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422
SHA512 fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\AEA.exe

MD5 0a3303d13df2f74ca52000b263bdd8a1
SHA1 a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20
SHA256 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517
SHA512 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

MD5 ff59d999beb970447667695ce3273f75
SHA1 316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512 d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 568d3de870dda8a255763f5c28ebe984
SHA1 adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce
SHA256 a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de
SHA512 bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-26 15:41

Reported

2024-01-26 15:43

Platform

win10v2004-20231215-en

Max time kernel

19s

Max time network

166s

Command Line

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4068 set thread context of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 3208 set thread context of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\9A09.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\AF76.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\sc.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\sc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\system32\sc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4636 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4636 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4636 wrote to memory of 1152 N/A C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1152 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 1152 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 1152 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 1152 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
PID 1152 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
PID 1152 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
PID 1152 wrote to memory of 680 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
PID 680 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 680 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 680 wrote to memory of 3096 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
PID 680 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Windows\system32\sc.exe
PID 680 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Windows\system32\sc.exe
PID 680 wrote to memory of 3076 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Windows\system32\sc.exe
PID 1152 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 1152 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 1152 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 680 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 680 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 680 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
PID 3096 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3096 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 3096 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
PID 680 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 680 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 680 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 680 wrote to memory of 2108 N/A C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
PID 1152 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 1152 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 1152 wrote to memory of 4360 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
PID 1152 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
PID 1152 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
PID 1152 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
PID 4856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 4856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 4856 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 4068 wrote to memory of 4180 N/A C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe C:\Windows\System32\Conhost.exe
PID 3096 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
PID 3096 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
PID 3096 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
PID 1152 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
PID 1152 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
PID 1152 wrote to memory of 3208 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3208 wrote to memory of 4140 N/A C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1152 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
PID 1152 wrote to memory of 4936 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

Processes

C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe

"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4624 -ip 4624

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 372

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 388

C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp

C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 392

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 728

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4624 -ip 4624

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 764

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4624 -ip 4624

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 828

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1932 -ip 1932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 2360

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4624 -ip 4624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 616

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 828

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4624 -ip 4624

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1504 -ip 1504

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1196

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 756

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5632 -ip 5632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 740

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\9A09.exe

C:\Users\Admin\AppData\Local\Temp\9A09.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6004 -ip 6004

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 240

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\AF76.exe

C:\Users\Admin\AppData\Local\Temp\AF76.exe

C:\Users\Admin\AppData\Local\Temp\AF76.exe

C:\Users\Admin\AppData\Local\Temp\AF76.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\4644e54c-433c-4ebe-8aba-621b53014f47" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AF76.exe

"C:\Users\Admin\AppData\Local\Temp\AF76.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\D203.exe

C:\Users\Admin\AppData\Local\Temp\D203.exe

C:\Users\Admin\AppData\Local\Temp\AF76.exe

"C:\Users\Admin\AppData\Local\Temp\AF76.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4060 -ip 4060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\DCB2.exe

C:\Users\Admin\AppData\Local\Temp\DCB2.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 912

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 876

C:\Users\Admin\AppData\Local\Temp\fi.exe

"C:\Users\Admin\AppData\Local\Temp\fi.exe"

C:\Users\Admin\AppData\Local\Temp\3A63.exe

C:\Users\Admin\AppData\Local\Temp\3A63.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4024 -ip 4024

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

work.exe -priverdD

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1060

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\7D3A.exe

C:\Users\Admin\AppData\Local\Temp\7D3A.exe

C:\Users\Admin\AppData\Local\Temp\onefile_440_133507574180011169\stub.exe

C:\Users\Admin\AppData\Local\Temp\7D3A.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
NL 80.79.4.61:18236 tcp
HK 154.92.15.189:443 tcp
DE 185.172.128.90:80 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
NL 195.20.16.103:20440 tcp
DE 144.76.1.85:25894 tcp
US 20.106.86.13:443 tcp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 willpoweragreebokkskiew.site udp
US 104.21.80.27:443 willpoweragreebokkskiew.site tcp
DE 141.95.211.148:46011 tcp
US 52.165.165.26:443 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 20.79.30.95:33223 tcp
US 52.165.165.26:443 tcp
DE 185.172.128.33:8924 tcp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 104.21.71.8:443 tcp
HK 154.92.15.189:80 tcp
US 8.8.8.8:53 braidfadefriendklypk.site udp
US 104.21.1.205:443 braidfadefriendklypk.site tcp
US 104.21.1.205:443 braidfadefriendklypk.site tcp
US 8.8.8.8:53 zeph-eu2.nanopool.org udp
NL 51.15.61.114:10943 zeph-eu2.nanopool.org tcp
US 8.8.8.8:53 114.61.15.51.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 trad-einmyus.com udp
RU 158.160.118.17:80 trad-einmyus.com tcp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 17.118.160.158.in-addr.arpa udp
US 8.8.8.8:53 brusuax.com udp
BA 185.12.79.25:80 brusuax.com tcp
US 8.8.8.8:53 25.79.12.185.in-addr.arpa udp
US 8.8.8.8:53 api.2ip.ua udp
US 188.114.96.2:443 api.2ip.ua tcp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
DE 146.0.41.68:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 racingcycle.net udp
PT 194.38.133.167:443 racingcycle.net tcp
US 8.8.8.8:53 167.133.38.194.in-addr.arpa udp
RU 185.215.113.68:80 tcp
NL 45.15.156.13:443 tcp
US 8.8.8.8:53 13.156.15.45.in-addr.arpa udp
NL 45.15.156.60:12050 tcp
US 8.8.8.8:53 snnclermontprojects.com udp
AU 176.97.69.235:443 snnclermontprojects.com tcp
US 8.8.8.8:53 60.156.15.45.in-addr.arpa udp
AM 92.246.138.149:80 92.246.138.149 tcp
US 8.8.8.8:53 149.138.246.92.in-addr.arpa udp
US 8.8.8.8:53 56b2f50e-b7dd-490d-ad3a-77cb31b82872.uuid.thestatsfiles.ru udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 19.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 8.8.8.8:53 transfer.sh udp
DE 144.76.136.153:443 transfer.sh tcp
US 8.8.8.8:53 server1.thestatsfiles.ru udp
US 8.8.8.8:53 stun.stunprotocol.org udp
US 8.8.8.8:53 153.136.76.144.in-addr.arpa udp
US 8.8.8.8:53 ftsolutions.com.pk udp
US 64.31.22.34:80 ftsolutions.com.pk tcp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 transfer.adttemp.com.br udp
US 104.196.109.209:443 transfer.adttemp.com.br tcp
US 8.8.8.8:53 34.22.31.64.in-addr.arpa udp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 188.114.97.2:443 walkinglate.com tcp
US 8.8.8.8:53 209.109.196.104.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 5.42.64.33:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 146.70.169.164:2227 tcp
US 8.8.8.8:53 164.169.70.146.in-addr.arpa udp
GB 173.222.13.40:80 tcp
GB 96.17.179.201:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
BG 185.82.216.96:443 server1.thestatsfiles.ru tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.183.220.149:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 stun.ipfire.org udp
DE 81.3.27.44:3478 stun.ipfire.org udp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
GB 96.17.178.178:80 tcp
US 8.8.8.8:53 198.111.78.13.in-addr.arpa udp

Files

memory/4636-0-0x0000000000560000-0x0000000000968000-memory.dmp

memory/4636-1-0x0000000000560000-0x0000000000968000-memory.dmp

memory/4636-2-0x0000000000560000-0x0000000000968000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 194d36596016f52a59cc6163a5cc1898
SHA1 db46517b2906cc7dbe9f3f477e009476b7fe951c
SHA256 a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
SHA512 f2a72893453e58deb92bd51792b98a04c6ad1037e356ce082894fecebc4a4f440c6fad165cb8be7721500afbd99ade88b7d42db29bad4eea504672807d3c7d09

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 a1d3566902c8ea7ad55d41a8d8b5a237
SHA1 ec64f23944ce2c285a867e352a24541653157607
SHA256 7eac0c3855d2bd06fb30d60a51819e3e3533f74348ed3e701bd1b4fcb2fffdbc
SHA512 f7ee149b1221a3ee8849350b0676fe89a2b059ada2cdd3aa630bf2833dd1b8b7ee0ea53e86ee1a6af62f489c4f4b9dbf0b5c89359267dbccf0341e69e62e434c

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1152-15-0x00000000006B0000-0x0000000000AB8000-memory.dmp

memory/4636-14-0x0000000000560000-0x0000000000968000-memory.dmp

memory/1152-16-0x00000000006B0000-0x0000000000AB8000-memory.dmp

memory/1152-17-0x00000000006B0000-0x0000000000AB8000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 86dcf064474fd20f25006f96ab661f01
SHA1 69375b55e39c2bab40cc6da7896762a56d631d91
SHA256 d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc
SHA512 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

MD5 d177caf6762f5eb7e63e33d19c854089
SHA1 f25cf817e3272302c2b319cedf075cb69e8c1670
SHA256 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0
SHA512 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25

C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe

MD5 d9468a9882dbcdcc164e156a12e9ce29
SHA1 8b69c825833d00f461526958361a8ce0005b50e3
SHA256 5f51374f8d96f1b8872424cdfd41e1529f8d1b4d95593196bce26aea701e68e2
SHA512 c7ec28c893ed354650d020c6511e47f518c96e662a2d830aa2f236304fbaa510c8c9aa166bb21129feb7f11c7b7a21ad836a4928798143773c7ebb17f5d38bef

memory/3484-41-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/3484-40-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/3484-39-0x0000000004950000-0x0000000004992000-memory.dmp

memory/3484-42-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/3484-43-0x0000000004AC0000-0x0000000005064000-memory.dmp

memory/3484-44-0x0000000004A10000-0x0000000004A4E000-memory.dmp

memory/3484-45-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/3484-46-0x0000000005690000-0x0000000005CA8000-memory.dmp

memory/3484-47-0x0000000005070000-0x0000000005082000-memory.dmp

memory/3484-48-0x0000000005090000-0x000000000519A000-memory.dmp

memory/3484-49-0x00000000051A0000-0x00000000051DC000-memory.dmp

memory/3484-50-0x0000000005320000-0x000000000536C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 45318ecf14a2f37f7fe1341c7173c37e
SHA1 fc1f84af4edb2e678ed4da085d5543551d488a38
SHA256 cfb52439fff5f51d07a9041285d386ce5cba53b074220f9b5dbfa1d7aa3a530b
SHA512 322bdec5d496dce8ee8ce1f13942b0657bf157b74cc2d0e3d9a12df91ed641e73d0eaea2dbb26003b661666fa32698e8a39b6f432dad182de313d78d5e0c6dfd

memory/3484-60-0x00000000054A0000-0x0000000005506000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 fd542048e59d74ee42bbb3295bb9aa34
SHA1 59e6c8f8e5f0373e21071e7f7dc5308f9ddd4b11
SHA256 89da75114497a34ac5db1d0073e3c962463b119598d4d4296425a59df15e34cc
SHA512 adbf683ebd6597eb89ba518e8c283e54937010b07b9ad772acf297637cca373a336327accf2c5fdc8226ca185400dc52d16146be2b5e44705a51ba8cf90b79ef

C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe

MD5 d8018b7600235a8921fa563b0192321a
SHA1 d8843d6763803fdff4af1a3924fa1dc6fe769359
SHA256 87a48071259390f436d3d09e3de8bcbec3c410f9a2e04a86f6562e356e9a312f
SHA512 5395be9ebfb64fc4ccbf1c9a859fb5b0e36a0ad8fd70cb1fbe70113f80736c7f1a8d8bfd1155875f8e49bcc4c0d1432170a5db2802958bd419f2db6d762b1740

memory/680-72-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/3484-71-0x00000000062B0000-0x0000000006326000-memory.dmp

memory/680-73-0x0000000000110000-0x0000000000A58000-memory.dmp

memory/3484-75-0x0000000006370000-0x0000000006402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 c5e287d992e1a5f31664e426150e5810
SHA1 83d364d32e7b06a5053396654c46c8ef507908be
SHA256 d15094043dafff858110fa749eeddf5fbb9da4d318795ba875d5ae517fe65722
SHA512 dfa73eb9dcd0a2da9961a198c123a25dc195cbe8eb26e266ff7836918c1371af53fe6f1cb5094cf8bf1724a3abe98a99f219e8c84e282e6aab30dec69aa2ec44

memory/3484-80-0x00000000064A0000-0x00000000064BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 b83e101375d0863029dfd1f290f6b0e8
SHA1 476030a3a9f80ec5c7904b7950aa2561532cbf86
SHA256 fff64920a0cd72f4b6a772a6a319dfa905631ddc02f9a4a2e36bab55dfc7d270
SHA512 6b8195f5c2bfe4a4aa23dd2f4bd85bc729105ec63f9f38a7f34938e95a0c03987e912bc90f4355e8acc1c77c4316cf88e184cc1f19de73cff8360e450f4851ac

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

MD5 ac1fae80815183076b2e70376aa50504
SHA1 7716be4ca12b5f6fea7ab115f41de54fbaa3b461
SHA256 9392de0e01d4a24c0ea3cb7aacd49888e3161c675acb8594b22b11b04b094f6a
SHA512 b52ef499ad20a32c4f5c1fb33a2fc18a6bf828e9480fafcc09f725777e1c8bfb1d26a6bdf680005cba400f61332e3620abf9042306269d5f4adb52ce5b38254a

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8b72e1c038e70ccded70c3142de91b8c
SHA1 14cea9bc828e819edbc9fb811e6cad952e4cf17a
SHA256 5414bcef10ed6aac86421a93a2be1ddf072112dd71c2169136ef3cdd7f1b285d
SHA512 8680539298e83f3f32851d714c93c078b7829dfe17baf447f172dd3e5b5c2df64bc6d141ef2a06c9a17fac828153ebd17ba3edb342d2836978534947c3a30bdb

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 5a7deab7f20915b04cfdfc8b9cdfd7ed
SHA1 09883735857dd5c389488fddc71e0d9f0064d625
SHA256 a2ef0aa4d48192c565ea2ab2ac1d4d3961e0d6cebf4315fc9eb3c4da561da48b
SHA512 c3ae60f7ea0820dc74d33f71771270a39bb6be1e9ce13bfb2ad7137b96733f3dee18b487e5097b02c558a0007e01822aeb5c12042eecb8f3ee7e22d2b775dd61

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 48739109cd3563730e16507cdcb4e989
SHA1 383955e757e4636211a400c35e1dd8fe7288395c
SHA256 5a88221348d60a771997ddd0ea660650056f0c8db3ac7f816f60c31355f7377d
SHA512 26a6a372ad0ec031058c3e24637b4b939996b71508911d8ad9f01f267360ae8680f7c6df7fd1bd097ce51596844edc0eb358ff9df27133e80a603dd6146bae5c

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5c88ff061ad198142e83d44940e68c82
SHA1 b66ecb1c3f262744c8115029b7753a200bf82873
SHA256 043aaefb797a6e68ddc0d45dae32720243b6e5cbd35fc900fb99947c4d20b7f0
SHA512 d57e6b7e1b033c62b5a2e70e5a1957b26fe4818bda42e1d436b811241ffe4bc619699f7ffa172a108533e74a75a3aa7872f0db01ccc59395275511a40fc658cd

memory/3076-112-0x00000000004A0000-0x00000000005A0000-memory.dmp

memory/3076-129-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 08a7ab563018ae02476f6765e37a7d53
SHA1 4f049b40aada0dead5f5f5944863792a352c5592
SHA256 38e169f5fb2fab82a2005c93d8e45828cab9617850886428824c5799591d2f6f
SHA512 3c52fe3bdf7547b96f72b2b4ac6a7ccdbc0ff675490a54682349b572c9a1f2c493e3d1cc77110356f398ec316f9898273d1a81f9ba7244b21335c33e83cd6e3c

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 82c837b39d806c045a941d84e4b77de9
SHA1 3403e1511eb4b97e8cf63fcafecfeb6bfb93831d
SHA256 d47dde6a06942ce746c136490332eb40590689bdcd1e346c7fbc5c717dc94e65
SHA512 53d1ff35deeff41b9864c81222c01fa5c7c92561d8c5cb4bee2aba6d4023195622f2445329c019c68e2171963643ec33c9bba57c1ba4ccc76e4aa2d660df4d69

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6989c3dbd1f46f3fc191cda8c09a1e52
SHA1 30db4cdc6cd5d1b8df97e228f6ac9f3a3f517fea
SHA256 9b60eb9c97d822219723060a033db585ede481ff24704a3e9755e83a8c21804f
SHA512 75dbf0a99eec8268773c7cd01fdf4846fb74f6bd68031b315053434434f76365adeac1b6cc6c67ff4b6d89481dcb7287b3260aebd65757bad5e5f851a7db0e38

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

MD5 9a89b87509405651e0defa8e2c3d789f
SHA1 63767cea85cc4c346ed428c40a7398edec8693ea
SHA256 f3d305e29d6d911d1f93962050eec90946d0cdb1053f10e26c7184ab0a51728d
SHA512 4bc06bb950b9f1fcbd1d87a427238fe1b917c4b57c06ce9408ee371f753d4aef3584cc0128b8ac352fe623c6d0a0224d347cc8cec22afdffdab186c3aedea7bd

C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe

MD5 5d89d5b7a3e25404bba18cbdbec78e62
SHA1 f86a47fa54ca0f7ffcb03f620201f5c7d68e429c
SHA256 416792c60e5f46f5d6e29892556b0003bb33f8c3e30f1254b00c713521e76916
SHA512 ad5347c4ac92e8eb719da7e3351431525cea1c9c5fdd2de3d85c9e72b856d853af9a48855cdf48a88172a69aa78fec284414f78c3b934f4220b72d7a4772666a

C:\Users\Admin\AppData\Local\Temp\nsr97CC.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/3076-117-0x0000000000490000-0x000000000049B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 4fe7bef521345515a1a3e94fa4a25c3a
SHA1 081fe1bedaabd9586b4c3af635814de71d41467d
SHA256 c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4
SHA512 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec

memory/2732-133-0x00000000008C0000-0x0000000000912000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 7b71fbd072514dec46d0679a8e17f80b
SHA1 b71b87db7d2d32f79c31871296a7eade8932eb75
SHA256 cce05be2cbdc5e963fc88871ab44e1f13363fa555836aef3af3ad042a67861eb
SHA512 d51f7ddabfdbbe401d07d3a5ae59417537285f25121b92d88c0e2aab2b67c3d3ae01642a6a183fdd084636516025aca5d12d083e972ebc8ce51942a3a5ec8917

memory/2732-135-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/3484-134-0x00000000068C0000-0x0000000006910000-memory.dmp

memory/2732-142-0x0000000005390000-0x000000000539A000-memory.dmp

memory/4856-145-0x00000000025A0000-0x00000000025A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 7b3e1ac799bd8d7115cc6be790987970
SHA1 666b15ad96cd6d52f1e230136e86c61bc7748a91
SHA256 b5797522d0206cd9e466a01c9aef49130571146cfe1cf92d226b50236bf2eeea
SHA512 980296055714ee87bf3704dd424b82d75b997d47c11f74c14eaeb14bca16d4dee3bd78eb7d674520725646af65a8a3aa4b0a4f6a76276070eb9a453bebf8ab85

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 b8a6b464e4cf53a6183e9d3417e070db
SHA1 a070842d82369d74f15ecbe71c4acea3224fce86
SHA256 6b8f2c54e623bc1243d3465aad8029287536b09009bc0e1f8c22841f66defcb2
SHA512 fe6a748eed3c20a7985950fe4108c88bc71ec7ab0794b14d0c965f6b92205b1637cc119f50a883d7bdd0617b650057783d835cf9c9c4485a51baefb840080b51

memory/3484-155-0x0000000006650000-0x0000000006812000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 c4b225c3ed059a4643203535663ee57d
SHA1 30d77a094999b080ca82159973ce84ed08ab1e6a
SHA256 2c9a50630a5c2c81a4b2dd56401166db6fef08f1430bce4c4a3b93601036004a
SHA512 4bc096d75709140e888d9947cbc908b07372d2c957dd1c0df252230e4fde3a9c70f4c90d234c8bf8c3c20cd0f9d005f25a9253ffcbe1d2ae0b2c06fd7adebba0

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 b7a0b291921bb7a95fcc215f82ed8acd
SHA1 e04e0705426c1c35115ab00210f590c6295566d7
SHA256 157ba58474f4c550ef9fa443d479f431e952ca56d71f3d0e23f479d3fbeae481
SHA512 5296d4f4f77a1c4c7efd947769d85963aa8d1c50c4c6dcb062ab93aba9716094457582f82d819020d0e9c274bac21256a90918afbf98ed7ae66e55050a3131c3

memory/1152-148-0x00000000006B0000-0x0000000000AB8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 7442ea138b340ef84f5e32622b30fcaa
SHA1 addc76b28a23a56798b762bb8e5a9f0cd21f757b
SHA256 24f1265f0cfc4af9497e4f66182bb72af5d5bccd4c1c9cad57ed07f6ea1a6145
SHA512 5e1b4c394dfc8eb032fa8ced80c56a15d39886a513b1ee0741fcec2fe5e41f5179c7fdcbe0a17c9bae5650d2f0883f0ff53e270a4ce7fe0f3bba3e956852bea5

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 a6fef0562abecca0d7b3567825ae5b99
SHA1 2fa30153197cf09fd9bc36a26c062ee69644be2d
SHA256 dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b
SHA512 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8

memory/4624-143-0x0000000001170000-0x0000000001577000-memory.dmp

memory/2732-170-0x0000000005370000-0x0000000005380000-memory.dmp

memory/680-171-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/3520-176-0x00007FF7752A0000-0x00007FF7752F6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 76b257acff76f84889fce17a00d570f5
SHA1 75c0854b4c50e97fc40da6df752a9c0e57787d37
SHA256 ec71d1d81b7a90c8667f7c90d0206f100a3be0c8fc14845d263ef84e45e82c7c
SHA512 68084025808d15262d1288b79efe291ac015a9f3c57331078e71ef850a3c8aa10b06d1ea95922cf711e94b778e08dcac20497ba6f0ca12077552846fd53ba475

memory/4624-179-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/4624-169-0x0000000002E20000-0x000000000370B000-memory.dmp

memory/3484-168-0x0000000008510000-0x0000000008A3C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe

MD5 291f1779234533e698b556baecbe8c33
SHA1 d7fd9e99636365b19ca197a1cb2ae6d881dca9b4
SHA256 2ea7b877c161ab3feaed83bbad8a0fc3847ff67c314fbd38309e797b5853444f
SHA512 48ad82e9576c48c1c8b4f93bceeefc3ca2e9c809dc3363edf7921cfef9093c79bd8999f9edeab810e34250f923dd223c7ff7f55ded350cc8f11f05d45d604a01

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 05ce0544fbe1ed4d5cbf002d88a9e351
SHA1 ef5b4afe56af7ddb8fc8718dedcf20eca6865825
SHA256 8109acb44e7b3e2bb59955c1fb0ce116cd276f2cf80bdc86e1ebcb9b11600e9c
SHA512 92773d27a1fca3ac99db03f6c64434cf9368d8a12a0e05bfcab3ae599797159412385693fb5fe9d1e873258e7e3e3b0e70b5f67dbaa45a134da09570b59d10b9

C:\Users\Admin\AppData\Local\Temp\nsr97CC.tmp\INetC.dll

MD5 c7ae096c02849c7eeb07623b18de8a59
SHA1 9f57c75aa9f96121413a793d356d876a09f564ca
SHA256 711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0
SHA512 2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c

memory/4068-207-0x0000000000E10000-0x0000000000E7C000-memory.dmp

memory/1152-205-0x00000000006B0000-0x0000000000AB8000-memory.dmp

memory/1152-208-0x00000000006B0000-0x0000000000AB8000-memory.dmp

memory/3484-210-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4360-220-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4068-215-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4180-221-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp

MD5 cd2f9fdeaebb83a5659501b612e2fda6
SHA1 d63ab664522c1810c7345b09e5f9bde8165ed827
SHA256 452c54eb8295998ddf268c0fef99578dc3063e3303ad5335b808c9bf4a809f69
SHA512 6118f2f1dcce01ae9ac6d06551dc386b630b9cae1578a73420e33fc116566028625c520abbb4e62e7cf1a7b6a9a515958877e795bde74cadbead2891cf5d80c7

memory/4360-235-0x0000000072B00000-0x00000000732B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp

MD5 a5cf199caae465b0b4ec87750f179f4c
SHA1 746602eee6965d4861301d5435c733028e950beb
SHA256 dbaf4ca18c4794a792af604abd7bcba11894e077c5db342e6b340606de4e4a9c
SHA512 69c892fe423844a05067c27055fc3623afdb509d470f951d68509836bceb6405532ae9a2c214f44577fd40bd601d58efa2762355e39ff250aabd02a7f8471746

memory/3448-245-0x0000000002950000-0x0000000002966000-memory.dmp

memory/4068-249-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/3076-259-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1932-264-0x0000000002C70000-0x0000000002C8C000-memory.dmp

memory/4180-260-0x0000000005470000-0x0000000005480000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 8843162fe90d0883aeef66757a3a6434
SHA1 56143a12404fee069b653bfd7156222df28908fd
SHA256 1a8e2d73f1cf272715959887efb83718774ae251eb23497c1ed3bca118887f68
SHA512 4451bbb42f55d23151ac8bd7e8aff66dc19324fa395473aa2cc2a557d9538f28eb41f33247c5b1e0cb05daf3bd5e4e290ef2331c075d0fa0db816c558fe7293f

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 85f91a60d172e9baa50218714a6c04ff
SHA1 dc4aeaa521308874aedc64f9a2ef0cb8d8cffdc2
SHA256 de4667f678649d6222a295b8f83ef3cde799f18a8a3fe1e78371dfd28119926f
SHA512 88e3cd102260673921099de22f417ae9c38d7ddd491789e977bbdb333b1470889426170d6b7ffffd96075dad1eb60bf059bae61f97d804c8b7d10293ee2bafbf

memory/4360-251-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4360-247-0x0000000072B00000-0x00000000732B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe

MD5 d7fb8d664eae6c371352283f34359df3
SHA1 7391044ea1abe47cbcf46122ae747376c0cf9d98
SHA256 1d59bdbf006aa855c3803d00fb8f63b161dc7b785011919f0cf6e10da6002501
SHA512 372ce73d09f12325e60dc51e4d3d72b09b1e0ad56571cbd7ce427836b0fb2a05344a9604b7eef4fb961ec430997c270180fae40155b9917a5a7fd4e3a65f5676

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

memory/3208-268-0x0000000000AF0000-0x0000000000B46000-memory.dmp

memory/4360-202-0x0000000002060000-0x00000000020E7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 dd4fcd3ba23a6be123aae46d2463a2ac
SHA1 af322d5dfd3f0cde338ae859ca91fdc625084dbb
SHA256 d5b5921e7064ee185539c9367f7e430bddc66c2a79361625da97e099e6efe6d4
SHA512 4ff4e4bdd67fef7f530ab39d18fe5dee0f232842f562644c661114fd49977029a663dce1aa8fed1e5dac7c7f28ff6f710eddacd9d20d332ef133f7951a06a83b

memory/4140-285-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1932-284-0x0000000000400000-0x0000000002B17000-memory.dmp

memory/4360-297-0x00000000005C0000-0x00000000005C1000-memory.dmp

memory/1932-301-0x0000000002C90000-0x0000000002D90000-memory.dmp

memory/3208-302-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4140-303-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4180-300-0x0000000072B00000-0x00000000732B0000-memory.dmp

memory/4936-299-0x0000000000910000-0x0000000000964000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 427805b4368ec423e44e4ae7bfd24f84
SHA1 ff57b8fda893e0a778cc952bdefba5dfd0da99f9
SHA256 324914bc0fc5a6d2053fa6959b02733bacfa54d4a5a88ef1b70bddeee389c1ed
SHA512 4eb2338e8010f8486b2e0ecdc03bbf04a3a2f9dadd803056a19b3cbaee7894c5911c6fc35a4d5abbe51e250269e1203dcb30e2573e453dc2798c64cdd689e8db

memory/3484-306-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/4936-305-0x0000000072B00000-0x00000000732B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe

MD5 302623f324ab143623da3c5485adc397
SHA1 3547fae1ecb54c0f93f9f2cb1d3e9ff33fd1cc2a
SHA256 f7c6b97401a4218c24e81167f963fabb4de5a66662585b87704e058ce3dfb13e
SHA512 4ac4cae4b32c9411befdf24d362f37f8391ed519dab8fa996f5c487ff19f0f154bc9d3ee11bd91ca8b1324ed34888b3848d122fae99ea03ffd383e62e1525ca5

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/4936-316-0x00000000054A0000-0x00000000054B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 deb1ea97a52721fa4872abe5d648fb7e
SHA1 7834683f935b333e2cb4952c1bc201a853def992
SHA256 77e225e20e6019b26c8f28f33d5fd87060ff53dee0e2ec7113d2e76ed36abd53
SHA512 ad06adc814e90da6da2a223a5affe405d36fbcf86bcde63054d4bc5d34edb12f138be151831ab4aa7d3e8ce6eeae55f4b519d5545339169febc6a3fda79e110e

memory/2864-340-0x0000000000120000-0x0000000000128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 8daa84ebbcaa0439fd38b25b8ed6a54c
SHA1 b177d8ece0c609f43f4c9c170b584695dc8172b4
SHA256 3a8e906529a950d6e91c06f50731be525bdf710594823550954ad6bd5141f4fb
SHA512 f0fef934ef0ebe81eff0617fc11fdc9b5f7cfc35bc689316e515679bde624f66820ec18a439073fb736c59f79af464e04f940f7136f2a23311825ecd7bb605cc

memory/3484-336-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

memory/5008-339-0x0000000000590000-0x0000000000612000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/4856-357-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4624-347-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/3028-358-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 a63f4d4ad5647adc98d64bab955ed63c
SHA1 28e36a789d96213e520f62827693eb0c29b28144
SHA256 d000ec66e7b548761ed007bd14706a52919842e892fee3916bb58adf6c327acc
SHA512 09fb05f82eceb14db10def2bbb1f854f28f949e14dcaf1eae2034c12ae0c04189d115c3131275ee2386bf86de9bf618336af5ea40f3ca7d6c42e4710c3ed11e6

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 275cd4cd7fa97d0267a340a624e8a5b0
SHA1 21e103572b126771e3f027428c616ee8277504ee
SHA256 6e864a26756055a46273d5cda8c70346b8c07536b4cac20ccf545c2b30cb3a77
SHA512 7f792644f45af0da2d93e1203a39014d0610c356d74ebba24287b71d6aba8cb4775c354828c8d699eb1810f84385b3f2ff821d0eabd16b1e6efaa9ce4515619f

C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe

MD5 61b1e9a0e9304cba603fe6c76e2bdc12
SHA1 632d169d711f8fa899483e7325d52c9b064b4a10
SHA256 fdc69cf6cfe06eb53a906f14e1f9076f6047936c47935f85f1d2137e9695ec9c
SHA512 09581836e7e4d1878b04bbccf15cef99d35f9bb7f2292c4e5d083e452b779baf67e62b140861e87f4b0a9b1de1b8d91906b0fa13cd72ac83290897904ae5816b

memory/1932-375-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe

MD5 a41bcaa5faf1b180540a34efcd72ca61
SHA1 a31e3bd50ed844c35150ccb841478a0d00012a46
SHA256 0bca5aba072f21edbe8f5581e50ce8897ff186c31e99eb9907a34de472e87612
SHA512 93faf916ed11c4fe453d9cce0c357634bfbf6a8d371044cffd4426d3e87b6024cc968f3a30cf29d3e53aa160849f5b063f9cb1360e3d2298ee5954261a0eff32

memory/4368-382-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-385-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-390-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-406-0x0000000004B40000-0x0000000004BDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 47923c6d2c56c851ca426547d73ddb25
SHA1 12ddb5c2afc681fd99ecd10a00e6b50712ebd66d
SHA256 72befa929be91712f6eb93d6a286c24df6480337ee07f9b2a5a55e876d7b6a3a
SHA512 4d059a02b6ff1b1dd5217c0273d5f1592c017422fc09dcca7723dfa1c65931ed9f4c40040b627afdb90f7ee95de08fe5631019e22482d2c6462d907f1b5368d0

memory/4368-418-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-425-0x0000000004B40000-0x0000000004BDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 b1e2e51e8d3b3ec760d1cf94aca52ccb
SHA1 2b53e727f7c6b7b041324c50a088acb407ed8364
SHA256 2ca6f6dfc9d439efc06264d2ffe2e43510b65b76d829ec54459a78b33d6a36f7
SHA512 795aa6ecc1c5a4eec8c8f903556545011cec361f8d84d1a49cac9d8d85bb1fbea3da86644c85563eb040a9806c6ac1e09bef7b0631c027d9cef8e62ee1dc8604

memory/4368-431-0x0000000004B40000-0x0000000004BDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe

MD5 096517e479e8da1da600888f2f7e408d
SHA1 c399ed02a26b658a7ffad9df86c569d947daaa17
SHA256 36ef778edf62b899837ac6ce221a75456b9693284239b826ac759fb66c79bef7
SHA512 85e638ec48d4904cd76add2ac51a9f51dd00da1ab0df0918bb96476ab06ec97bb671bd0827e0681a62540502ba48923a60bcd8193a159e184d917e7eaeeccddf

memory/4368-435-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-443-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/1152-446-0x00000000006B0000-0x0000000000AB8000-memory.dmp

memory/4248-452-0x0000000004ED0000-0x0000000005075000-memory.dmp

memory/4248-451-0x0000000004ED0000-0x0000000005075000-memory.dmp

memory/4368-456-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4248-458-0x0000000004ED0000-0x0000000005075000-memory.dmp

memory/4368-450-0x0000000004B40000-0x0000000004BDF000-memory.dmp

memory/4368-470-0x0000000004B40000-0x0000000004BDF000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 13d0884c9089d2118f3aeaa368a2c135
SHA1 68052e28c79ceda019076eb28601696da430cca0
SHA256 e2fad8befcd09cbd6acd298e9ac424bb7fe2fe6715fc9f9daaac3031921752ef
SHA512 2ecb2d96d66b87d5315ecc7b01148b6332658dc177306e021a4d8c81410f39c4d166ef56b1fef7532bd27bb162ce91ee6a70647dc36215a11eb0e08dd939441f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 1a3bc71533ff8cde574f897503576bf0
SHA1 d2d805d3d1f08e4fa60805744d46b686e832c77f
SHA256 3bb74e53ba6d30bd00321c4036085b95c34a54663ee0545c4f9f9dddd275ebd8
SHA512 25c0db4c0eae5ca47a5049c70c0f5f85ec94015c9a38138e1203897c7eface273ab8eea0373e4b2b03ccbd533626b749602c4c4cf0b55eda3e1d476c2c21f686

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 2d751abdc1481a755744981c3cd68dcd
SHA1 0e3dd7cb8aa297e40a86cb9339566c51b1487319
SHA256 cd027cdc90e08109d7dc90c040d2b0df5500818b33596785c24f24f6acec2ee1
SHA512 fd544923db13e53fda69cb35235252131674dbe53750f504907fd9480569d6980dd7d54c80a0260d2aef23133fd5fee61b6adee33edb0924836b3b8dee8a30be

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 ae9257f4d640a547e37e1648933aa15f
SHA1 2644c18670ae4af40435cb6e5ca9c81aa681b872
SHA256 d2d94ac48935cfc01e05908a07d24cd61ef0ca45259a92f776566e78b241ec70
SHA512 53857adf175bf438c8c90a827b02b91dd631a36ae73b7f13423692402c91fbcfda6626abd3d05fc135d0c605a95bec2f3758bf8aa60419232e85c07ff6a9a01a

C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe

MD5 0a5fe479126856438039edcbf5bdf2dc
SHA1 056b676720c6175ce6e1e29943e3284da68704e9
SHA256 e54ebc07acf8e4bd5be7f13493716190a35601ecd64ba25199e0d963cc4aef5f
SHA512 81b5b7be1fb2ffd99f28931d02d97ee07755ee4170b89ad9c6c634485c37d11906e7cad0b72e31cb4e22214a0dc78ba568c49549425f544ba5a5670d12c9683a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1305705ab4eb7a8ff5a73874670d91f4
SHA1 a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256 d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA512 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 7c6158126fcaf750413a7930915b308f
SHA1 caa1e195ea7af6169a0e6ac0709223557998792b
SHA256 13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3
SHA512 d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 f9a61fad8fc3f9d34df1ff547c998dc1
SHA1 fd015db6c2696ef00743e25ffde4fbddcc803a8e
SHA256 c4574eb151978ae571fd4314eb0031274f31dfc2a8eef9fd12a9ff8d5f5b65d1
SHA512 6da8123e21c79d0a375e8874d86440543bfa87c4789a7fa255f1fbc109dc2201042702e3eb66e2218b358bb02160e50d402dc0b5264dcb935c1b979afd284145

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 5367e6b786d6bb21cb8ab6cee3ca388b
SHA1 f98687808088f88b03ea159d502e497f7366be69
SHA256 9c58d2ea2a01e04bf1428b15a2d076a10b3a6ddbfc5a6d15ccc57733047a6792
SHA512 f2fcfc69bff0200715bd119b9817fb3472398c11258c716642a810ae795a9a3f57ea6fbc7ebfe109c183fe5d072f03d35ff937fae6310f543363a2a75f9792f1

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 c9944e129fb149c95a33880158d85543
SHA1 32878df9e6035764e5b4037c5234810ab6425dc4
SHA256 098e8c9f7c0706b0fc8429f42265546ae980cabe18efaa8e797259241c91c889
SHA512 1588b18faf7a8dc01609d04fc9aa22b6f78f210a0ea771abdd24e13061cc5a51bfdfa7d14b5b0862e4de784998a6e445bb3ba4340920b84e995ecdd14c93d0d1

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 1f2219ab50ae35beb17567c2742a7677
SHA1 ba28551e186ce036a31cec13b5c08b90abc7d8bd
SHA256 63a60f5bcf2dfb676fcde5b75c01410f608ae0f4c39b4dd35e575bf83b97e838
SHA512 e9c6d6537a4a5c3439d37bd948b83878ef037a814113838aa4f22934ab0be26b96116dd6ab59881c458d084c3470488fe87c648d6cdd086791cfe2f956f1318e

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 89a7ecaf1494e323914889ce54bdc0d1
SHA1 29cc1b5462b53d1ad24361f60f15513e67fe0f14
SHA256 eb20b51883af507b2e3b2e5f5a22ea053dbaf4084892b19bca39f28215e45999
SHA512 ff5c3ce995a4922fe8f5d78280dd9188c1514292a6ddde2fc56b624fb01906667825a03f1ba78d495e71427a503e95c677a9dfd781aa721b08f20a711b330f66

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 04cdfc611a4b15c1e8e7bcfb618f7a30
SHA1 1f0a2f5300e1c54b718370460e50a2e371c5c97e
SHA256 fdfc04d37300bb71170266d5d8922eb0926c878c3e6af40fd88f5004a332d7bd
SHA512 2b32e6fdfdb1e3e6e33fc4f9c59250a4f157140006619148ca25d8fcdd0e3f5da0d526fd3827bb06074ad011a095a1097321379c251bfd8120e1e6fb179380c7

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

MD5 b0207403d88821b832de621a94b59d03
SHA1 3741a24dde7c6900eba946b19cbee4a80ef0c7f6
SHA256 7dd887c47479f93f6443f6eb3b6e780f97bfa4a8b0867453acf6594c08c699d7
SHA512 395213d4a2a25ed8070ee83a4c2c941c8169874c90aeb15c458ac01bcdb08e6cd092e76e7406973b961ac008ebe5df4e866910f6d4612c47beecf45055d29124

C:\ProgramData\nss3.dll

MD5 aa2a4823b87d7936fa94f1d909524735
SHA1 773c2c872f52b95b25acfa6e24598114bc0dfb6a
SHA256 fffbf92110a154f94ed11b306cc6344f3d3b765b01c0cd46f9418b5a2923302d
SHA512 419b70abab0c4644b025929fe6814dbec3f2e6d9997fa7fafefe3b233c32b701299abb9f85a1819e5b1affa369fafbb7fa185c98b0b459055c6aa5b2791d4174

C:\ProgramData\mozglue.dll

MD5 8f77166b0e074bb325434eda0ca25a81
SHA1 b3a75acf37aad0d44eb49e9c5c7488d389b531ea
SHA256 5d497070239c93fed6cb2319e44d30d5a3bb0460d83f19f314090037d2a92267
SHA512 5d9e11749f6ce5f5a389f32687f9f4c1a4728a794de78a5cd96b84578fed1670079e3e2c4de0e3dc363d8927acb273e23c609dd254e79cdbeaf61d9a001fa4b1

C:\ProgramData\mozglue.dll

MD5 d89e169a92f49a44be629a0b76f7b793
SHA1 808bfead02560416bda7c1531c7a6f01f8932050
SHA256 bf65e03dd51d22862a26911fcb5604ed1b874b34e818c9714676b297741b0be4
SHA512 bcd3d2e440a9cc9a8093e24f1628d6b5ac05453114a9d4fc62484ea84596c99ea0c0e80b9373ea8b013cce7f63e27ce6287a48c6c84612583e627bb4aac59ad0

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 706eea9a934fe9c2c8038d55d599fc30
SHA1 36a5dd871d7854786c0d2170adf52b029833381d
SHA256 d40e196c0711896f1381edad77fc8d4cb2d106689bfb8ee4d71e0b371b974e5d
SHA512 a05d7024fbbdfec34f977dc8b01101d822d523325e974be6419cfcb7c045534854f7498db197c53eca8b2eda8b3b54ccfe889756a5b71a9751544da57b759df7

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5tjzny3.qk4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 e7f7c1deac8d26e118fc33d4f9f01216
SHA1 05a0f7425e8df5fb498b0e94d02245d18e6e5765
SHA256 fd702d29ad474574634b7a1da442fbb752a65a342ca88282815c78ad3d82e0d8
SHA512 f8e8f949cd1c49a7b48ae3d58457bcd1cf04067d0ae7a30add27a8c233b57a4dc0c98ed98aaddee6a8d02f8894ab30cde4f261a37e0903ca9100c365e8742af9

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

MD5 dfb236d83a8ea8fe6be09e99e927d707
SHA1 68d39cf235a53b763e85c17f00125dd7c659fc94
SHA256 941b5000a7a34059fcf331503873f05b14356647725eb63dd3fbf2893ff464ce
SHA512 7feade50b9c4558cb0a90665fe05739e5f69af1446ecc12e73f799c391117a8e829cba996557d25b0ea5d71f34730e540cbe733f0dc2ca4ad43a44c45ac642bc

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 763ce0de077d6e333eb48f7f09b754e9
SHA1 e82a2c5ff84c4334c0201dd6a4aa209be461c638
SHA256 ff2b3b6c0aa2a6c0d20631dcd9b14926dbfa08aacd2a7b40ca6d16315a42586d
SHA512 4c18be5aab8a431783094376a6d0916db626f099cb8af1ef4ae87241675404dfd42cbb412819e37c104dd09e0e38ca3df3cc804b9d82d644c302554eab17e715

C:\Users\Admin\AppData\Local\Temp\9A09.exe

MD5 051acd118e84612a34e8ef3ecc44a4a4
SHA1 ba50cc48379f01d9c737e4f4df60e8907374e0d9
SHA256 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422
SHA512 fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851

C:\Users\Admin\AppData\Local\Temp\AF76.exe

MD5 0a3303d13df2f74ca52000b263bdd8a1
SHA1 a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20
SHA256 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517
SHA512 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938

C:\Users\Admin\AppData\Local\Temp\AF76.exe

MD5 ac819f377c02c70e690af558f555316f
SHA1 cb97dfbd9f83a83e9839c48372d7421c03494118
SHA256 22f44ee1ee9e40bf659ac3df38a8ec05e83bcdc13f4d158efb9581f3f210ac59
SHA512 7a8763ceac98f0ebb5072fe20f54f897630273f8cda73554bd2c16d228b99d4a69a6c49b4ed2e6da9dd4a7a09fc5616057436b12c218445ba27db908d1bfb46a

C:\ProgramData\HDBKJEGIEBFHCAAKKEBAEBKEBK

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\JKKECBGI

MD5 9fee8c6cda7eb814654041fa591f6b79
SHA1 10fe32a980a52fbc85b05c5bf762087fad09a560
SHA256 f61539118d4f62a6d89c0f8db022ee078a2f01606c8fff84605b53d76d887355
SHA512 939047294ebfb118bc622084af8008299496076b6a40919b44c9c90c723ddda2d17f9b03d17b607b79f6a69ba4331153c6df2caf62260bf23e46c6cfe32613a8

C:\ProgramData\GIIIIJDH

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\ProgramData\nss3.dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Temp\fi.exe

MD5 1eb1c24f33b5c237d0fe04c68152e9eb
SHA1 fa1c602b3282bbe3ea5c742725e9f97bb2a839e3
SHA256 208b3c6d440df348cf53a377c54af7d23223c90631e13ffec9c32b4ef6622f30
SHA512 745d5d565ae57124e69b9b8f1a3815eaf6578aa5725a2d1f3a8f156850f35c8f7792ba40e89bdab7945f18d35cacf62f0eee0b5dd3955453f9cbe8c46b88db11

C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe

MD5 568d3de870dda8a255763f5c28ebe984
SHA1 adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce
SHA256 a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de
SHA512 bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg

MD5 655d9f0cf81ffe21abba5cf876043e25
SHA1 6b2d8c5f9a422a97330a46de3189a2aff082525a
SHA256 1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43
SHA512 f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384