Analysis Overview
SHA256
a89c93b0aba62403a80bd9c958ac6b101f0d71bfae0da9a39538b2b9f711b93c
Threat Level: Known bad
The file 194d36596016f52a59cc6163a5cc1898.exe was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
RedLine
RedLine payload
RisePro
Glupteba
Stealc
Glupteba payload
SmokeLoader
ZGRat
Amadey
Modifies Windows Firewall
Downloads MZ/PE file
Creates new service(s)
Stops running service(s)
.NET Reactor protector
Themida packer
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Enumerates processes with tasklist
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Checks processor information in registry
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-26 15:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-26 15:41
Reported
2024-01-26 15:43
Platform
win7-20231215-en
Max time kernel
9s
Max time network
153s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
ZGRat
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\stan.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000650001\\stan.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe
"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
"C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe"
C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp
C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 604
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 604
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Users\Admin\AppData\Local\Temp\EA11.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\taskeng.exe
taskeng.exe {39B83679-C223-4096-BC83-BC5C645FEDAB} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\AEA.exe
C:\Users\Admin\AppData\Local\Temp\AEA.exe
C:\Users\Admin\AppData\Local\Temp\AEA.exe
C:\Users\Admin\AppData\Local\Temp\AEA.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\07409a7f-582a-4181-b608-d561902c8b2e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Users\Admin\AppData\Local\Temp\AEA.exe
"C:\Users\Admin\AppData\Local\Temp\AEA.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\DC90.exe
C:\Users\Admin\AppData\Local\Temp\DC90.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"
C:\Users\Admin\AppData\Local\Temp\4FFF.exe
C:\Users\Admin\AppData\Local\Temp\4FFF.exe
C:\Users\Admin\AppData\Local\Temp\onefile_2616_133507574065918000\stub.exe
C:\Users\Admin\AppData\Local\Temp\4FFF.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| NL | 80.79.4.61:18236 | | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| NL | 94.156.67.230:13781 | | tcp |
| NL | 195.20.16.103:20440 | | tcp |
| DE | 144.76.1.85:25894 | | tcp |
| DE | 20.79.30.95:33223 | | tcp |
| DE | 141.95.211.148:46011 | | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | trad-einmyus.com | udp |
| RU | 158.160.118.17:80 | trad-einmyus.com | tcp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | brusuax.com | udp |
| BA | 185.12.79.25:80 | brusuax.com | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| US | 188.114.96.2:443 | api.2ip.ua | tcp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 146.0.41.68:80 | | tcp |
| US | 8.8.8.8:53 | zeph-eu2.nanopool.org | udp |
| US | 8.8.8.8:53 | racingcycle.net | udp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| PT | 194.38.133.167:443 | racingcycle.net | tcp |
| NL | 45.15.156.13:443 | | tcp |
| NL | 45.15.156.13:443 | | tcp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| NL | 51.15.61.114:10943 | zeph-eu2.nanopool.org | tcp |
| US | 8.8.8.8:53 | snnclermontprojects.com | udp |
| AU | 176.97.69.235:443 | snnclermontprojects.com | tcp |
| US | 8.8.8.8:53 | transfer.sh | udp |
| DE | 144.76.136.153:443 | transfer.sh | tcp |
| AT | 5.42.64.33:80 | | tcp |
| US | 8.8.8.8:53 | ftsolutions.com.pk | udp |
| US | 64.31.22.34:80 | ftsolutions.com.pk | tcp |
| US | 8.8.8.8:53 | transfer.adttemp.com.br | udp |
| US | 104.196.109.209:443 | transfer.adttemp.com.br | tcp |
Files
memory/2932-1-0x0000000000ED0000-0x00000000012D8000-memory.dmp
memory/2932-2-0x0000000000ED0000-0x00000000012D8000-memory.dmp
memory/2932-4-0x0000000000570000-0x0000000000571000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 1fc72b024e9c5502c8b1e4e7c9e1f153 |
| SHA1 | 25ec7e190d726ecb233d06d43f71b96755d406f7 |
| SHA256 | 39dd09713cab559e516450617f8ca6ada02fd9baf4e53f20c556f26cbce0f4df |
| SHA512 | dff598fc33d3dc93d2caf88673a50769fc4efe11dabe0eb5810da789d65751ccc0712d4fd9fe311bb2ced772429ca868e9f264d9d04469d630799e5c466f4a4d |
\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fe7d1c028934e80307fba09167c376bc |
| SHA1 | 87f5e1abba596eb21847eb287a6917863f5890db |
| SHA256 | 29dec279cd6d9a5209368c46d989c3bc824a993810713f980dec9aeb8f59ce72 |
| SHA512 | afbe72001409c8b83e51459c3485e715cf5f502d83264a0729a9bf49dac347e09d155f5a50b92091fde1e8b3e7511875c8736276032d12516372f14b77f54b87 |
memory/2932-13-0x0000000000ED0000-0x00000000012D8000-memory.dmp
memory/2188-14-0x0000000000B80000-0x0000000000F88000-memory.dmp
memory/2932-15-0x0000000004B70000-0x0000000004F78000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 5cf302f0d472282eba66c97780873007 |
| SHA1 | 8ffb0debafc5b9b2bd4e5bbcc6e63902bd96a67c |
| SHA256 | ba8f7ae614ded7625cfc5d5dc49ab78fd2e0e9709214891b70775f0338b4f0ca |
| SHA512 | 7a2d4b0939343f4bcda19cbe930960010468269712fe474c6c43966d38f1365d0d473c12b6ac2327f8e7a37c257ca7ca3dbbd2678c006f82daee7499af6fd5ff |
memory/2188-18-0x0000000000B80000-0x0000000000F88000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 86dcf064474fd20f25006f96ab661f01 |
| SHA1 | 69375b55e39c2bab40cc6da7896762a56d631d91 |
| SHA256 | d956fed8f63372009c4e822b60a5dc7ced764194e07426491f0a131243280efc |
| SHA512 | 86886fe62f38d638271e7dbeb277de76e6a0cd8eda5cbfc233649eda3e5a2c481808541c8655cf3ae099d1892aee561e379507768a29da6f6a721bb57f1ff963 |
memory/2188-19-0x0000000000B80000-0x0000000000F88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | ea9bbdb07537c910b4f371cce9eedc00 |
| SHA1 | 88966ddea866ffcf707cc4f66e62af2ee5d2c51b |
| SHA256 | aeb79e24508eac6edc0d47d7fe6101f6ff524205c13e8614151d286c1021e8e9 |
| SHA512 | d0bccac5565e5573fb4ff6f564c1cecde970b0a17c8c756128f47b3571385e6795903e931682089d33943bc93efd6f216b05ef61f85f340be63335589cf603bf |
C:\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
| MD5 | e269fcd91d171f9be2a9d6da88b78478 |
| SHA1 | d161f5449071b121bcff64ad936f4cf0a9f79296 |
| SHA256 | 92b3703629645e41b106393954f930a0431c82d3975a6eb9c1b158bc99826387 |
| SHA512 | 45e635d9d809554c1cdd33d4f3af7828cb7ade461ba0f2a7f24b6dc1671e3074ea986c9e6b9530cba7494aa5b61713d28f4453e6b356fb7808e482d34db42181 |
\Users\Admin\AppData\Local\Temp\1000650001\stan.exe
| MD5 | 49e1ba45dbfa0bb247ce9bf85fc30d79 |
| SHA1 | 5c68ec8fdea0d71dc867e51883442a62d84c0bc6 |
| SHA256 | ec6f360a390067b164d8ad958ddcb90df7d6bf4851c0ac7900590782ae81a8ef |
| SHA512 | b1ca4c7f1a9622660460c04342ac7a0327cb259717cecdf2f8d7f5212b0279beae4737537c7ed6007edcd3fdc35bfb0b87c8f7cd36db2422fcdea81b0bffa8da |
memory/2188-35-0x00000000048E0000-0x0000000004DC0000-memory.dmp
memory/2880-36-0x0000000000330000-0x0000000000810000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
memory/2580-53-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2580-54-0x00000000046C0000-0x0000000004700000-memory.dmp
memory/2580-55-0x0000000001F70000-0x0000000001FB2000-memory.dmp
memory/2580-56-0x00000000046C0000-0x0000000004700000-memory.dmp
memory/2580-57-0x0000000004700000-0x000000000473E000-memory.dmp
memory/2580-58-0x00000000046C0000-0x0000000004700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
| MD5 | 7a8326661fcd62926073a0954ccd62c8 |
| SHA1 | b1a2146d22e58541bebf33aa1e61aebb756c6c27 |
| SHA256 | 4c76636fcb0aadf6830a43a80ec922566a30e164485f67e8ac97f066e1adc573 |
| SHA512 | d9aa9c04cb9b5e46a85436504a1ef6bfdc98ef92912f1f534678e05543a3dbb6b0be22cbb53f239d1ab20a441705b273a80e3c6e55a8519a0c8c1de59ecf8300 |
\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
| MD5 | 7c2b2783af1a8c7f77f4bc4e76d8b71e |
| SHA1 | 1bc2ffa3e793ef7ae36c70d7674d3c9b24602853 |
| SHA256 | 99243c526dd8becd54960d9b6cac909826ba99ebd5c034a6cf2cef3512cc8da4 |
| SHA512 | db4eb9082e25922e36c46e928a53182c7ec8a5980abe7f6b5cbe85cedc5311b9501b019c0331db0e5fb8ae0506f0c4b5c90101e0ed15e1538d5e3b355aac122e |
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
| MD5 | 4069cda7d2b8d301cee4d16234f0144c |
| SHA1 | 4347e24d01e42462a2677041a53bc60e5eb54a98 |
| SHA256 | 374d9c36f7925644e9da7ae43b59d670e645952f42c166f52604679a920740d2 |
| SHA512 | 30df5bdf6ff3d5448d654566ac9924e6805c944c593c22c7d0fe6faf288c16935d3697067783418d6899121216db87687451cd0aacd2a1601877a40ff19ef971 |
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
| MD5 | aac0996f94a00f3e777469af73b91700 |
| SHA1 | 14721d0f2af49148563541fc4928b16684c409ed |
| SHA256 | b1851c4ea2a8d3b341f780b88d0a928a8fc4dbe7e677c88637663d5c2c49eefb |
| SHA512 | 78a4f054d2afb90858d44da50edb0030835929807abc5e111ccb2e5c5f92c9142e284625a8eb98fc2cd1ce0b1b487a708c9d18dcd1fe63d262f2a1ffb7f33609 |
memory/2188-74-0x0000000000B80000-0x0000000000F88000-memory.dmp
memory/1476-75-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/1476-76-0x00000000009F0000-0x0000000001338000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 18b0c4846dc1495c22788fbb9daa72ae |
| SHA1 | fe4c57e670c30cdd1f51674a83bcf786e19faf36 |
| SHA256 | 5cf72a2004a29fc0d0b4e782a7463cefe00851569f55a2efa9f5418a2accf411 |
| SHA512 | 460c66615f86fc6dc7d58c38590b21eb8065896fa5bc788933278ce7929f59dde0ae58b5b934f09bcf6d862f12b1510aaea28bb81a7e072b25eb47f537c8cfc1 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | 6f1345dc62e46658b6ab8005546d9a8a |
| SHA1 | 4fd3f14f8c955548cf971507ac0899dbeb873b29 |
| SHA256 | 6d607b4ed0777747f9592558bbeb51719bb8b135c7959a22868ca0d35c2e4d09 |
| SHA512 | b0205731919d7977c45797511fe5ce7175c7fee00b680023e9c0bbea35f08edbf9ff8131cf574ff21b01d5433a77be9dae2d513ebbec30128f849df742e95dca |
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
| MD5 | f497061270032f19d17db5c21364cbe0 |
| SHA1 | 46f563ed84d591dc33fecfbcb5d34483e158a6ca |
| SHA256 | c92e3785d9bbdfcc58e58f73f8617be52ed81fccca79bbbf08eec3d74a17299d |
| SHA512 | 7ddbd49bcf4c6410eca6fd1a1756dd0f137c2e68cd7f3a0c79943381948a03fb1ee3ea7e079cd4ef1dd56647b10f1b9fcefaffb60899e04a4eafde619a652e12 |
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
| MD5 | 2c470494b6dc68b2346e42542d80a0fd |
| SHA1 | 87ce1483571bf04d67be4c8cb12fb7dfef4ba299 |
| SHA256 | 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9 |
| SHA512 | c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5 |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4fe7bef521345515a1a3e94fa4a25c3a |
| SHA1 | 081fe1bedaabd9586b4c3af635814de71d41467d |
| SHA256 | c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4 |
| SHA512 | 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | e8917b00e7dc77ff5c9d43ae09dd36cc |
| SHA1 | bd9188cb1abdb577e32e60083cd11b5702a65ebc |
| SHA256 | b0d91c00eb83ed56f2446a7256a8061f6e4e3dd6c1b267fcd52c87dfca0e9bb6 |
| SHA512 | c9baaf6483e5c31b4d74002727ed7cef71b5ceaafe1ee7f172d1cf0f13e767ecdf2cab37e7c1d273814c3804746eaacbb69c4e4f5cb4dcf6d25300af49c423ca |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | d058a9af26e79a6bc9205aa16be1d5a0 |
| SHA1 | 4699767799b706280f342a30ffe7b129dcc70fd5 |
| SHA256 | bf0e66a4428765a24002ebf6d8c72b25d7fe7d247acc44d57122327d4f22130c |
| SHA512 | 5166507f083c75fe1480f232c08bfadde640109a09a3ca4c6b8174abcf61c8aa5c662cc902851e15a514b0d8812dd62b64525f8467eb090f74a21be7203340f4 |
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
| MD5 | c52af49982bb0789f421313bcb75fee0 |
| SHA1 | 644d60ba07988a4f34f0f5b38b43113eee7772c1 |
| SHA256 | 18ed9a7375b92c3b4c857ff0061109e4b36f46579abdc8a264e3f540ff97010f |
| SHA512 | 6060a82b0427ef345c39f3be1f22b3b0bf655ec1c6a48e8b54bf0e2dec996644b2b853abed2aaf234e29ad51cd33fff7a091f68d2c04728c297b2a6c00289eab |
memory/2188-121-0x0000000000B80000-0x0000000000F88000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd60D6.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/2188-123-0x00000000048E0000-0x0000000004DC0000-memory.dmp
memory/1752-124-0x0000000000230000-0x0000000000330000-memory.dmp
memory/1752-125-0x00000000003A0000-0x00000000003AB000-memory.dmp
memory/2816-126-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2816-122-0x00000000009B0000-0x0000000000A02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 443cf179a6164e5aefd3fbbea9709c80 |
| SHA1 | dc022536f35683e7e087b2c4087b40ecbf87df19 |
| SHA256 | d8803f7fd7f5f465b372ca39e091510c2e46111837192574ddb701d78b8f611c |
| SHA512 | 66030341151dc1a66dce0e9b0d6c4ed2c2954ea55c61d952027bb3c6bee4a17f21686812d8eb0ee034488d9ef368ffc54bc6b773df8131b5d846690828af1c30 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 099c0f986bad25faf4cbcb6b7e161f34 |
| SHA1 | 8b48390aa412a36ff0aa8b74ad27b6a5e2454380 |
| SHA256 | e533a5b78f8a0185bfc1c76ffdee008a76ca5649ac57d85f6ab343515e9be1e4 |
| SHA512 | 41285652eb3e5cf8f7562473fa55a6af0bd9bade64f939deea64d2b0da517b17a353fcc472219f75124da23ba065841f22e69d23047888b3048e7c78b734c565 |
memory/2188-137-0x0000000000B80000-0x0000000000F88000-memory.dmp
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 1c385cf14c01cd3a17f8d570aefdcad5 |
| SHA1 | f9055ac245ae434dad1b43832a54f74bc5a8c101 |
| SHA256 | 907ac2bf3005f13a1c4068184221beecf3237db7952138ccc3808dec1fb24f4f |
| SHA512 | e4da12b598fba7fc39f30dfbb3384519d6abb0f998c07c6a90aa6e854902c28eb9897e3a11b6c4721befe16b25f72e483e1d78f213b5d03d06c2463e9673f2fc |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 704ea6029bc145481783af2a4dff02f1 |
| SHA1 | aaed860dd55c74fae8d11e2663240a32429b7bf4 |
| SHA256 | 9526af5ed228075da74a32f801df5ea04966410c589d4892c185dc0a7c2d2ea6 |
| SHA512 | 0b67198bd1bcbb748898604b4b2a0a724f6852a5e6f00da19c072e386367fa5123c0ed0af49d629abcf55b2315d70972b0ac53feccc47488971fec05303a2b0f |
\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 2a48ff85aabccc1b7af4e64801f85d70 |
| SHA1 | 2d3bd23f52e59306888197dcd68c45f270c0b455 |
| SHA256 | eb9a8679b8f1efa6f705dfbd60c739aeb06f0bd6773756f551ad6b2b93ca3000 |
| SHA512 | b6c25e8a876570cdfb1d75fd9c1b65995c1911611a912c47926ce41333d1031c201a74315ef65a4ec87b26a14a1f5f9263adb07293336b8c0ba513a783ea3643 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 9c98d287b85fd3f6c0d3da750e84b894 |
| SHA1 | 3e54df60668ff6216ab3a4b51a91c376371b05e0 |
| SHA256 | ddf6fe5fde91c2133ead2e81d90ac4460f68c2b421c76e10e1a0f57c22a9ab2d |
| SHA512 | af5deaec948b31f7f47cfe2d70bb5d6be01f9ff07cf0277d1be81d30d86df2ea8ad9effe2ddf8dfad1eb49aaf3a215b2679e00975138c8d44e8c81fbf2b2f5c9 |
memory/2880-127-0x0000000000330000-0x0000000000810000-memory.dmp
memory/1752-143-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2580-144-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2816-138-0x0000000000580000-0x00000000005C0000-memory.dmp
memory/944-145-0x000000013FA30000-0x000000013FA86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | dee63473a06ba61e8c176166609f3dbc |
| SHA1 | 40d399b25974e5d969a1f97604b35e93e19b82d3 |
| SHA256 | 10f299d0ae3f143ffa249eb9850cf0cb50643a691c60d80d0c82c2f3cb3fca6b |
| SHA512 | 416ca33de603b33e0ae49e292d06747e1e9fc1d8af9f1f750d8171495e6a4d6cde743b9ef6b8f79be4c171a63e3a6a932b1b6882d6e011092342fd060969774c |
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 247b4f319d00bf7e1c3dc76616df031e |
| SHA1 | 001eacb1f709aa4c632810d159921559d424a0c4 |
| SHA256 | 8407766007129be61de4e13cf98ae45c3f8adb3e2537a16249a7e32cd3f33e77 |
| SHA512 | ee8542712fe73665171a1affdb9bc1e8b2fcfadb1dcd4754f84ae6d2792f5354354afe3e71a95c561b448c1c792dedc2c4dedd59b027f3605392fbe0518bf919 |
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 2f107b5aadce0240cc675777e7123635 |
| SHA1 | 77e7c7092b9f4e7b3bc066d3f14093ed7b31050c |
| SHA256 | 043cea94c31c06612c799d19bee5314a4a660300015cbdc652b03b297987b60d |
| SHA512 | f8da0105a65140ef77cbc850c76e8abdeeb36d5b0ed2d3a7ce2683d9eed5a08dae7018f08e457508f53111fe301f76b0113441bf8ace2c3d71e310f87ececb6f |
memory/1476-168-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2480-167-0x0000000000FD0000-0x00000000013C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | b4afbb483de02f4443da834cb38fe78f |
| SHA1 | a1427c5cd4d0a32de2eb926ae59d096b74b38499 |
| SHA256 | 6916edc11f74643a9f67df6444ac78a2381265e20da73b167caf933060c7d382 |
| SHA512 | a0ba6a196dd93b16fcb06b319a59db31d4a767a8b22448e5db88358e8f2821a512ccab81b8e111900809a5d17e2bed066c85e90e2492cd878a7a2869d7c72eac |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 592720d5a214a71a133385120fcdbc26 |
| SHA1 | 164f60b37ffd9d61613904877d475973409677de |
| SHA256 | 9cd590f8d9afa9ec830c099c79a8e4589b40db84b24cc87a61d55cf5ba7f4ffd |
| SHA512 | ca13b5fcd96370efd15e834ad2100dd33b0bdd9b00ad7f6d6825ee4526b554a502fc24108460478625a606c7861a3edb51b39c2f8194c63c8037c1b533c69978 |
\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | f46d1cf6198904d3fa120df4b1ea311e |
| SHA1 | c63c5ea45d01128bab06182f1917dc8edd2bf24a |
| SHA256 | 0781e3bb3d535e7b125c7e3ddcd9f569db9635dd5c0d8a125b6813804ea5e8a7 |
| SHA512 | 650adc1cf091054cda620b3082e71e2ca496f802aee120fc58be7be7f65bbff4563e35cd734372f5cc478feb04852093b492a9e656602d58f9e9cd6528672c81 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | a1c5973174eac846a9c80f3fe66450da |
| SHA1 | aa181d9e11f10f3427763dd4f94a5713295b8d4b |
| SHA256 | 8ac5e98cca62faa396d3189fd13a95104c19deb0afdff2370fb559c2805fb2e6 |
| SHA512 | 2c5ce9fdcac9ae1d7fb77f12b4fb6c9e4fe4dfa88c566d6712fa8b7af922d7328e096d7aae4068bd4f47518ddcdc14ac80ee826492dffebabdd4fc98a7ac5dc3 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | fa0e48fc537abc54c91e44f3bf486f43 |
| SHA1 | 1daffa43118ec92e9217f99e0feda6af6794d1a3 |
| SHA256 | f86633c86d827c826ac30b920e179720356d18ea86841250ca7ef005eb94e333 |
| SHA512 | dc8e1c320ab3bfc96c0a78aacb00a33e780d1f09d71bcf6cc4c1e0d8e394cc83ed8d35853e3e5ee9afb281430c2297fc0372ea77e67cb4d477bcc8aaecda4e07 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 2825b0f9684d5993736f4c93fa68b8bc |
| SHA1 | 3e43cf5bc8f20f1f32e00e82c7449383a01e2aed |
| SHA256 | 02e31aef9630a3942b5f619ee2ced1a8b7ab31c54598000ed033988c808563b6 |
| SHA512 | b1f785997ca5308f41d3b9153ab813ec79bec5878caa337adc993b4f79c77bf6e5143daf6df6dd01572f115e0487cbe397c4b5020311355a198e9448afca4293 |
\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | bfa865777650c9d233387ddcc968f5b1 |
| SHA1 | 7468370cab2f49612af95b63ed8cb0a88e410f40 |
| SHA256 | 55c85bb3741fad4ebb25f9d6006e566f43c5ba29c75c6ed0fd74662f16674c99 |
| SHA512 | e36dd191d4c29d6d7cfc0442bd58f02ec8226656e7cebb79ce6a4801ee23f81163ddc9050d13c7b48d8c76c3d8bbff546ee3e8e76fcb8e842d3bb08b3490d684 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | 44d2729c1e33025f0bc5b12c644b8d3b |
| SHA1 | e61c8c26b706c0b5f9b1a4d23f802d20fba168b9 |
| SHA256 | 2be347a0ed5a8f71a5aeb34243b8c95e7eb5d6ace9feabbe784b911623f6ba95 |
| SHA512 | 7666807152cde994477081a7623a329ef1bcc2b6068fadc08a3f777b0d37985c8ad1fa499540a508f62651c9093c28f2bc56cc2b70215106b48a7e0bc842558d |
memory/2996-173-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/2580-182-0x00000000046C0000-0x0000000004700000-memory.dmp
memory/2480-188-0x0000000000FD0000-0x00000000013C8000-memory.dmp
memory/2880-200-0x0000000000330000-0x0000000000810000-memory.dmp
memory/2480-202-0x0000000002960000-0x000000000324B000-memory.dmp
memory/2080-203-0x00000000002F0000-0x0000000000377000-memory.dmp
\Users\Admin\AppData\Local\Temp\nst6E01.tmp
| MD5 | 3319137a786fa4ca341c0198c37717e0 |
| SHA1 | 413ecc6781b11d39e26f3681d4102e5a49011cec |
| SHA256 | 96e293c1cba699fb64559aadf11b00dc84f11f677fe32153cb4a659788a5d88c |
| SHA512 | 162a2b01de935f79b586cc76dbf756b08d76681873d7301bb7c4d1b000e9d0d47e2b1fa855fb9017f2bf28b71b33531c916abbfd7e078ce4774bdc62d84ac8f4 |
C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp
| MD5 | 7f082ecbe630a82618ec53db3b3d8bd8 |
| SHA1 | 3e808773d92addecc7e274b3236a0f1091b2ab77 |
| SHA256 | 987db118fd3797fadeb0b17e39857262bc05145f3ce1a186d29af885fa67a8a2 |
| SHA512 | 5ba2e2feb0535d0f56446617b888e49c463296f599ef9b720cc2be450193b626a294b7b4a49c99b498f930ca1f925a2e2f055aab53841b72444f3eae3a9704ef |
memory/2480-204-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nst6E01.tmp
| MD5 | bf381654a9e776ba87a0ed614d42f4df |
| SHA1 | 6d4ae60de53b4b0aa326906553a3f43e863af18d |
| SHA256 | b3471bc531afa59eb34d278e4666108f7f7f60dddfaa26d37aeab88c769333d3 |
| SHA512 | 5e0e7d62d16eedf4fbb6d04b867abdf0b080168b8dec424b67c52b03262fe2af2c711150294561f29b02a0227d8c7a20d7f79ac262e6bf4469cfe68e552e595a |
\Users\Admin\AppData\Local\Temp\nst6E01.tmp
| MD5 | d8e7281c5aed633be3f0d4994b9a2ad2 |
| SHA1 | 8dd89930eae68db645b0241686bb170a1d2c6ee5 |
| SHA256 | 12181f82cb3af7f8d06e1b5c9797669569cefadf4b5e8f39c1e6b058abe834ba |
| SHA512 | 5cccd6ebfce7ef1f586d1375e8f79d7748c545f63cc57d139b1df42d383980f3a761a8afc0773362d36755b45137b9324b77968805815b2f32f03ae61231ca33 |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | b997a60a8f9ff398425ef90879c1bd85 |
| SHA1 | 08190d3f9e38470498e8cdfbdf9152364b40ae90 |
| SHA256 | 412da46b6875c1fe96653aa415c3358e7c1643e6f011282390ed3e9b3c3fa067 |
| SHA512 | c23d6e2121cbd7b99e62b55f9600e7113bde0e2edd76a1cd4118e9134424564832db5224c6994600683c3a7570d51c5d9e769e826c986ab73b454a1d65616811 |
memory/2580-217-0x00000000046C0000-0x0000000004700000-memory.dmp
memory/2100-232-0x0000000000220000-0x000000000023C000-memory.dmp
memory/2200-245-0x00000000010A0000-0x000000000110C000-memory.dmp
memory/1244-247-0x0000000002960000-0x0000000002976000-memory.dmp
memory/1752-260-0x00000000003A0000-0x00000000003AB000-memory.dmp
memory/1752-257-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 5a6358bb95f251ab50b99305958a4c98 |
| SHA1 | c7efa3847114e6fa410c5b2d3056c052a69cda01 |
| SHA256 | 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5 |
| SHA512 | 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0 |
memory/2100-265-0x0000000000400000-0x0000000002B17000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | c92ab6e6788af797bcd8cd95102238c5 |
| SHA1 | 049ac77cb84327a1529e4265aa39573dff9277e7 |
| SHA256 | 9057d67f2a67f4a4ba906fc641f73ec46321d2a8de370c8d60833c5340a729ca |
| SHA512 | 2fad09051c6b48e3c54beeb781b5940b5020cd46785798e44416f4067ce743a5f51ffacf0cf3bbc7feec7161db8353b19c30d1d8a661d6cc3db145e7e28bed52 |
memory/2200-272-0x00000000744F0000-0x0000000074BDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 708b707d8b9127c4589cf90422dd6ae9 |
| SHA1 | 1cb9e3ce2d17d2fc66ec98af3c458a1d8f767a86 |
| SHA256 | d84c25ad2ace1777d065d890f090dadbefc354483da66b4110187767fea73163 |
| SHA512 | 4fe58adbc42558d3a77d863ec0fc6ca0114c49bc32598d637262da9996dbe29954e766c725b8b2b0a2b6a1619fdd15ba43d49ba5aa937e5042f0387937cd265c |
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | 6d4d5f1fb740bffbc12d686ae4796a20 |
| SHA1 | 44e74e85f17d4308a550353d7cfa8c4144dcfb71 |
| SHA256 | 0ff18587844a40f3b264da11fb928ac7b21fec5ae422130af9225e746f4939b3 |
| SHA512 | e2c133e3fd0110a1366731f3c86c3cfae8b31da454345d30b0307d768d34af3b500720549371de2c56b532e1b5e00c7618c94af9a1710351b9e8d8b48b0f267d |
memory/2376-273-0x0000000001390000-0x00000000013E4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 9eb1dfa1454ae0f0e3754542d2465fe0 |
| SHA1 | 556a031afc56314bb02c6cd73193981996f7d1b9 |
| SHA256 | 1ae07d4ddb70ff0da0d3c1e110df4bea72ec1816749e0b00b26570f38a0f76c7 |
| SHA512 | f5c2bea81e186346d310e1dbbdc43f2f99976aaf274a15a4bb09bcbef0114478140110ff38fd1dd661f935d4365c0f28fc307b19a0d1269a718538648d7b42a5 |
memory/2744-284-0x00000000022F0000-0x00000000042F0000-memory.dmp
memory/2200-285-0x0000000000EF0000-0x0000000000F30000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | 39b9c7f4ba1665e3f2985b053412720d |
| SHA1 | 834a33bedeccfcdf426f946ce56a310da6830a7b |
| SHA256 | ef975fb733331dd879a76edae0d606edd48a87d2236d0ac6a7c9a7c967fe49b1 |
| SHA512 | 794051afa88eaf53bef6ba3ff11310d2d97050f31b006356f5c28dc86986a4ffa59d7064b32c239af4506f0842a1a025ef4eb017ec19d0c928afe64473059fad |
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | 07b92c740a313d86d75367932e30e758 |
| SHA1 | 620f0ca0fbcce2b3b42e486aa1bb15c80015b3ea |
| SHA256 | 9143f8697cc2fc54ec98ceb44c62012c8afb84721165858790ec9f3f2978b1dc |
| SHA512 | 8d1a9af6e70421ccd3a5d9a3644493020e630b6023c439afd427f0a6fc589b2b4b89de1adb6defbd1d014155ed07f4c15018e29cbea48b4501309f5f31d73b68 |
memory/2376-290-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2636-292-0x0000000000400000-0x0000000000452000-memory.dmp
memory/848-296-0x00000000012A0000-0x00000000012A8000-memory.dmp
memory/2248-299-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2636-301-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2636-312-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2248-315-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2996-314-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/2200-311-0x0000000002510000-0x0000000004510000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | a4d246963dedc608be011ba1c5e9bf41 |
| SHA1 | 58b7f94bdc1befaa3f46445720a477f12b42ff52 |
| SHA256 | fca8bc09de434f89ae4cf6c8dd49ac96c1636acc5c25307c3903017c119e2d7c |
| SHA512 | 6eecb31e6b53d628be34e76149cfac67a8c6fedd89ce1767a348e33b45ac479007c959851453c30e7d55ecec93b3c177eeac0698f3e7529d66676e43de7f92f7 |
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | bc4c0dbc7f4ca3a6e6724f979a772ea0 |
| SHA1 | b4abb9fdb370bfebaba0e59671198264fc1ffadc |
| SHA256 | 3589a1ef64aecb7f4efc9243171d29b385c26e53b29792bd35e0ce9e2d0ea73e |
| SHA512 | d2a69c52a0a3eb1ed6f36b91f4c286d61bd3499cc89ec4fe85aa741629d2b7e0254f05a94bf232703f55f427551c5d30377a2d95624a18712b16031f72da9250 |
C:\Users\Admin\AppData\Local\Temp\Cab8D44.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
memory/2672-349-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2636-351-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2672-355-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2672-356-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2672-354-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2200-353-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2744-352-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2636-348-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2672-357-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2636-324-0x0000000000400000-0x0000000000452000-memory.dmp
memory/2672-359-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2248-310-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | 63223b9703dba7cf83bac754d8bc671a |
| SHA1 | 24b48882e27b8f48bd2a1d79a9f6470c1d6c31ee |
| SHA256 | e22bf7042b6a1276fe5c0d7cf7c59dcec369541b27dfcd89a1258fb10109cc3d |
| SHA512 | 3c1923a14c6a31fcf542ebdd05da5c873686c2f0493baafffcc842772ff9e2f0c6778119b3e5d14afa826429e3f1b9443c12a399a2af66879e86322a4aa9e94f |
memory/2672-362-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 18940054a281e1f658b5afb28995555c |
| SHA1 | adc58b783c7703a54e9c0348fc0e8d6b3687f6cd |
| SHA256 | b16645d95c05ef38d9c57e60dc5fbf6d375e9467210858c2fe09b8fe97b0da52 |
| SHA512 | df68d9939e45ea851bb2ad9a44f9b5a7772b2fadc0dac0b9c98501747efb5ed097a438e5432d4b68c21cd5c9931e01b07df49252f5a812eade320e469108fcd8 |
memory/2672-364-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2248-300-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2636-298-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1784-295-0x0000000000B30000-0x0000000000BB2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | b2f3f214e959043b7a6b623b82c95946 |
| SHA1 | 4924ee55c541809f9ba20fd508f2dd98168ffdc7 |
| SHA256 | 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29 |
| SHA512 | c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67 |
memory/2248-293-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2248-291-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1784-374-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2580-246-0x00000000744F0000-0x0000000074BDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | 20dce95390f66ce99b42a429e70391ab |
| SHA1 | c276bd355b5256e233dce5c07c07ec208853aa30 |
| SHA256 | c69200b76ccc4d73e5532426fff7c8f51fcee893cbd7de9dd326db693425f470 |
| SHA512 | ed06fb7f3b1b987ee2e6d541f9be422228791a342ebffb6c672668cc90ff07f53c6109a0a85694d6d53d47372a430d959da4d66dda3c46f08a417955608ba9ab |
memory/2744-239-0x0000000000270000-0x00000000002C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | 927fa2810d057f5b7740f9fd3d0af3c9 |
| SHA1 | b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8 |
| SHA256 | 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9 |
| SHA512 | 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8 |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
C:\Users\Admin\AppData\Local\Temp\Tar983F.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/2100-226-0x0000000002C80000-0x0000000002D80000-memory.dmp
memory/2100-437-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1720-442-0x00000000049D0000-0x0000000004A76000-memory.dmp
memory/1720-445-0x0000000004920000-0x00000000049C6000-memory.dmp
memory/2248-443-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2248-454-0x0000000000400000-0x000000000045A000-memory.dmp
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
memory/1720-469-0x0000000004920000-0x00000000049BF000-memory.dmp
memory/1720-479-0x0000000004920000-0x00000000049BF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
| MD5 | 11109385eaeaf4734af0c8860a1f69f9 |
| SHA1 | 1f22017efe44086768924574dc59263551233afb |
| SHA256 | b9bb1fc8be1237292bac9a69b37f9edd01f975be99845d4c615575af261227fc |
| SHA512 | 4f996ec71d439038a238cce7813e0bf6940f46365e74cc398538eed9ba0676a4d7d4fdf2314aceb59ddb1d6eb0fb31eab1ae36e03c36c15f54f11373f9580db3 |
memory/1720-481-0x0000000004920000-0x00000000049BF000-memory.dmp
memory/1720-483-0x0000000004920000-0x00000000049BF000-memory.dmp
memory/2016-488-0x0000000004D10000-0x0000000004EBC000-memory.dmp
memory/2016-491-0x0000000004EC0000-0x000000000506C000-memory.dmp
memory/848-582-0x000007FEF5D00000-0x000007FEF66EC000-memory.dmp
memory/2016-588-0x00000000744F0000-0x0000000074BDE000-memory.dmp
memory/2016-593-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/2016-595-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/2016-598-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/2016-599-0x00000000008B0000-0x00000000008F0000-memory.dmp
memory/2188-600-0x0000000004A00000-0x000000000543D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\EA11.exe
| MD5 | 051acd118e84612a34e8ef3ecc44a4a4 |
| SHA1 | ba50cc48379f01d9c737e4f4df60e8907374e0d9 |
| SHA256 | 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422 |
| SHA512 | fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\AEA.exe
| MD5 | 0a3303d13df2f74ca52000b263bdd8a1 |
| SHA1 | a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20 |
| SHA256 | 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517 |
| SHA512 | 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
| MD5 | ff59d999beb970447667695ce3273f75 |
| SHA1 | 316fa09f467ba90ac34a054daf2e92e6e2854ff8 |
| SHA256 | 065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2 |
| SHA512 | d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | 568d3de870dda8a255763f5c28ebe984 |
| SHA1 | adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce |
| SHA256 | a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de |
| SHA512 | bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-26 15:41
Reported
2024-01-26 15:43
Platform
win10v2004-20231215-en
Max time kernel
19s
Max time network
166s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Stealc
ZGRat
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4068 set thread context of 4180 | N/A | C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe | C:\Windows\System32\Conhost.exe |
| PID 3208 set thread context of 4140 | N/A | C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Launches sc.exe
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\sc.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\system32\sc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe
"C:\Users\Admin\AppData\Local\Temp\194d36596016f52a59cc6163a5cc1898.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000651001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe
"C:\Users\Admin\AppData\Local\Temp\1000654001\latestrocki.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4624 -ip 4624
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
"C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 372
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 388
C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
"C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 392
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 728
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
"C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4624 -ip 4624
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 680
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4624 -ip 4624
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 832
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 764
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4624 -ip 4624
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 828
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1932 -ip 1932
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 2360
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4360 -ip 4360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 1060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 468
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 764
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4624 -ip 4624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 616
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 828
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "WSNKISKT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "WSNKISKT"
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4624 -ip 4624
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1504 -ip 1504
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1504 -s 1196
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 336
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 692
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 732
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 756
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5632 -ip 5632
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5632 -s 740
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\9A09.exe
C:\Users\Admin\AppData\Local\Temp\9A09.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 6004 -ip 6004
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6004 -s 240
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Users\Admin\AppData\Local\Temp\AF76.exe
C:\Users\Admin\AppData\Local\Temp\AF76.exe
C:\Users\Admin\AppData\Local\Temp\AF76.exe
C:\Users\Admin\AppData\Local\Temp\AF76.exe
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\4644e54c-433c-4ebe-8aba-621b53014f47" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Users\Admin\AppData\Local\Temp\AF76.exe
"C:\Users\Admin\AppData\Local\Temp\AF76.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\D203.exe
C:\Users\Admin\AppData\Local\Temp\D203.exe
C:\Users\Admin\AppData\Local\Temp\AF76.exe
"C:\Users\Admin\AppData\Local\Temp\AF76.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4060 -ip 4060
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 568
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\DCB2.exe
C:\Users\Admin\AppData\Local\Temp\DCB2.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 664
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 756
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 884
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 912
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 876
C:\Users\Admin\AppData\Local\Temp\fi.exe
"C:\Users\Admin\AppData\Local\Temp\fi.exe"
C:\Users\Admin\AppData\Local\Temp\3A63.exe
C:\Users\Admin\AppData\Local\Temp\3A63.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4024 -ip 4024
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4024 -ip 4024
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 936
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4024 -ip 4024
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 1060
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe"
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\7D3A.exe
C:\Users\Admin\AppData\Local\Temp\7D3A.exe
C:\Users\Admin\AppData\Local\Temp\onefile_440_133507574180011169\stub.exe
C:\Users\Admin\AppData\Local\Temp\7D3A.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\explorer.exe
explorer.exe
Network
Files
| SHA512 | 4bc06bb950b9f1fcbd1d87a427238fe1b917c4b57c06ce9408ee371f753d4aef3584cc0128b8ac352fe623c6d0a0224d347cc8cec22afdffdab186c3aedea7bd |
C:\Users\Admin\AppData\Local\Temp\1000655001\2024.exe
| MD5 | 5d89d5b7a3e25404bba18cbdbec78e62 |
| SHA1 | f86a47fa54ca0f7ffcb03f620201f5c7d68e429c |
| SHA256 | 416792c60e5f46f5d6e29892556b0003bb33f8c3e30f1254b00c713521e76916 |
| SHA512 | ad5347c4ac92e8eb719da7e3351431525cea1c9c5fdd2de3d85c9e72b856d853af9a48855cdf48a88172a69aa78fec284414f78c3b934f4220b72d7a4772666a |
C:\Users\Admin\AppData\Local\Temp\nsr97CC.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/3076-117-0x0000000000490000-0x000000000049B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 4fe7bef521345515a1a3e94fa4a25c3a |
| SHA1 | 081fe1bedaabd9586b4c3af635814de71d41467d |
| SHA256 | c12d839dbfee42f8e45ef72d839e5723cf39db75688cd566ffbcbe8d239b57e4 |
| SHA512 | 3f4f06de530ba8d7832e6712aae3a4d3427adb7138feff4b23b0ea9b7ad0427c32f0e915bee9baba05c20b82cfc961778f765a4db473925ba17e6a9dfe7ca5ec |
memory/2732-133-0x00000000008C0000-0x0000000000912000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 7b71fbd072514dec46d0679a8e17f80b |
| SHA1 | b71b87db7d2d32f79c31871296a7eade8932eb75 |
| SHA256 | cce05be2cbdc5e963fc88871ab44e1f13363fa555836aef3af3ad042a67861eb |
| SHA512 | d51f7ddabfdbbe401d07d3a5ae59417537285f25121b92d88c0e2aab2b67c3d3ae01642a6a183fdd084636516025aca5d12d083e972ebc8ce51942a3a5ec8917 |
memory/2732-135-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/3484-134-0x00000000068C0000-0x0000000006910000-memory.dmp
memory/2732-142-0x0000000005390000-0x000000000539A000-memory.dmp
memory/4856-145-0x00000000025A0000-0x00000000025A1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 7b3e1ac799bd8d7115cc6be790987970 |
| SHA1 | 666b15ad96cd6d52f1e230136e86c61bc7748a91 |
| SHA256 | b5797522d0206cd9e466a01c9aef49130571146cfe1cf92d226b50236bf2eeea |
| SHA512 | 980296055714ee87bf3704dd424b82d75b997d47c11f74c14eaeb14bca16d4dee3bd78eb7d674520725646af65a8a3aa4b0a4f6a76276070eb9a453bebf8ab85 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | b8a6b464e4cf53a6183e9d3417e070db |
| SHA1 | a070842d82369d74f15ecbe71c4acea3224fce86 |
| SHA256 | 6b8f2c54e623bc1243d3465aad8029287536b09009bc0e1f8c22841f66defcb2 |
| SHA512 | fe6a748eed3c20a7985950fe4108c88bc71ec7ab0794b14d0c965f6b92205b1637cc119f50a883d7bdd0617b650057783d835cf9c9c4485a51baefb840080b51 |
memory/3484-155-0x0000000006650000-0x0000000006812000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | c4b225c3ed059a4643203535663ee57d |
| SHA1 | 30d77a094999b080ca82159973ce84ed08ab1e6a |
| SHA256 | 2c9a50630a5c2c81a4b2dd56401166db6fef08f1430bce4c4a3b93601036004a |
| SHA512 | 4bc096d75709140e888d9947cbc908b07372d2c957dd1c0df252230e4fde3a9c70f4c90d234c8bf8c3c20cd0f9d005f25a9253ffcbe1d2ae0b2c06fd7adebba0 |
C:\Users\Admin\AppData\Local\Temp\FirstZ.exe
| MD5 | b7a0b291921bb7a95fcc215f82ed8acd |
| SHA1 | e04e0705426c1c35115ab00210f590c6295566d7 |
| SHA256 | 157ba58474f4c550ef9fa443d479f431e952ca56d71f3d0e23f479d3fbeae481 |
| SHA512 | 5296d4f4f77a1c4c7efd947769d85963aa8d1c50c4c6dcb062ab93aba9716094457582f82d819020d0e9c274bac21256a90918afbf98ed7ae66e55050a3131c3 |
memory/1152-148-0x00000000006B0000-0x0000000000AB8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 7442ea138b340ef84f5e32622b30fcaa |
| SHA1 | addc76b28a23a56798b762bb8e5a9f0cd21f757b |
| SHA256 | 24f1265f0cfc4af9497e4f66182bb72af5d5bccd4c1c9cad57ed07f6ea1a6145 |
| SHA512 | 5e1b4c394dfc8eb032fa8ced80c56a15d39886a513b1ee0741fcec2fe5e41f5179c7fdcbe0a17c9bae5650d2f0883f0ff53e270a4ce7fe0f3bba3e956852bea5 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | a6fef0562abecca0d7b3567825ae5b99 |
| SHA1 | 2fa30153197cf09fd9bc36a26c062ee69644be2d |
| SHA256 | dc66239f557a96a96ac84dcffcaa0c6c166785a3333e974beee0647bbbce8c0b |
| SHA512 | 7d08bf50a299c8bc2997a41ac42c51613916b609645043ceafc4d7bb14b85f19d4a45641cf4c2b1e1dfe0bf58d6c9ae13cad42b56d4dccc20aed73d47786e1a8 |
memory/4624-143-0x0000000001170000-0x0000000001577000-memory.dmp
memory/2732-170-0x0000000005370000-0x0000000005380000-memory.dmp
memory/680-171-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/3520-176-0x00007FF7752A0000-0x00007FF7752F6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 76b257acff76f84889fce17a00d570f5 |
| SHA1 | 75c0854b4c50e97fc40da6df752a9c0e57787d37 |
| SHA256 | ec71d1d81b7a90c8667f7c90d0206f100a3be0c8fc14845d263ef84e45e82c7c |
| SHA512 | 68084025808d15262d1288b79efe291ac015a9f3c57331078e71ef850a3c8aa10b06d1ea95922cf711e94b778e08dcac20497ba6f0ca12077552846fd53ba475 |
memory/4624-179-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4624-169-0x0000000002E20000-0x000000000370B000-memory.dmp
memory/3484-168-0x0000000008510000-0x0000000008A3C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000656001\installs.exe
| MD5 | 291f1779234533e698b556baecbe8c33 |
| SHA1 | d7fd9e99636365b19ca197a1cb2ae6d881dca9b4 |
| SHA256 | 2ea7b877c161ab3feaed83bbad8a0fc3847ff67c314fbd38309e797b5853444f |
| SHA512 | 48ad82e9576c48c1c8b4f93bceeefc3ca2e9c809dc3363edf7921cfef9093c79bd8999f9edeab810e34250f923dd223c7ff7f55ded350cc8f11f05d45d604a01 |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | 05ce0544fbe1ed4d5cbf002d88a9e351 |
| SHA1 | ef5b4afe56af7ddb8fc8718dedcf20eca6865825 |
| SHA256 | 8109acb44e7b3e2bb59955c1fb0ce116cd276f2cf80bdc86e1ebcb9b11600e9c |
| SHA512 | 92773d27a1fca3ac99db03f6c64434cf9368d8a12a0e05bfcab3ae599797159412385693fb5fe9d1e873258e7e3e3b0e70b5f67dbaa45a134da09570b59d10b9 |
C:\Users\Admin\AppData\Local\Temp\nsr97CC.tmp\INetC.dll
| MD5 | c7ae096c02849c7eeb07623b18de8a59 |
| SHA1 | 9f57c75aa9f96121413a793d356d876a09f564ca |
| SHA256 | 711ce1b5b08d30470c7cb844d2dd9345ffb6c2add9392f56a86e8c515ba89ed0 |
| SHA512 | 2a070a13ed45b3cc289f8174eb313d244daf10c1ae36c837f305b450bf2f1b839850eed70f672bb94c75117fe232341b01a868824e42d4d01ddd754fa9b5670c |
memory/4068-207-0x0000000000E10000-0x0000000000E7C000-memory.dmp
memory/1152-205-0x00000000006B0000-0x0000000000AB8000-memory.dmp
memory/1152-208-0x00000000006B0000-0x0000000000AB8000-memory.dmp
memory/3484-210-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4360-220-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4068-215-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4180-221-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
| MD5 | cd2f9fdeaebb83a5659501b612e2fda6 |
| SHA1 | d63ab664522c1810c7345b09e5f9bde8165ed827 |
| SHA256 | 452c54eb8295998ddf268c0fef99578dc3063e3303ad5335b808c9bf4a809f69 |
| SHA512 | 6118f2f1dcce01ae9ac6d06551dc386b630b9cae1578a73420e33fc116566028625c520abbb4e62e7cf1a7b6a9a515958877e795bde74cadbead2891cf5d80c7 |
memory/4360-235-0x0000000072B00000-0x00000000732B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nscA5A8.tmp
| MD5 | a5cf199caae465b0b4ec87750f179f4c |
| SHA1 | 746602eee6965d4861301d5435c733028e950beb |
| SHA256 | dbaf4ca18c4794a792af604abd7bcba11894e077c5db342e6b340606de4e4a9c |
| SHA512 | 69c892fe423844a05067c27055fc3623afdb509d470f951d68509836bceb6405532ae9a2c214f44577fd40bd601d58efa2762355e39ff250aabd02a7f8471746 |
memory/3448-245-0x0000000002950000-0x0000000002966000-memory.dmp
memory/4068-249-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/3076-259-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1932-264-0x0000000002C70000-0x0000000002C8C000-memory.dmp
memory/4180-260-0x0000000005470000-0x0000000005480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | 8843162fe90d0883aeef66757a3a6434 |
| SHA1 | 56143a12404fee069b653bfd7156222df28908fd |
| SHA256 | 1a8e2d73f1cf272715959887efb83718774ae251eb23497c1ed3bca118887f68 |
| SHA512 | 4451bbb42f55d23151ac8bd7e8aff66dc19324fa395473aa2cc2a557d9538f28eb41f33247c5b1e0cb05daf3bd5e4e290ef2331c075d0fa0db816c558fe7293f |
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | 85f91a60d172e9baa50218714a6c04ff |
| SHA1 | dc4aeaa521308874aedc64f9a2ef0cb8d8cffdc2 |
| SHA256 | de4667f678649d6222a295b8f83ef3cde799f18a8a3fe1e78371dfd28119926f |
| SHA512 | 88e3cd102260673921099de22f417ae9c38d7ddd491789e977bbdb333b1470889426170d6b7ffffd96075dad1eb60bf059bae61f97d804c8b7d10293ee2bafbf |
memory/4360-251-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4360-247-0x0000000072B00000-0x00000000732B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000658001\rdx1122.exe
| MD5 | d7fb8d664eae6c371352283f34359df3 |
| SHA1 | 7391044ea1abe47cbcf46122ae747376c0cf9d98 |
| SHA256 | 1d59bdbf006aa855c3803d00fb8f63b161dc7b785011919f0cf6e10da6002501 |
| SHA512 | 372ce73d09f12325e60dc51e4d3d72b09b1e0ad56571cbd7ce427836b0fb2a05344a9604b7eef4fb961ec430997c270180fae40155b9917a5a7fd4e3a65f5676 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\1000657001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
memory/3208-268-0x0000000000AF0000-0x0000000000B46000-memory.dmp
memory/4360-202-0x0000000002060000-0x00000000020E7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | dd4fcd3ba23a6be123aae46d2463a2ac |
| SHA1 | af322d5dfd3f0cde338ae859ca91fdc625084dbb |
| SHA256 | d5b5921e7064ee185539c9367f7e430bddc66c2a79361625da97e099e6efe6d4 |
| SHA512 | 4ff4e4bdd67fef7f530ab39d18fe5dee0f232842f562644c661114fd49977029a663dce1aa8fed1e5dac7c7f28ff6f710eddacd9d20d332ef133f7951a06a83b |
memory/4140-285-0x0000000000400000-0x0000000000452000-memory.dmp
memory/1932-284-0x0000000000400000-0x0000000002B17000-memory.dmp
memory/4360-297-0x00000000005C0000-0x00000000005C1000-memory.dmp
memory/1932-301-0x0000000002C90000-0x0000000002D90000-memory.dmp
memory/3208-302-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4140-303-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4180-300-0x0000000072B00000-0x00000000732B0000-memory.dmp
memory/4936-299-0x0000000000910000-0x0000000000964000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 427805b4368ec423e44e4ae7bfd24f84 |
| SHA1 | ff57b8fda893e0a778cc952bdefba5dfd0da99f9 |
| SHA256 | 324914bc0fc5a6d2053fa6959b02733bacfa54d4a5a88ef1b70bddeee389c1ed |
| SHA512 | 4eb2338e8010f8486b2e0ecdc03bbf04a3a2f9dadd803056a19b3cbaee7894c5911c6fc35a4d5abbe51e250269e1203dcb30e2573e453dc2798c64cdd689e8db |
memory/3484-306-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
memory/4936-305-0x0000000072B00000-0x00000000732B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000659001\sadsadsadsa.exe
| MD5 | 302623f324ab143623da3c5485adc397 |
| SHA1 | 3547fae1ecb54c0f93f9f2cb1d3e9ff33fd1cc2a |
| SHA256 | f7c6b97401a4218c24e81167f963fabb4de5a66662585b87704e058ce3dfb13e |
| SHA512 | 4ac4cae4b32c9411befdf24d362f37f8391ed519dab8fa996f5c487ff19f0f154bc9d3ee11bd91ca8b1324ed34888b3848d122fae99ea03ffd383e62e1525ca5 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
memory/4936-316-0x00000000054A0000-0x00000000054B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | deb1ea97a52721fa4872abe5d648fb7e |
| SHA1 | 7834683f935b333e2cb4952c1bc201a853def992 |
| SHA256 | 77e225e20e6019b26c8f28f33d5fd87060ff53dee0e2ec7113d2e76ed36abd53 |
| SHA512 | ad06adc814e90da6da2a223a5affe405d36fbcf86bcde63054d4bc5d34edb12f138be151831ab4aa7d3e8ce6eeae55f4b519d5545339169febc6a3fda79e110e |
memory/2864-340-0x0000000000120000-0x0000000000128000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | 8daa84ebbcaa0439fd38b25b8ed6a54c |
| SHA1 | b177d8ece0c609f43f4c9c170b584695dc8172b4 |
| SHA256 | 3a8e906529a950d6e91c06f50731be525bdf710594823550954ad6bd5141f4fb |
| SHA512 | f0fef934ef0ebe81eff0617fc11fdc9b5f7cfc35bc689316e515679bde624f66820ec18a439073fb736c59f79af464e04f940f7136f2a23311825ecd7bb605cc |
memory/3484-336-0x0000000004AB0000-0x0000000004AC0000-memory.dmp
memory/5008-339-0x0000000000590000-0x0000000000612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/4856-357-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/4624-347-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3028-358-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | a63f4d4ad5647adc98d64bab955ed63c |
| SHA1 | 28e36a789d96213e520f62827693eb0c29b28144 |
| SHA256 | d000ec66e7b548761ed007bd14706a52919842e892fee3916bb58adf6c327acc |
| SHA512 | 09fb05f82eceb14db10def2bbb1f854f28f949e14dcaf1eae2034c12ae0c04189d115c3131275ee2386bf86de9bf618336af5ea40f3ca7d6c42e4710c3ed11e6 |
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | 275cd4cd7fa97d0267a340a624e8a5b0 |
| SHA1 | 21e103572b126771e3f027428c616ee8277504ee |
| SHA256 | 6e864a26756055a46273d5cda8c70346b8c07536b4cac20ccf545c2b30cb3a77 |
| SHA512 | 7f792644f45af0da2d93e1203a39014d0610c356d74ebba24287b71d6aba8cb4775c354828c8d699eb1810f84385b3f2ff821d0eabd16b1e6efaa9ce4515619f |
C:\Users\Admin\AppData\Local\Temp\1000661001\MRK.exe
| MD5 | 61b1e9a0e9304cba603fe6c76e2bdc12 |
| SHA1 | 632d169d711f8fa899483e7325d52c9b064b4a10 |
| SHA256 | fdc69cf6cfe06eb53a906f14e1f9076f6047936c47935f85f1d2137e9695ec9c |
| SHA512 | 09581836e7e4d1878b04bbccf15cef99d35f9bb7f2292c4e5d083e452b779baf67e62b140861e87f4b0a9b1de1b8d91906b0fa13cd72ac83290897904ae5816b |
memory/1932-375-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000660001\fsdfsfsfs.exe
| MD5 | a41bcaa5faf1b180540a34efcd72ca61 |
| SHA1 | a31e3bd50ed844c35150ccb841478a0d00012a46 |
| SHA256 | 0bca5aba072f21edbe8f5581e50ce8897ff186c31e99eb9907a34de472e87612 |
| SHA512 | 93faf916ed11c4fe453d9cce0c357634bfbf6a8d371044cffd4426d3e87b6024cc968f3a30cf29d3e53aa160849f5b063f9cb1360e3d2298ee5954261a0eff32 |
memory/4368-382-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-385-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-390-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-406-0x0000000004B40000-0x0000000004BDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | 47923c6d2c56c851ca426547d73ddb25 |
| SHA1 | 12ddb5c2afc681fd99ecd10a00e6b50712ebd66d |
| SHA256 | 72befa929be91712f6eb93d6a286c24df6480337ee07f9b2a5a55e876d7b6a3a |
| SHA512 | 4d059a02b6ff1b1dd5217c0273d5f1592c017422fc09dcca7723dfa1c65931ed9f4c40040b627afdb90f7ee95de08fe5631019e22482d2c6462d907f1b5368d0 |
memory/4368-418-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-425-0x0000000004B40000-0x0000000004BDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | b1e2e51e8d3b3ec760d1cf94aca52ccb |
| SHA1 | 2b53e727f7c6b7b041324c50a088acb407ed8364 |
| SHA256 | 2ca6f6dfc9d439efc06264d2ffe2e43510b65b76d829ec54459a78b33d6a36f7 |
| SHA512 | 795aa6ecc1c5a4eec8c8f903556545011cec361f8d84d1a49cac9d8d85bb1fbea3da86644c85563eb040a9806c6ac1e09bef7b0631c027d9cef8e62ee1dc8604 |
memory/4368-431-0x0000000004B40000-0x0000000004BDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000662001\alex.exe
| MD5 | 096517e479e8da1da600888f2f7e408d |
| SHA1 | c399ed02a26b658a7ffad9df86c569d947daaa17 |
| SHA256 | 36ef778edf62b899837ac6ce221a75456b9693284239b826ac759fb66c79bef7 |
| SHA512 | 85e638ec48d4904cd76add2ac51a9f51dd00da1ab0df0918bb96476ab06ec97bb671bd0827e0681a62540502ba48923a60bcd8193a159e184d917e7eaeeccddf |
memory/4368-435-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-443-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/1152-446-0x00000000006B0000-0x0000000000AB8000-memory.dmp
memory/4248-452-0x0000000004ED0000-0x0000000005075000-memory.dmp
memory/4248-451-0x0000000004ED0000-0x0000000005075000-memory.dmp
memory/4368-456-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4248-458-0x0000000004ED0000-0x0000000005075000-memory.dmp
memory/4368-450-0x0000000004B40000-0x0000000004BDF000-memory.dmp
memory/4368-470-0x0000000004B40000-0x0000000004BDF000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 13d0884c9089d2118f3aeaa368a2c135 |
| SHA1 | 68052e28c79ceda019076eb28601696da430cca0 |
| SHA256 | e2fad8befcd09cbd6acd298e9ac424bb7fe2fe6715fc9f9daaac3031921752ef |
| SHA512 | 2ecb2d96d66b87d5315ecc7b01148b6332658dc177306e021a4d8c81410f39c4d166ef56b1fef7532bd27bb162ce91ee6a70647dc36215a11eb0e08dd939441f |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 1a3bc71533ff8cde574f897503576bf0 |
| SHA1 | d2d805d3d1f08e4fa60805744d46b686e832c77f |
| SHA256 | 3bb74e53ba6d30bd00321c4036085b95c34a54663ee0545c4f9f9dddd275ebd8 |
| SHA512 | 25c0db4c0eae5ca47a5049c70c0f5f85ec94015c9a38138e1203897c7eface273ab8eea0373e4b2b03ccbd533626b749602c4c4cf0b55eda3e1d476c2c21f686 |
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
| MD5 | 2d751abdc1481a755744981c3cd68dcd |
| SHA1 | 0e3dd7cb8aa297e40a86cb9339566c51b1487319 |
| SHA256 | cd027cdc90e08109d7dc90c040d2b0df5500818b33596785c24f24f6acec2ee1 |
| SHA512 | fd544923db13e53fda69cb35235252131674dbe53750f504907fd9480569d6980dd7d54c80a0260d2aef23133fd5fee61b6adee33edb0924836b3b8dee8a30be |
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
| MD5 | ae9257f4d640a547e37e1648933aa15f |
| SHA1 | 2644c18670ae4af40435cb6e5ca9c81aa681b872 |
| SHA256 | d2d94ac48935cfc01e05908a07d24cd61ef0ca45259a92f776566e78b241ec70 |
| SHA512 | 53857adf175bf438c8c90a827b02b91dd631a36ae73b7f13423692402c91fbcfda6626abd3d05fc135d0c605a95bec2f3758bf8aa60419232e85c07ff6a9a01a |
C:\Users\Admin\AppData\Local\Temp\1000663001\moto.exe
| MD5 | 0a5fe479126856438039edcbf5bdf2dc |
| SHA1 | 056b676720c6175ce6e1e29943e3284da68704e9 |
| SHA256 | e54ebc07acf8e4bd5be7f13493716190a35601ecd64ba25199e0d963cc4aef5f |
| SHA512 | 81b5b7be1fb2ffd99f28931d02d97ee07755ee4170b89ad9c6c634485c37d11906e7cad0b72e31cb4e22214a0dc78ba568c49549425f544ba5a5670d12c9683a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA1 | a118cf0ba2d4ac47473b9140c0aa7745efc6aac7 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
| SHA512 | 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 7c6158126fcaf750413a7930915b308f |
| SHA1 | caa1e195ea7af6169a0e6ac0709223557998792b |
| SHA256 | 13f66c22847cfb53f0cbf0c779b5c6ee8d57530ee61cb6703e2804c45d4cbba3 |
| SHA512 | d3c01d1e73352020daa07bed56422aecdd335d1e6f622d2d59cd2122f601c2233129eb9e49149712aa0cb9823646016057afa3269210e7e918719923cc2316d0 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | f9a61fad8fc3f9d34df1ff547c998dc1 |
| SHA1 | fd015db6c2696ef00743e25ffde4fbddcc803a8e |
| SHA256 | c4574eb151978ae571fd4314eb0031274f31dfc2a8eef9fd12a9ff8d5f5b65d1 |
| SHA512 | 6da8123e21c79d0a375e8874d86440543bfa87c4789a7fa255f1fbc109dc2201042702e3eb66e2218b358bb02160e50d402dc0b5264dcb935c1b979afd284145 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 5367e6b786d6bb21cb8ab6cee3ca388b |
| SHA1 | f98687808088f88b03ea159d502e497f7366be69 |
| SHA256 | 9c58d2ea2a01e04bf1428b15a2d076a10b3a6ddbfc5a6d15ccc57733047a6792 |
| SHA512 | f2fcfc69bff0200715bd119b9817fb3472398c11258c716642a810ae795a9a3f57ea6fbc7ebfe109c183fe5d072f03d35ff937fae6310f543363a2a75f9792f1 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | c9944e129fb149c95a33880158d85543 |
| SHA1 | 32878df9e6035764e5b4037c5234810ab6425dc4 |
| SHA256 | 098e8c9f7c0706b0fc8429f42265546ae980cabe18efaa8e797259241c91c889 |
| SHA512 | 1588b18faf7a8dc01609d04fc9aa22b6f78f210a0ea771abdd24e13061cc5a51bfdfa7d14b5b0862e4de784998a6e445bb3ba4340920b84e995ecdd14c93d0d1 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 1f2219ab50ae35beb17567c2742a7677 |
| SHA1 | ba28551e186ce036a31cec13b5c08b90abc7d8bd |
| SHA256 | 63a60f5bcf2dfb676fcde5b75c01410f608ae0f4c39b4dd35e575bf83b97e838 |
| SHA512 | e9c6d6537a4a5c3439d37bd948b83878ef037a814113838aa4f22934ab0be26b96116dd6ab59881c458d084c3470488fe87c648d6cdd086791cfe2f956f1318e |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 89a7ecaf1494e323914889ce54bdc0d1 |
| SHA1 | 29cc1b5462b53d1ad24361f60f15513e67fe0f14 |
| SHA256 | eb20b51883af507b2e3b2e5f5a22ea053dbaf4084892b19bca39f28215e45999 |
| SHA512 | ff5c3ce995a4922fe8f5d78280dd9188c1514292a6ddde2fc56b624fb01906667825a03f1ba78d495e71427a503e95c677a9dfd781aa721b08f20a711b330f66 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 04cdfc611a4b15c1e8e7bcfb618f7a30 |
| SHA1 | 1f0a2f5300e1c54b718370460e50a2e371c5c97e |
| SHA256 | fdfc04d37300bb71170266d5d8922eb0926c878c3e6af40fd88f5004a332d7bd |
| SHA512 | 2b32e6fdfdb1e3e6e33fc4f9c59250a4f157140006619148ca25d8fcdd0e3f5da0d526fd3827bb06074ad011a095a1097321379c251bfd8120e1e6fb179380c7 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | b0207403d88821b832de621a94b59d03 |
| SHA1 | 3741a24dde7c6900eba946b19cbee4a80ef0c7f6 |
| SHA256 | 7dd887c47479f93f6443f6eb3b6e780f97bfa4a8b0867453acf6594c08c699d7 |
| SHA512 | 395213d4a2a25ed8070ee83a4c2c941c8169874c90aeb15c458ac01bcdb08e6cd092e76e7406973b961ac008ebe5df4e866910f6d4612c47beecf45055d29124 |
C:\ProgramData\nss3.dll
| MD5 | aa2a4823b87d7936fa94f1d909524735 |
| SHA1 | 773c2c872f52b95b25acfa6e24598114bc0dfb6a |
| SHA256 | fffbf92110a154f94ed11b306cc6344f3d3b765b01c0cd46f9418b5a2923302d |
| SHA512 | 419b70abab0c4644b025929fe6814dbec3f2e6d9997fa7fafefe3b233c32b701299abb9f85a1819e5b1affa369fafbb7fa185c98b0b459055c6aa5b2791d4174 |
C:\ProgramData\mozglue.dll
| MD5 | 8f77166b0e074bb325434eda0ca25a81 |
| SHA1 | b3a75acf37aad0d44eb49e9c5c7488d389b531ea |
| SHA256 | 5d497070239c93fed6cb2319e44d30d5a3bb0460d83f19f314090037d2a92267 |
| SHA512 | 5d9e11749f6ce5f5a389f32687f9f4c1a4728a794de78a5cd96b84578fed1670079e3e2c4de0e3dc363d8927acb273e23c609dd254e79cdbeaf61d9a001fa4b1 |
C:\ProgramData\mozglue.dll
| MD5 | d89e169a92f49a44be629a0b76f7b793 |
| SHA1 | 808bfead02560416bda7c1531c7a6f01f8932050 |
| SHA256 | bf65e03dd51d22862a26911fcb5604ed1b874b34e818c9714676b297741b0be4 |
| SHA512 | bcd3d2e440a9cc9a8093e24f1628d6b5ac05453114a9d4fc62484ea84596c99ea0c0e80b9373ea8b013cce7f63e27ce6287a48c6c84612583e627bb4aac59ad0 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 706eea9a934fe9c2c8038d55d599fc30 |
| SHA1 | 36a5dd871d7854786c0d2170adf52b029833381d |
| SHA256 | d40e196c0711896f1381edad77fc8d4cb2d106689bfb8ee4d71e0b371b974e5d |
| SHA512 | a05d7024fbbdfec34f977dc8b01101d822d523325e974be6419cfcb7c045534854f7498db197c53eca8b2eda8b3b54ccfe889756a5b71a9751544da57b759df7 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5tjzny3.qk4.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
| MD5 | e7f7c1deac8d26e118fc33d4f9f01216 |
| SHA1 | 05a0f7425e8df5fb498b0e94d02245d18e6e5765 |
| SHA256 | fd702d29ad474574634b7a1da442fbb752a65a342ca88282815c78ad3d82e0d8 |
| SHA512 | f8e8f949cd1c49a7b48ae3d58457bcd1cf04067d0ae7a30add27a8c233b57a4dc0c98ed98aaddee6a8d02f8894ab30cde4f261a37e0903ca9100c365e8742af9 |
C:\ProgramData\wikombernizc\reakuqnanrkn.exe
| MD5 | dfb236d83a8ea8fe6be09e99e927d707 |
| SHA1 | 68d39cf235a53b763e85c17f00125dd7c659fc94 |
| SHA256 | 941b5000a7a34059fcf331503873f05b14356647725eb63dd3fbf2893ff464ce |
| SHA512 | 7feade50b9c4558cb0a90665fe05739e5f69af1446ecc12e73f799c391117a8e829cba996557d25b0ea5d71f34730e540cbe733f0dc2ca4ad43a44c45ac642bc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 763ce0de077d6e333eb48f7f09b754e9 |
| SHA1 | e82a2c5ff84c4334c0201dd6a4aa209be461c638 |
| SHA256 | ff2b3b6c0aa2a6c0d20631dcd9b14926dbfa08aacd2a7b40ca6d16315a42586d |
| SHA512 | 4c18be5aab8a431783094376a6d0916db626f099cb8af1ef4ae87241675404dfd42cbb412819e37c104dd09e0e38ca3df3cc804b9d82d644c302554eab17e715 |
C:\Users\Admin\AppData\Local\Temp\9A09.exe
| MD5 | 051acd118e84612a34e8ef3ecc44a4a4 |
| SHA1 | ba50cc48379f01d9c737e4f4df60e8907374e0d9 |
| SHA256 | 53968e0ae6a491e5bb03ee4d7d40b318c4c5c6a375a9d517b547152c4d721422 |
| SHA512 | fc52da4f2d29b8779c36a3a5894a1f19f138d24efd78e8ca9cc412c08d0e3c4de7152c4db429a70ed2f447f1d77c023d5494748a4b555b384212ed3c55f34851 |
C:\Users\Admin\AppData\Local\Temp\AF76.exe
| MD5 | 0a3303d13df2f74ca52000b263bdd8a1 |
| SHA1 | a8a2e3fdc4271a05e2507f0a1ed049cde51e1b20 |
| SHA256 | 36b4f3f2ff55a415b7765444690832201b714938bbd37ef0c86e7a09d3cde517 |
| SHA512 | 652df8074d3e17107a81ebdc98f29df8c460e4707a7f6f0fc48c88065e72d1defecc680d7424e81a873890daf000e1eac0834ec755b291ecd41b3822a31a8938 |
C:\Users\Admin\AppData\Local\Temp\AF76.exe
| MD5 | ac819f377c02c70e690af558f555316f |
| SHA1 | cb97dfbd9f83a83e9839c48372d7421c03494118 |
| SHA256 | 22f44ee1ee9e40bf659ac3df38a8ec05e83bcdc13f4d158efb9581f3f210ac59 |
| SHA512 | 7a8763ceac98f0ebb5072fe20f54f897630273f8cda73554bd2c16d228b99d4a69a6c49b4ed2e6da9dd4a7a09fc5616057436b12c218445ba27db908d1bfb46a |
C:\ProgramData\HDBKJEGIEBFHCAAKKEBAEBKEBK
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\JKKECBGI
| MD5 | 9fee8c6cda7eb814654041fa591f6b79 |
| SHA1 | 10fe32a980a52fbc85b05c5bf762087fad09a560 |
| SHA256 | f61539118d4f62a6d89c0f8db022ee078a2f01606c8fff84605b53d76d887355 |
| SHA512 | 939047294ebfb118bc622084af8008299496076b6a40919b44c9c90c723ddda2d17f9b03d17b607b79f6a69ba4331153c6df2caf62260bf23e46c6cfe32613a8 |
C:\ProgramData\GIIIIJDH
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Temp\fi.exe
| MD5 | 1eb1c24f33b5c237d0fe04c68152e9eb |
| SHA1 | fa1c602b3282bbe3ea5c742725e9f97bb2a839e3 |
| SHA256 | 208b3c6d440df348cf53a377c54af7d23223c90631e13ffec9c32b4ef6622f30 |
| SHA512 | 745d5d565ae57124e69b9b8f1a3815eaf6578aa5725a2d1f3a8f156850f35c8f7792ba40e89bdab7945f18d35cacf62f0eee0b5dd3955453f9cbe8c46b88db11 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\fesa.exe
| MD5 | 568d3de870dda8a255763f5c28ebe984 |
| SHA1 | adf1dbdb02fa6b0e9efc3bc52c45017368bcc0ce |
| SHA256 | a326d35df0281661f29f27cc95f28ad7b186cf536b8a3718209973bc8d99d8de |
| SHA512 | bdcd6ea5bef5f9f04ccaa3e9177bfac6c87f8bfe42e7f5b377079cdcbd730118cbf2b5de088648a798a26f41318beda8e061e9391b52dfdf12379bcc3724891d |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1024_600_POS4.jpg
| MD5 | 655d9f0cf81ffe21abba5cf876043e25 |
| SHA1 | 6b2d8c5f9a422a97330a46de3189a2aff082525a |
| SHA256 | 1e101a054ba3cf6edabc59936ef9a395ee11453d0403af5c46db5e726cdaaf43 |
| SHA512 | f402acada9bfecc60f957212cb83e289e59cb2b854196cc5427093703bf9a869d84895c9f98f8e3700764e92c74b661ba6d0a43e6f6111e00d5ff25873791384 |