Malware Analysis Report

2025-01-22 10:24

Sample ID 240130-gsdtraaah5
Target tmp
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
Tags
amadey redline risepro xmrig zgrat 2024 @pixelscloud livetraffic evasion infostealer miner persistence rat stealer trojan upx @oleh_ps @rlreborn cloud (tg: @fatherofcarders) collection discovery spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

RisePro

Detect ZGRat V1

RedLine

RedLine payload

Amadey

xmrig

ZGRat

XMRig Miner payload

Blocklisted process makes network request

Modifies Windows Firewall

Stops running service(s)

Downloads MZ/PE file

Creates new service(s)

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks computer location settings

UPX packed file

.NET Reactor protector

Checks installed software on the system

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Checks SCSI registry key(s)

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Delays execution with timeout.exe

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 06:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 06:03

Reported

2024-01-30 06:06

Platform

win7-20231215-en

Max time kernel

2s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
(10 rows, all N/A: no description, indicator, process or target was recorded for this detection)

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
(16 rows, all N/A: no description, indicator, process or target was recorded for this detection)

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
(7 rows, all N/A: no description, indicator, process or target was recorded for this detection)

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
(23 rows, all N/A: no description, indicator, process or target was recorded for this detection)

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

UPX packed file

upx

Description Indicator Process Target
(12 rows, all N/A: no description, indicator, process or target was recorded for this detection)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {82A2E3D5-C4B8-4E74-8842-3A2F18044972} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 596

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 596

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 604

C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 96

C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\nsdC8BD.tmp

C:\Users\Admin\AppData\Local\Temp\nsdC8BD.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsdC8BD.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130060537.log C:\Windows\Logs\CBS\CbsPersist_20240130060537.cab

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe
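The process list above carries the persistence and evasion steps in the operators' own command lines: a per-minute scheduled task for the explorhe.exe copy, services created under C:\ProgramData and started with sc.exe, the Event Log service stopped, a firewall allow rule for a csrss.exe look-alike under C:\Windows\rss, a DLL run out of AppData through rundll32, RegAsm.exe launched with no arguments (consistent with the SetThreadContext signature, the usual pattern for a hollowed host), and cmd /c choice or timeout followed by del to remove the dropper. The rule set below is an added example, not sandbox code: it runs over those lines (copied from the Processes section, plus the makecab.exe line as a benign control) and tags each hit with the ATT&CK technique I associate with it. The technique mapping is my own, not the report's.

```python
"""Rule-based triage of the command lines in a sandbox report's Processes section.

Added example; not the sandbox's own logic. Each rule is a regular expression
over one command line, tagged with the ATT&CK technique it indicates (my
mapping, not the report's). SAMPLE_CMDLINES is copied from the Processes list
of this report plus one benign Windows maintenance line as a control.
"""
import re
from collections import Counter

# Constructed input: command lines as they appear in the report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'''schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F''',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsdC8BD.tmp" & del "C:\ProgramData\*.dll"" & exit',
    # benign control: CBS log compaction that Windows runs on its own
    r'"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130060537.log C:\Windows\Logs\CBS\CbsPersist_20240130060537.cab',
]

# Directories a standard user can write to; a launch point here is the signal.
USER_WRITABLE = r"\\(?:AppData|ProgramData|Temp)\\"

RULES = [
    ("T1053.005", "schtasks /create whose action lives in a user-writable directory",
     re.compile(r'schtasks(?:\.exe)?"?\s+/create\b.*?/tr\s+["\']*.*?' + USER_WRITABLE, re.I)),
    ("T1543.003", "sc create with the service binary in a user-writable directory",
     re.compile(r'\bsc(?:\.exe)?\s+create\b.*?\bbinpath=\s*"?.*?' + USER_WRITABLE, re.I)),
    ("T1562.002", "sc stop eventlog (Windows Event Log service stopped)",
     re.compile(r'\bsc(?:\.exe)?\s+stop\s+eventlog\b', re.I)),
    ("T1070.004", "cmd /c <delay> & del: self-deletion after a short wait",
     re.compile(r'cmd(?:\.exe)?"?\s+/c\b.*\b(?:choice|timeout|ping)\b.*&\s*del\b', re.I)),
    ("T1562.004", "netsh firewall allow rule for a program outside Program Files/System32",
     re.compile(r'netsh(?:\.exe)?\s+advfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b'
                r'.*\bprogram="?(?!C:\\Program Files|C:\\Windows\\System32\\)', re.I)),
    ("T1218.011", "rundll32 loading a DLL from a user-writable directory",
     re.compile(r'rundll32(?:\.exe)?"?\s+"?.*?' + USER_WRITABLE + r'.*?\.dll\b', re.I)),
    ("T1055.012", "RegAsm.exe started with no arguments (typical hollowing host)",
     re.compile(r'\\RegAsm\.exe"?\s*$', re.I)),
]


def triage(cmdlines):
    """Return (technique, description, cmdline) for every rule that fires on a line."""
    hits = []
    for line in cmdlines:
        for technique, description, pattern in RULES:
            if pattern.search(line):
                hits.append((technique, description, line))
    return hits


def summarize(hits):
    """Count hits per technique, e.g. Counter({'T1053.005': 2, ...})."""
    return Counter(technique for technique, _, _ in hits)


if __name__ == "__main__":
    for technique, description, line in triage(SAMPLE_CMDLINES):
        print(f"{technique}  {description}\n    {line}")
    print(dict(summarize(triage(SAMPLE_CMDLINES))))
```

The regexes key on where the launched binary lives rather than on the exact names, so the same rules fire on the second service (FLWCUERA) and the second schtasks entry (MalayamaraUpdate) without any per-sample tuning; the makecab.exe control produces no hit.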

Network

Country  Destination           Domain               Proto
RU       185.215.113.68:80     185.215.113.68       tcp
FI       109.107.182.3:80      109.107.182.3        tcp
DE       144.76.1.85:25894     -                    tcp
US       8.8.8.8:53            pool.hashvault.pro   udp
DE       20.79.30.95:33223     -                    tcp
NL       80.79.4.61:18236      -                    tcp
RU       185.215.113.68:80     185.215.113.68       tcp
DE       95.179.241.203:80     pool.hashvault.pro   tcp
DE       185.172.128.19:80     185.172.128.19       tcp
DE       144.76.1.85:25894     -                    tcp
NL       94.156.67.230:13781   -                    tcp
DE       185.172.128.90:80     -                    tcp
NL       195.20.16.103:20440   -                    tcp
DE       95.179.241.203:80     pool.hashvault.pro   tcp
HK       154.92.15.189:443     -                    tcp
AT       5.42.64.33:80         -                    tcp
DE       185.172.128.79:80     185.172.128.79       tcp
US       8.8.8.8:53            apps.identrust.com   udp
GB       96.17.179.205:80      apps.identrust.com   tcp
NL       94.156.67.230:13781   -                    tcp
AT       5.42.64.33:80         5.42.64.33           tcp
NL       94.156.67.230:13781   -                    tcp
NL       94.156.67.230:13781   -                    tcp
US       8.8.8.8:53            app.alie3ksgaa.com   udp
HK       154.92.15.189:80      app.alie3ksgaa.com   tcp
NL       94.156.67.230:13781   -                    tcp
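The Network table mixes three kinds of flows: plain HTTP to bare IPs on port 80 with no hostname observed, TCP sessions to high-numbered ports (94.156.67.230:13781 alone is contacted five times), and DNS lookups through 8.8.8.8 for pool.hashvault.pro, apps.identrust.com and app.alie3ksgaa.com, with the resolved hosts contacted immediately afterwards. The parser below is an added example, not sandbox output: it normalises rows that carry three fields (no domain) or four, separates resolver traffic from real connections, maps each observed domain to the IP it led to, and pulls out the uncommon-port endpoints and the mining-pool connection. The pool and benign-domain sets are assumptions made for this example, not data from the report.

```python
"""Turn the Network table of a sandbox report into IOCs.

Added example; not part of the report. NETWORK_ROWS is the table as the
sandbox emitted it: four fields (Country Destination Domain Proto), or three
when no domain was observed; a '-' placeholder in the Domain column is also
accepted. MINING_POOLS and BENIGN_DOMAINS are assumptions for this example.
"""
from collections import Counter, defaultdict

NETWORK_ROWS = """\
Country Destination Domain Proto
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
DE 144.76.1.85:25894 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 20.79.30.95:33223 tcp
NL 80.79.4.61:18236 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 144.76.1.85:25894 tcp
NL 94.156.67.230:13781 tcp
DE 185.172.128.90:80 tcp
NL 195.20.16.103:20440 tcp
DE 95.179.241.203:80 pool.hashvault.pro tcp
HK 154.92.15.189:443 tcp
AT 5.42.64.33:80 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
NL 94.156.67.230:13781 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
NL 94.156.67.230:13781 tcp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
NL 94.156.67.230:13781 tcp
"""

COMMON_PORTS = {53, 80, 443}
RESOLVERS = {"8.8.8.8"}
# Assumed: public Monero pool, consistent with the report's xmrig tag.
MINING_POOLS = {"pool.hashvault.pro"}
# Assumed: CA revocation endpoint reached during a certificate check, not C2.
BENIGN_DOMAINS = {"apps.identrust.com"}


def parse_rows(text):
    """One dict per flow; the header, blank lines and malformed rows are skipped."""
    flows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        if ":" not in dest:
            continue  # header row ("Destination" has no port)
        ip, port = dest.rsplit(":", 1)
        if domain in ("-", ip):
            domain = None  # placeholder, or the sandbox repeating the IP as the domain
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto.lower()})
    return flows


def analyze(text):
    """Separate DNS from connections and derive the IOC sets described above."""
    flows = parse_rows(text)
    dns_queries, domain_to_ips, endpoint_hits = set(), defaultdict(set), Counter()
    for f in flows:
        if f["proto"] == "udp" and f["port"] == 53 and f["ip"] in RESOLVERS:
            if f["domain"]:
                dns_queries.add(f["domain"])   # the queried name, not a connection
            continue
        endpoint_hits[f"{f['ip']}:{f['port']}"] += 1
        if f["domain"]:
            domain_to_ips[f["domain"]].add(f["ip"])
    uncommon = {ep: n for ep, n in endpoint_hits.items()
                if int(ep.rsplit(":", 1)[1]) not in COMMON_PORTS}
    pool_ips = {ip for d in MINING_POOLS for ip in domain_to_ips.get(d, ())}
    mining = {ep for ep in endpoint_hits if ep.rsplit(":", 1)[0] in pool_ips}
    return {
        "flows": len(flows),
        "connections": sum(endpoint_hits.values()),
        "unique_endpoints": len(endpoint_hits),
        "dns_queries": dns_queries,
        "domain_to_ips": dict(domain_to_ips),
        "uncommon_port_endpoints": uncommon,
        "mining_endpoints": mining,
        "suspicious_domains": (dns_queries | set(domain_to_ips)) - BENIGN_DOMAINS,
    }


if __name__ == "__main__":
    for key, value in analyze(NETWORK_ROWS).items():
        print(f"{key}: {value}")
```

Counting hits per endpoint rather than listing rows is what makes the repeated 94.156.67.230:13781 session stand out; bare IP:port pairs on uncommon ports are the entries worth pushing to a blocklist, while the resolved domains give the hostnames to watch for in DNS logs.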

Files

memory/2372-0-0x0000000000010000-0x0000000000418000-memory.dmp

memory/2372-1-0x0000000000010000-0x0000000000418000-memory.dmp

memory/2372-3-0x0000000000010000-0x0000000000418000-memory.dmp

memory/2372-4-0x00000000007B0000-0x00000000007B1000-memory.dmp

\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 dafba6b93e117bf5477c56a3a30a1a2d
SHA1 9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512 eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc

memory/2372-15-0x0000000000010000-0x0000000000418000-memory.dmp

memory/2372-14-0x0000000004CE0000-0x00000000050E8000-memory.dmp

memory/2028-13-0x0000000000370000-0x0000000000778000-memory.dmp

memory/2028-16-0x0000000000370000-0x0000000000778000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 3853abb35ab617a117144f119cdc9808
SHA1 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae
SHA256 f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef
SHA512 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

MD5 fc4a48eb5ab147650c3f8631874939f0
SHA1 f25bf4d2a9fbca84a2dc9c15c99277a81d9f2406
SHA256 58b3302f798ba0c7292ac7c437c9e225fa32fd3bb58d4013eb61fa0eab40ae2d
SHA512 86d1ee6c75a85663d7e25b77f586fcbe16f79b9fbc308d963f1335221677c882659f27aa0136e94e7bde80729402c214c8ce9bbf3820e53766df3a7a1eefe1ad

\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

MD5 3c28f764516c5ff132b88468a535ed45
SHA1 94a03270f723be37501d22c8b061341d81744d85
SHA256 a73efac0cf78ce9f3fb7dd74ad7c17618c146d93915a69d04f4b4ff4252d823e
SHA512 d7abbf22e49005d016c45963fe8550f10049c11b02bc4a31b3fb8a2ac97444fbd80ac06af5284305a261c9dd349d9a26b5462de6406acfd93d5b9702fcdb20d6

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

MD5 3dc382e1fb4f18e3259e5af7a33d3c13
SHA1 3efeb823d79f5037ee46ee7b7259d9e13ac5edb4
SHA256 7694d7ba820964dc251e5ce4470acb3182af4f12f7d5bdecb8684f08661373c6
SHA512 66019d8a1ebda23c23edb48682f8e720c06de4a9542cb260a9d3f148eecf6e0a77e311e457e16d547787506ef7c97185aa3b0d5378f07149944c22794487d8f5

memory/2028-34-0x0000000004740000-0x0000000004C20000-memory.dmp

memory/2872-37-0x0000000000CE0000-0x00000000011C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

MD5 e800f34543dd60249858d3eddcc8cb5b
SHA1 eac2ef576d7aaf50f451bc6044a7112284863b0e
SHA256 a6a262b2d76556a2c4155d8be6f51b4f1ff5c360dff9d5a0f6ef6a11b93b89fe
SHA512 d2c1b453354de79ee04d9fa5851eafc9a286418c6c6e8d2be848a42bef9cbc55229873261f1aabe355f34f1f05eb92e3271d78fbb144c2f3314599125bca7e24

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

MD5 60b4b35ffe49af4c0dacddd1365be70d
SHA1 b81c174d6593d75267917d699eca852ff5b95228
SHA256 0f93e426873788dd9b8fcbb4263c0714482c26614326a353debbf107e5e69a2d
SHA512 fb6c972508ab72d7b066a870b0c247895071f5fc5e8602376ea8f683bf1e8eba00f77c70c7d234a5ce25c47643d7315aed2578db80492294c8aa7ad0e8b00cea

\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

MD5 eabc6a6dddc5b631b557adc2bd34f223
SHA1 b8eb844371dc9296e5112ce860ff76a7d0a5b043
SHA256 fb0d1247e40c92c923003daae8e2b7af124e2911284bb3c135d2c616d2fb2a6d
SHA512 82a00e9945f6b0e1b204f67909cb38000be9a945ea491e91eaf51ef8b3457a414531cf9d0c771a69983dc5867d0805f3d461dff1bdd8f7d22bba6dae37e46667

memory/2028-52-0x00000000046A0000-0x0000000004C18000-memory.dmp

memory/1640-53-0x0000000000890000-0x0000000000E08000-memory.dmp

memory/1640-54-0x00000000773C0000-0x00000000773C2000-memory.dmp

memory/1640-59-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1640-58-0x0000000002700000-0x0000000002701000-memory.dmp

memory/1640-60-0x0000000000890000-0x0000000000E08000-memory.dmp

memory/1640-71-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1640-76-0x0000000000830000-0x0000000000831000-memory.dmp

memory/1640-78-0x0000000002920000-0x0000000002922000-memory.dmp

memory/1640-77-0x00000000027B0000-0x00000000027B1000-memory.dmp

memory/1640-75-0x00000000027A0000-0x00000000027A1000-memory.dmp

memory/1640-74-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/1640-73-0x0000000002710000-0x0000000002711000-memory.dmp

memory/1640-72-0x00000000027C0000-0x00000000027C1000-memory.dmp

memory/1640-70-0x00000000026F0000-0x00000000026F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

MD5 2684dfc807a6fd650a378cf184086e15
SHA1 95ce189b296abd2acfdd27eca297b2eb3b17f514
SHA256 8c4f8dca2ec40370117d262c1dc59d36404c002780a1cd060f7cf9d631372b6c
SHA512 baee286916bed8fa422e97a370828b3a521874db2916b3ef41b6dd37bf8661adf26750aa89f8ee80c8a340e381ad4cad80cc55e99dfaff922d3dcfb32cde9e8a

memory/1640-57-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1640-56-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/1640-55-0x0000000002540000-0x0000000002541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

MD5 52cb826983b2256778edc560437f151f
SHA1 69b8f3014b7a347fb8655b9d869c8261209df183
SHA256 e17b05bcc1f2377bc161a3f5efac6004517412c2f7ebd288730a2f0bdcc72bbd
SHA512 0eea2a93aa7594141acfa4f55a67728ff6e4b61793466d5f625cc1ce68105ec29efa466005de8ba9bfeb4109c545d78426a2f93da4bd02661b26b457aab7648b

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

MD5 f0f33904891016484ac929bf5705e05d
SHA1 4d8765942643ebfa0e902e67b839f1356078adea
SHA256 3ea49310d17d840eebda8665866d3ac764a5a31a695b4b0cd84c607ff4cb5d1a
SHA512 ac731ec3b206bb00a72ee47ef7bc287a91f1dcc08ee7fd124765a46d2b8dc1e5bb46c1c53212b0807a3deda40473124430f24adaff1cd73678b4c3015f3f79a8

\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

MD5 b522feb68c6f2a8e99e467f877ece55f
SHA1 f402b41961fdc603c1954fe45ad6bd643eafcd7f
SHA256 092ae32de04a777e9af32e52b5cd81950a25872560ae0dda3ea13b600066c282
SHA512 7d7ba752ab2db4d0835b873eeed1e80b21754c5e6bc97f7a16c2a2b6dd1ff8c432ea2fabdf13d0157436172f312e1f57a736d0bcf4dffbd7496fa63a93a3a194

memory/2028-85-0x0000000000370000-0x0000000000778000-memory.dmp

memory/2656-86-0x0000000001050000-0x00000000010BC000-memory.dmp

memory/2656-87-0x0000000073B10000-0x00000000741FE000-memory.dmp

memory/2656-88-0x0000000000FE0000-0x0000000001020000-memory.dmp

memory/2656-91-0x00000000024C0000-0x00000000044C0000-memory.dmp

memory/1972-92-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1972-93-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1972-95-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1972-94-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1972-98-0x0000000000400000-0x000000000045A000-memory.dmp

memory/1972-96-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1972-112-0x0000000000400000-0x000000000045A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 c0532ec879dc01671fb3e92c3e6a3de0
SHA1 40017234d60498409d7dadd7361394cc4c472ecb
SHA256 34398a18cb72ce2965e2a33f1bd4f35538d5f0d3b5a0a93f616c5dd55ee0287a
SHA512 3b3abbd26aeff756d8dca62118d75555ae117a9995f1ebdf1eb43b0dfc4ff348e7096c8445b99dde7b1b64e9208b3d9491be3a108311e4c75a87e04df128a40f

memory/1972-101-0x0000000000400000-0x000000000045A000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 cdeca1be2177d76abc35ff08be0cd836
SHA1 561898a83f2c5947239d5b93f6950290c9c78219
SHA256 f49cac2fe266eb7e49722090937af589dcc3f3567e6eede1836ea176f67ba463
SHA512 ccadd746fad423a80cef3547a10a4d8236984d720ab0490db1d67c836a922a8c6e9decaf30b0afafb0fedaf96b54f1446d3cd09cfa5d3925f099f4f476d3273b

\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 a29bc6316b9944a247e4a040e1310be3
SHA1 f98b9ebf5bb1952d6472a82d84b5ab847d80c455
SHA256 eed6a8494ccb4c6c62ec7b35a7e773b0ca7e3347f0832946002991342e81dc22
SHA512 14a0b28d83e34ce6ab47abdcc2e83d3bb60c0323838b067051658059a5f84a6b3186081c203c8b1a8e18d02c1118bbd1b16dadeef0fa0bb5bb701bf92fed9aaf

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 02f809b94e31e90b5ee6ea48b6c7bd8f
SHA1 ac8bb03fb788c53604d344bc14fb013848d71bb4
SHA256 e060915f8254c9cc258587e3900e2416fe790a5abf16e68bea4a773c067b34fd
SHA512 e5eacb34a12f040e11a60b30320605d3c0759a4d9d74dc67154a3c588345e65af41f545685ef1a5a955b214399394e1fe64af1f7023863ddf164690ef1c13694

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 cf4c14a3a2d60b7ffdc77f900391a44b
SHA1 6e0eee0ac976115e47e87bbcb9480ba469b7dcf1
SHA256 fb113aeb0c2b95b54ba40c1dca1775c2b83d2882b6adf22682509fb29b15c1da
SHA512 1e7244978445cc25a75a7d36e0cc2704a4644e80b2559cd5079a9eed3ba55176fb0264796c4a93e5bdbb3a49256e4a5f83fcacea849ad15d5bbe0da35bcfae58

memory/2656-119-0x0000000073B10000-0x00000000741FE000-memory.dmp

memory/2028-124-0x0000000000370000-0x0000000000778000-memory.dmp

memory/1096-125-0x0000000000370000-0x0000000000778000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 31201661705a0c56f6729c6e6d35e606
SHA1 e38f271969466be95da5426aa8623a92788280b6
SHA256 5ae4f2c36e99b04682836acf3a5255e0d1429bb36c1483c73b8e35515c5fde8d
SHA512 f42d7508e1ff2edf28e6f4904ee8797921eadcef063f08db2d21442a5cdb9283cbf1d1223cacb4e0ecfd91daf6893d1bc6a1e85b1a0be0f0678cc6c28869f8a5

\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 fd93fa849a47a7cc59c1e5e9903c8747
SHA1 58b0ac7f14ff6755e6bf250b5bdab29407b83a28
SHA256 ac183f629675b1f1af1f2d2176e8795575455689561ed5891847e86de5a3be12
SHA512 9981dda693df529dc0d8c345a89d0e60d9c591dd14023bf09cb3049a1d3f55c2e61813981a77f34e31249fbced1117752bac05988ec3b6586fd0a038487108ba

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 49563b7eab6568baa70c9f26c6b8c19f
SHA1 f38937f66eab0b344b522c43869624c2f7764b2b
SHA256 3cb8594bf633fbd733431a716000ff0cfb348477cd0a2dce0c0a3a182b730298
SHA512 e3ae54ad62df9be94070107ef7fc9505715bea65405b2233a56fb33e304547d794ff624e89f9707e544317550e3e93b21cbbb12f1e80c0582e071df0bd574f10

\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 079b940d455121d80fcc85525b27803a
SHA1 9c9a08b064ce169333483f569eb22e79920ca3a4
SHA256 aa949e4ef2d92aef23f94cc267fea87fcc22c86ccb07a10e52e698befacd9e8b
SHA512 630cae9c2707cfee8e055c691ce50b0f0ff32b69a6b9c025da2e46eb88af6f354ac9ba8bfc31e002f0f385f8a1754aa54407cddee8aa3b2e5c1310c6a6942ee6

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 13cdb2feff2bbd25059e7484b0be73e6
SHA1 e3489fa1d3acfba2eb1153052dd78f178ecfa43d
SHA256 799b8e3075198c0ddd11f571bd4a1ebfce860a411bd63229b15493a58797ac56
SHA512 1374cf1f759c992d726a7020255f774c7944561b4a371519bf2a7a6327c74a020354416429aa091fd9aa2bfd06704dd913bbff54aeb6ffd3b84a92ab46aba590

memory/2028-160-0x0000000000370000-0x0000000000778000-memory.dmp

memory/2028-165-0x0000000004740000-0x0000000004C20000-memory.dmp

memory/2468-167-0x0000000004920000-0x00000000049B8000-memory.dmp

memory/2872-168-0x0000000000CE0000-0x00000000011C0000-memory.dmp

memory/2468-170-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/2468-169-0x0000000073B10000-0x00000000741FE000-memory.dmp

memory/2468-171-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/2028-172-0x00000000046A0000-0x0000000004C18000-memory.dmp

memory/2468-166-0x00000000048E0000-0x0000000004920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 c20fd97d0d469074222e67c30e9fabed
SHA1 70b9c9d6ec17690f3d90c5adb7e04ba8664783c3
SHA256 697894ad04df911f760cb2c0b3d67626e256bba17f704e249287e36fd95c9874
SHA512 21fd70d463dda15fe7798336cba43ae00f4f69f52ee48dff3c945ce08ae443a57aed743c0cf67caf1963ef10de03bb67347dfdf1cfa92ed1974da0d55eafadea

memory/2468-176-0x00000000048E0000-0x0000000004920000-memory.dmp

memory/1640-174-0x0000000000890000-0x0000000000E08000-memory.dmp

memory/1640-178-0x0000000000890000-0x0000000000E08000-memory.dmp

memory/2468-173-0x0000000004840000-0x00000000048D8000-memory.dmp

memory/2468-179-0x0000000002370000-0x0000000004370000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 6a060b710d3db37dbbdf1c94ef16a39b
SHA1 99d2868d0fcbc3131cf020777306f8cf42b3f866
SHA256 539833b078cb576948a5870b73c31bf97cc436b717008dff62aa6730bcb38a67
SHA512 4c2350dd07d0f7444cd3b11ccd789b52f6aaf203a435aab12c2eeb61f992018a7b67cb918232c53445d466adbaabd39859ad0e4351ddb227a9e57c2a504b97fe

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 067c397ba01b684cd7f3ba8492a7dfc6
SHA1 bd76bbd6f246f5bcf834b9c9c4676b3094d5f60b
SHA256 853037c4971a97da36ccf35a715af64d54bf30e60a85fbe1343de440238fbdf7
SHA512 c42893f8cb4be934d4597d6a67d94f43283ff5fb886c1ed55d3d24d22fb944dbf594b87ef75090f8a6095b83b545c69a13eed09128360ea0221a6487c384d48f

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 ee0cbc3489433cba1a6fb6885831483e
SHA1 688f0c6653344f7f654e13e0d0e28584049166de
SHA256 a5e62f680cdb9f519351d4c3be75cc33e16ccc012d9fcbe94474168effb0fd87
SHA512 191b6351ff6ba16e7254752c9e0be1488cfec2a91c2faaecfc80bc8c9d204fbc2d4efacb3b3f9a373bcd2a6152acb48b821f37145bc002a969d635b8cde60efa

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 1baa5ba646d9ac4e700616c7a2c0b9c5
SHA1 5d8cf777bf93abdf41e073f15c46bca069232e70
SHA256 55a03dad8933049af7b553d34879dc23780e8058b242371ef4f3e8246c4afdb4
SHA512 a7dea8f58bb8a6364b7d8559e4cca4d49801d742fde2297a97b5927fb2e51724ecc43b526afd3c6da65796f4fc8532a8c3ae365a526008165c5b7e1b19fef085

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 672b9c9bef7a0a6365689c02281972a0
SHA1 e9045faf0ada88e036746f011950dc1ac09d4be1
SHA256 3cd02023b85d1a15be882c7b7102606e93c942c5d95e8c3443e7c3a6342d67e3
SHA512 dad15678ea8ccce037c9cbb4f085265e1ce5d01690053d005dd48dd471cf38f003a85f4405a1bcaf56f7e664d2a414e29da2da35befb31843c7fd06730a181fc

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 d683f10a72c9db259c95076dcbb959ec
SHA1 26414d0d3710abf48a51ca763f43da77e6ec66cb
SHA256 0acb17024a7db4545f6cb770e2e8447d64c7114bb875258df937962cdc576d0f
SHA512 d1edf7b46515adfd9d427e8beb03ae585dd814bf98f906cb82dbd9a8362a706677af8690e91752904de49949570e911b4d28be78d566cf89fc12b8c931bd4847

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 25eaf5a6c559fcc44fd3704f438429c8
SHA1 bd6ea621c22d70e68398cd13df3df06ff82af82f
SHA256 e515468a71ff16253b7061be85a9f56c7c013f0291d13100d420f6c75c318e0c
SHA512 8e9a90d725c64837ea4eec48f7c5a264476b94d265ae083c908a2d208b834758aa1ff09784fc73fa59083100f31f2cf9d2ad4f97837afc86ccef45de647acae9

\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 9fc87a5b81a043a39e814137ad7e1111
SHA1 5ef772971a550fa7e7c5cfad3c53c184462f34c5
SHA256 93bab0cc116fc83d4e06adb6111adb8c0fb3575b179a0b4b8a742486d2588ffe
SHA512 f264a75baf0b1db99caada41563fce9410da6da66856302f05877740dd217966dfede9f99956ec3ca18ffdaa0071199bfb21eaaab27b1a833f73f9cb4f072b0c

\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 31ca9ee711d76d5f8e8ddb5a92f5aa3b
SHA1 ab7296ece9209d44ff47adc49784eec6a5e8b4cf
SHA256 1e3dd3d062f57a0cddabee847facb822e43d35b2a0b3057aaafabe0c4d10f572
SHA512 8d384edce1f779ea62309346a65e80cf655b1dc3bf00eae2cf010c1fea167217bc6a7c91c7d97f9cce63a28ac2ab357c58cce712fe697c70624a9146a30c3d96

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

MD5 b0b21822b6339ef8b177ec6c5c6eb4fd
SHA1 840fd6200a774297ebd1a8243d59a3767d8bb844
SHA256 bbc5b08262a3c109bb2bcf9deeac651b09c9ad0b6c8e8bec8ea6398370b63899
SHA512 a0d2a847b98a4a09f15cb1c5ab026daa486f760c07e9be76d1f80d0f1c4f8be9696b4b1ab552711d06ae8c959c95274467d5a27ef9e357baf01e40fc9e628439

\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

MD5 042405fa128dfaf2195452593f2c1224
SHA1 2d4bd0658098702def79b94db4fdb0667b782605
SHA256 73dcdfeae492c240ea58eb1af2152b248a86ca53f9867f21102e5403faa2c6d5
SHA512 8e57ce69b2907ffdec6d76542ba2d27f50a2906197a077b107537d55f818af16fed58af72624c662f5b187446f5aaff09f3f9f5cba34a17c17f5351fc23dc0e1

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

MD5 2b1a04fcf2c8429736e6334255f971d0
SHA1 b7c0554d372064f78d4f92d63e40850ca7f90f25
SHA256 806df23a91952389415ef44acd647303a684d26074b0deea820db8d6bbda0268
SHA512 5df005757c0f2ace2bd1972cb08612fa07e1de4e819592416829f2ebd0516b873d45915c914f5012eebff95bcaa55ade0c0e853c612cccffa5a5dd82087367d4

memory/2904-214-0x0000000001F80000-0x0000000001FE2000-memory.dmp

memory/2904-215-0x0000000002100000-0x0000000002160000-memory.dmp

memory/2872-213-0x0000000000CE0000-0x00000000011C0000-memory.dmp

memory/2904-219-0x0000000004990000-0x00000000049D0000-memory.dmp

memory/2904-220-0x0000000004990000-0x00000000049D0000-memory.dmp

memory/2904-217-0x0000000073B10000-0x00000000741FE000-memory.dmp


Analysis: behavioral2

Detonation Overview

Submitted 2024-01-30 06:03

Reported 2024-01-30 06:06

Platform win10v2004-20231215-en

Max time kernel 57s

Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe N/A
N/A N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Windows\SysWOW64\WerFault.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\SysWOW64\WerFault.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\SysWOW64\WerFault.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe N/A
N/A N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious behavior: LoadsDriver

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4264 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4264 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 4264 wrote to memory of 3640 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3640 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 3640 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 3640 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3780 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3640 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
PID 3640 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe
PID 3640 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
PID 3640 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
PID 3640 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2476 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4404 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 4404 wrote to memory of 5068 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 3640 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 3640 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 3640 wrote to memory of 364 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 3640 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 3640 wrote to memory of 1712 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\WerFault.exe
PID 1788 wrote to memory of 4540 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 1788 wrote to memory of 4540 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 1788 wrote to memory of 4540 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 1788 wrote to memory of 4540 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 1788 wrote to memory of 4540 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1712 wrote to memory of 4820 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3640 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
PID 3640 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
PID 3640 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe
PID 3640 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 3640 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 3640 wrote to memory of 812 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 3640 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 3640 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 3640 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 812 wrote to memory of 1888 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4572 -ip 4572

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 1256

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1072 -ip 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1072 -ip 1072

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1104

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1072 -s 1064

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4496 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4496 -ip 4496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 964 -ip 964

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 260

C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp

C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 740

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1432 -ip 1432

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 1328

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 964 -ip 964

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 756

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 632

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 628

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 936

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 964 -ip 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 964 -s 888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 340

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 776

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 536 -ip 536

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 892

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 980

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 952

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3312 -ip 3312

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 1168

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 144.76.1.85:25894 tcp
DE 185.225.200.120:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 120.200.225.185.in-addr.arpa udp
US 172.67.152.52:443 tcp
US 8.8.8.8:53 secretionsuitcasenioise.shop udp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 172.67.199.120:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 52.152.67.172.in-addr.arpa udp
US 8.8.8.8:53 168.213.67.172.in-addr.arpa udp
US 8.8.8.8:53 120.199.67.172.in-addr.arpa udp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 52.137.106.217:443 tcp
US 8.8.8.8:53 52.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
GB 96.16.110.114:80 tcp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
US 8.8.8.8:53 203.241.179.95.in-addr.arpa udp
DE 141.95.211.148:46011 tcp
US 8.8.8.8:53 148.211.95.141.in-addr.arpa udp
US 172.67.182.52:443 tcp
US 104.21.47.178:443 tcp
DE 20.79.30.95:33223 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 95.30.79.20.in-addr.arpa udp
NL 94.156.67.230:13781 tcp
RU 185.215.113.68:80 185.215.113.68 tcp
NL 80.79.4.61:18236 tcp
RU 5.42.65.31:48396 tcp
US 8.8.8.8:53 modestessayevenmilwek.shop udp
US 104.21.78.62:443 modestessayevenmilwek.shop tcp
US 172.67.152.52:443 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
DE 144.76.1.85:25894 tcp
US 172.67.213.168:443 secretionsuitcasenioise.shop tcp
NL 195.20.16.103:20440 tcp
DE 185.172.128.33:8924 tcp
US 13.85.23.206:443 tcp
US 8.8.8.8:53 udp
DE 185.172.128.90:80 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
HK 154.92.15.189:443 tcp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
DE 185.172.128.79:80 185.172.128.79 tcp
AT 5.42.64.33:80 tcp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
AT 5.42.64.33:80 5.42.64.33 tcp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
DE 95.179.241.203:80 pool.hashvault.pro tcp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 13a0306d-eebb-4ab4-82aa-7d3cb005d643.uuid.realupdate.ru udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 server9.realupdate.ru udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 8.8.8.8:53 stun.ipfire.org udp
US 162.159.135.233:443 cdn.discordapp.com tcp
DE 81.3.27.44:3478 stun.ipfire.org udp
BG 185.82.216.96:443 server9.realupdate.ru tcp
US 8.8.8.8:53 44.27.3.81.in-addr.arpa udp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 walkinglate.com udp
US 104.21.23.184:443 walkinglate.com tcp
US 8.8.8.8:53 96.216.82.185.in-addr.arpa udp
US 8.8.8.8:53 184.23.21.104.in-addr.arpa udp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
BG 185.82.216.96:443 server9.realupdate.ru tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 172.67.199.120:443 tcp
US 172.67.182.52:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 173.222.13.40:80 tcp
US 8.8.8.8:53 udp
N/A 88.221.134.18:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 96.17.179.201:80 tcp
BG 185.82.216.96:443 server9.realupdate.ru tcp

Files

memory/4264-0-0x0000000000580000-0x0000000000988000-memory.dmp

memory/4264-1-0x0000000000580000-0x0000000000988000-memory.dmp

memory/4264-2-0x0000000000580000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 dafba6b93e117bf5477c56a3a30a1a2d
SHA1 9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278
SHA512 eaad64b17f84bbd731c558db139f11c78097070194606b4cc9993538cd73a6b3e00af9a403ba8d61be9287b6945264e0043df34de4d0e81b646ee052c0cd0fcc

memory/4264-14-0x0000000000580000-0x0000000000988000-memory.dmp

memory/3640-16-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/3640-17-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

\??\c:\users\admin\appdata\local\temp\F59E91F8

MD5 3853abb35ab617a117144f119cdc9808
SHA1 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae
SHA256 f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef
SHA512 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

MD5 3c9da20ad78d24df53b661b7129959e0
SHA1 e7956e819cc1d2abafb2228a10cf22b9391fb611
SHA256 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319
SHA512 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4

memory/3780-39-0x0000000000330000-0x000000000039C000-memory.dmp

memory/3780-40-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/3780-41-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

memory/4404-44-0x0000000000400000-0x000000000045A000-memory.dmp

memory/3780-48-0x0000000002920000-0x0000000004920000-memory.dmp

memory/3780-47-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4404-49-0x00000000051E0000-0x00000000051F0000-memory.dmp

memory/4404-50-0x0000000005910000-0x0000000005F28000-memory.dmp

memory/4404-51-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4404-52-0x0000000005330000-0x0000000005342000-memory.dmp

memory/4404-53-0x0000000005460000-0x000000000556A000-memory.dmp

memory/4404-54-0x0000000005390000-0x00000000053CC000-memory.dmp

memory/4404-55-0x00000000053F0000-0x000000000543C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 21b3cdb66660fadba45736665a0ff154
SHA1 3b23ee37190aad70e9010fa08c5fcb394f020a9a
SHA256 8c582dc3a0be35110a53c40dd83fa69f31302a458fe8a3da513ae7a2e4515352
SHA512 a8d15c75ae291af96cac9dafa35ce36b7e7a9618b3078f1d5e0ed32ac5a2f385268a92f6f9e411f511c8ebd7af19629eb6bac45a156e7c0702d3ddad90cb252f

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 8240b06252f50573a3ae42e8dbc7dbbc
SHA1 ad5669c34897063f2e13491f67d9976026de467e
SHA256 56dad02abd308d5d8a7b894773d38aa61b687fa9c84165fe18d377a82cfac256
SHA512 25977c6dc2048a5d786be9608b999dc263095b95cd20a599b2f121c7859ea72984f499fa71e4aeb0b1d50ba3d89edde17a6c89992a1027c77e03088f985c0e59

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 782bd79a7233083a0dafdf6d832b2f4e
SHA1 ac6455a1b1e3d57bff0df9bf6b6f715d9c7db530
SHA256 04091af6d56ac3bd3b8d704c1b0231e265d77b437caaa115d33ff479d814b602
SHA512 8f1426a46e564777ab9b55801d9222aad43e44b9bef7d1d0de7948651a08f80865f5c0a0c1d052bc2a13444810b4118e047b74914584fb82db25abcd8396f4d7

memory/3352-75-0x0000000002CF0000-0x0000000002D4E000-memory.dmp

memory/4404-76-0x0000000005760000-0x00000000057C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 1756062967375c5e57de7c7cbceb1def
SHA1 3e092dca1c558b2c0b5e43065a7da744e543ec2d
SHA256 1075c329f6e324dcc573e5afe11f771fc7ea50bd72cfa031b81d3fd0c0af8280
SHA512 e1d246835172f00c2e64a55d0389d6b5e441614fdd15bf723ec82cf931dc507cd41d05b80a419f45b2bc8fcd03632371b646c4ca1e5d8af21da330d28646f43c

memory/4404-87-0x0000000006290000-0x0000000006322000-memory.dmp

memory/4404-88-0x00000000063B0000-0x0000000006426000-memory.dmp

memory/4404-77-0x0000000006730000-0x0000000006CD4000-memory.dmp

memory/4404-92-0x0000000006570000-0x000000000658E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 4feeb9741d58f2aaab11d6788e637e0e
SHA1 8fd5ffe0f34c0209fdca2a0edf2643cd61dad9bd
SHA256 961a18f14f1175d3ffb55d986f86619aad60c6d8827efb7a405dc2db40a5e345
SHA512 c24f0d3db52fe65bc18a2b18046afac48983bc6ba8f6038e87ecc3d01b8b11e0decb969da348eb5caab590d23f864133556af2f7c0e066590895419844ba19a5

C:\Users\Admin\AppData\Local\Temp\1000753001\redline1234.exe

MD5 11c0ee9bbb98d3e4b72e545f1d12d37e
SHA1 d7894a42ca6e95f4d7c516a9c675d27c9bdb6f72
SHA256 66147d8610339fac3335a1d04f71ff679e912c07c0b2f179c51671266478891b
SHA512 8c6a629ca33170d6620e1d8ee7b4c37f60074ffaa152d3ea7f8d0dbfd8584c205aee7cca4cdad768c5bf0a8e8f95301e9bb18108a9930046c24c4caca1230755

memory/4404-97-0x00000000075C0000-0x0000000007610000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 2ab9d92e16694f0f626cdd866fee7627
SHA1 09ced5a8452da7476f066324b1fc19a7d0d1f4b7
SHA256 8bf7d914747e3144121f48c4cbc9b9f0958103542618cb772ccb5aee4b358084
SHA512 6dfe227412ae474254100f4cae9f00da135f262c74feb2ec3d05c07d06ed46ed8290bc263fed4cd865ed04b5ddd88fc2b9e78e94e5496b7720e0329225a93201

memory/1816-100-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/4404-99-0x0000000007A10000-0x0000000007BD2000-memory.dmp

memory/1816-102-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1816-105-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/4404-106-0x0000000008110000-0x000000000863C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 48f6447bfc32b84fe9b3bcbbe5a72922
SHA1 618c2f541fd9b79004303556686b7139ce8cdff3
SHA256 03de9d2ce591a18948bd6f45b3c7d527dff03f5897f49e1ff3cfb189e910ba1c
SHA512 8fab4e98dfe1c5ee58341b634d763f6d54d097ecb29623efde49a220eb608a2a9d06a08eb01fe844949911cc176c6882103cd10dd9555d9456a6cb8fc3ca3fbe

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 cc5f64ef514b2c1e2eb625bcd90d862e
SHA1 e43c5f1e8f5a90b276ca4f006096b4b6ba50d2af
SHA256 10b1bb81fc55c680fc4d26762d6280bc4365d190844502458ab392002784488c
SHA512 2b62b88a03cd788d80b5d504815c591e5ec565b2d85c17067674a1fc4d38f1d1c5c09bc14306fa52293db1fceae9e5ef60478c1e213b4a9023827596f7b0cfa8

C:\Users\Admin\AppData\Local\Temp\1000754001\mrk1234.exe

MD5 92fcf86b51e867d825fb7f2b641dd496
SHA1 d902278a9581be8d05a256ca406564c4c1d8162f
SHA256 fc50eecf117651f2ed01b45f05060873c4659a7bfef44ae64c9e11588b462c74
SHA512 a274a4dae459e3fe5e2d14fd097675120edfb88e5553309ac42d53f130e69eb81c6938d3bc9753d0c4a8c375947dd041f5f2cf8595a83b02e6fa7b887352225c

memory/2476-136-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/2476-137-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2476-138-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2476-135-0x0000000004BF0000-0x0000000004C88000-memory.dmp

memory/2476-141-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/2476-142-0x0000000004B40000-0x0000000004B50000-memory.dmp

memory/4572-145-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4572-148-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3640-140-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/2476-139-0x0000000004B50000-0x0000000004BE8000-memory.dmp

memory/2476-151-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/2476-152-0x0000000002590000-0x0000000004590000-memory.dmp

memory/4572-153-0x0000000001390000-0x00000000013D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/4572-166-0x00000000014B0000-0x00000000014E2000-memory.dmp

memory/5068-167-0x0000000000410000-0x0000000000418000-memory.dmp

memory/4572-169-0x00000000014B0000-0x00000000014E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 ce7e7642cfc6aa2cfed843b615ad6053
SHA1 1e7483ea2c68063b0a088a03e29dd2231443394b
SHA256 d4508b74c36711a4cb2f60f7e835217c7f82a1f50a97cf5ac3241b9259e9c43e
SHA512 e7479f08a1997f92c0d49367356e1d8b5a4181c4da4277c93bf55b33d27db8634d4551f1df99b2db0b739889ef5b3ac78cbb77d9c707b4424244f34ce97b8e78

memory/4572-163-0x00000000014B0000-0x00000000014E2000-memory.dmp

memory/4404-179-0x00000000735F0000-0x0000000073DA0000-memory.dmp

memory/4572-156-0x0000000001390000-0x00000000013D0000-memory.dmp

memory/5068-180-0x00007FF813D70000-0x00007FF814831000-memory.dmp

memory/4572-183-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 46107703f19a352a0ff8c8f5243b4389
SHA1 a9b36a2e614a422346668018852e608f02dac9f3
SHA256 beb2903dc42fa9120cd3f082ab7112c2fd0a54d04c555c778ac5a2e95c733bef
SHA512 28deda1315a53fcdf7288bc5c7eb965f9bac0ef30f1ffee32bd042e658e1ed632ff0236ed1b133827068f5375e219d0b5f9d8bb1fc233767771c7fb6b6bd2782

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

MD5 5d0128c066c20f4d6bde23e12365b0d6
SHA1 44657ac3f24e4b243e4c14fe07f100256702dfe3
SHA256 fd795614970e7cff0ae2c2733963c0d9689511bf79461341a07f31ac02754dc0
SHA512 b43dac4a615d90e64b740b4165cc6c1be00705cf5a3e210df67f45e7df0a394d9cbe96116b8e118930ec0a0ce2084e420df812815f6406be7379793a0ad78138

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

MD5 be7d728e4c054a32cb8df2df0b89b372
SHA1 9ed79e08d5979c1c8af823d2e90d596284f1730c
SHA256 a40235a6455d5d423f673c0a442c712241d55e78321d5e52c65f9d23303a7673
SHA512 d35cc47350044d38fa07141e7af7f55ffc4d7f7303f7efb1944b5eb4f9930d6a4ec1d471428d14764b509c32adcdfb7c042d91cb389cb11b8d4b8eb52686bceb

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

MD5 810da00c69d55e89dca3bfe9a6f6a420
SHA1 ca02bdce48ac20f7b40ab720079009894f369990
SHA256 64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80
SHA512 453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034

memory/3640-224-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1712-226-0x00000000049B0000-0x0000000004A12000-memory.dmp

memory/4540-223-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-225-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1712-228-0x0000000005000000-0x0000000005060000-memory.dmp

memory/4540-227-0x0000000140000000-0x0000000140848000-memory.dmp

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 64a48e48fc058204464f5ecdef31e2af
SHA1 cbbf1fbf923fa8c1cad2b6f749bbc2023b42a859
SHA256 6e2573c49c6af020201d9f797552bf72c1c77ead8699ccb335025d99b1a587eb
SHA512 02e4ec86a520e3241ab02a766f8a3d45180e477047b53e56c6fabca2e29243dd12a3e3220aad3b4c50b71805d9ac18e1dad7760a4d72068555b5c4b6b392207b

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 e593f9f9987473036d1791b3162563aa
SHA1 ebc39c3639c2804f1c5e9b937ff22a69bf10d249
SHA256 aab3fd1ead51c67792ef40e1bab04bbf3abd1b3bb9e742883778c3b5d6bd31bb
SHA512 7d3781978db904e0953f504ef3e91289685fa686c5d97ecea051ab2472bff16ef1301b9510be441be61fae585bd07f29e9decaf2982ba1855d4b28caee28b5d5

memory/3780-231-0x0000000002920000-0x0000000004920000-memory.dmp

memory/4540-229-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-230-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1712-236-0x0000000002320000-0x0000000002330000-memory.dmp

memory/4540-234-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-237-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-251-0x0000000000990000-0x00000000009B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1712-241-0x0000000002320000-0x0000000002330000-memory.dmp

memory/1712-239-0x0000000002320000-0x0000000002330000-memory.dmp

memory/4820-238-0x0000000000400000-0x0000000000452000-memory.dmp

memory/1712-235-0x0000000073480000-0x0000000073C30000-memory.dmp

memory/4540-255-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1712-257-0x0000000002570000-0x0000000004570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

MD5 1bc668e7b4a0125a1e47b542f8e76d91
SHA1 29351bf900ccd0f048da907358a3febaa64c8fe0
SHA256 2aa267a8bacfe85ea74c7d19756ea8d6e096f75eab21e6ace12dbe60c8ce371f
SHA512 9170225a7988d576837711ef02aaa25135d748c6e6d75c18984b22bcc0fa5363170b209abb82c9611226b7424e78fd3558486cde115d3b62290d612f145a6d7d

memory/4540-256-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-265-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4540-266-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1305705ab4eb7a8ff5a73874670d91f4
SHA1 a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256 d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA512 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

MD5 f7784dc12d69a586a6dda5c8579cddc3
SHA1 b8652830113acbfef679da8e35f6abc62c45ed49
SHA256 bdbad6ca84ed3de37d5eeaf173f7ead6013338f4a07af42b2167aec0467a40c7
SHA512 69bd4e94bcbdc3e6851822eb61d16bf9c472700b6f382f1232e08c356a655f2f097db5e6b765903539b252b57a36d8549d3d85a0b44d060e692e2883aac00ad4

memory/1712-270-0x0000000073480000-0x0000000073C30000-memory.dmp

memory/1084-272-0x00000000051B0000-0x000000000535C000-memory.dmp

memory/1084-273-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/4820-271-0x0000000073480000-0x0000000073C30000-memory.dmp

memory/1084-276-0x0000000005000000-0x00000000051AC000-memory.dmp

memory/1084-277-0x0000000004FF0000-0x0000000005000000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

MD5 84773bb9bd7e1306b965928fba6455dd
SHA1 6a6dec2ab38262374b68faa0bf35ddacc6180dae
SHA256 bfadbc4525b44560fa291135344e14279fc18f2b1e5aade05e86174a788103fd
SHA512 c387383ede84fc814920a3d9b3219f4b38f97f4ec9d657a17a70a28773c62292208e7aa5b2a00861a9bcc0a9a809dfbf4a87b03e0fd9062704700a0a2c781646

memory/4820-275-0x00000000051C0000-0x00000000051CA000-memory.dmp

memory/1084-288-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-287-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-289-0x0000000073480000-0x0000000073C30000-memory.dmp

memory/1084-298-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-274-0x0000000004FF0000-0x0000000005000000-memory.dmp

memory/812-305-0x0000000000580000-0x0000000000602000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

MD5 4b2ef4a7e1405871d4b949bc931fe3d3
SHA1 a4d89294551c5bf709a1f78094b810d83ee3d76f
SHA256 7bed0d2c23c8b62c9d5d8e464abcbf6ad605e2fb63e812bcdf03c098b5659d3d
SHA512 eab8a794f14371c5da53e69dc870f3c5b785fbacdd724d036c85134c800b993daba9fe96fcea95b3da60703d9de605e8422c3a82d101b29a54afbe7724e7d6b5

memory/4820-303-0x0000000008010000-0x000000000805C000-memory.dmp

memory/1084-307-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

MD5 0f72d96741104aafe69e16df5297156e
SHA1 aa907d828f9cce95ca785177b90aac673134d401
SHA256 913e3d085a0f83ec0a848d3c6662679de6b36c0562bfbe9149d2fde0d661abd9
SHA512 3a4d70467c01f708a39651dac048647a8750e85638298fd2d241567bd0fb81f1b1bdb8d0ef6b7d1a3a6e323db456a4944118de5b26973ba098c75587e66f03db

memory/1084-311-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-301-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-313-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 533d3519e44987c0d817571da9e2dbd6
SHA1 b08d928be38431aa3e2b49f5049054b92e25c15e
SHA256 b4d0c3c2c3c44aae42d6b70af00ba91259336a83685db65c7da3e3801cc971e2
SHA512 5b5b0fc8f5c508574e6be2480eccd5158cff475ee8aa917d43340ee0b19883294bd5f103b7c47ceb36efa3904386551d80ddb1eee068ad42a95b5dc1f867a9d4

memory/1084-324-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/4540-269-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1084-334-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 9a2eca3a996358b1a94b2a124675d9a1
SHA1 76e524a27da50b4481b5f7bd0a0e84f7ec8c49bd
SHA256 669ec335427c969b7554f7e8ce23ee2755e53946c80407cd00afc54c68b28ba1
SHA512 8522429d903ceed44cf069c43b24ac6163ff5b391deebefe3923825528735103bab64ea9c9ff577b19d511474740c366bfd1d965ee87ffacffda73886e55a4a2

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 4ca7cfff3f4626013ed0f1c4a6a2f7b0
SHA1 eb8b9a9d56babae1a7c2c85c68046f346f950248
SHA256 29d35ed0664e368510ffe9b2ed769fc6345110fdf2e20cc731ff9bd694adbe66
SHA512 4e2214927f3acd7fa6916eb336eae04787d9fa89dc2235e026685ebd54e0294c82540193898b54e8cd725a9b2d7557edc410f8df0bb82de007a3713f8dbb2646

memory/1084-341-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1888-343-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1084-345-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-358-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-361-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-374-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe

MD5 93b99d7cb16108da01740ce7ba4c7e7d
SHA1 3fd8da9cef8bea3b9247f289be2f2fdde2894cf7
SHA256 e9b5e6cf61c6752d41b81ce892e129af840e4d1b4cfbc4f3999185b407748eb9
SHA512 04c0657d2f12134c4b7cb184f4e73c0aac2986825babe1ad4bb0efb262014a201265429f62a983c423e31f760bbca65d7850f851492540b29345a8a3e4082ac7

C:\Users\Admin\AppData\Local\Temp\1000760001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

memory/1084-389-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/3640-392-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

memory/1084-400-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-407-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log

MD5 84cfdb4b995b1dbf543b26b86c863adc
SHA1 d2f47764908bf30036cf8248b9ff5541e2711fa2
SHA256 d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b
SHA512 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

MD5 14838158250b616353f821ee351eef2d
SHA1 4f95a81a47cebefbe5b61435eccddf6541d19536
SHA256 ea621488bc8834b1cd59ac1d333092ce511b2c5f561d09f0713dcf42f212b615
SHA512 fcc348c29776da6d4f5573f19a33b3a92c1156b2356b54ea609939379a598ce4db834d7acc7db0561fa0111f5c3f2d50c17a7f4e8e98a9ceaab373ce3efe123b

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

MD5 318da36d542117eae6ea120fa8c41e48
SHA1 5e47b5fc97c181eb9e141da7223cce9011730ab6
SHA256 fcca43777c193e75099357933c4bea850cd81a202bf3b9914799f9a431212a86
SHA512 5854b2838cffeacc8f439801bf76eb2d06dd3544eff0d2a6835712e9cdbf1510de674cc7475580ab9be69b79c6aa67f3ab8bc59657c262916c0de0b48ea6e5ce

memory/1084-410-0x0000000005000000-0x00000000051A5000-memory.dmp

memory/1084-414-0x0000000005000000-0x00000000051A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 6dc8a46d8bf8b88649b73f55e3eca7b7
SHA1 198dbcece164dec90bb14248a311d4d261dfc009
SHA256 47b1e535822bc9ce9fa94e2c758a927162381720132b942b645e9bc8de3d695f
SHA512 5802b33c9a2885dc39ea3aadb758f92d4f468a6f82b88eb7e16eba5a75776cd6c45a3a6c8183f9c4356dd048d5e0de6ad9b162bb6e9c738716f7752e960ef05e

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 2f199b2d3b35d52e1910ffe65fe55cf7
SHA1 7eb7e965842cce28c5045725aaecdd9f10fa4f85
SHA256 b8b9f562eaa9c64b2f7d141e655027fcaba3fb8d2e3aabac4d0dde0a1161a062
SHA512 5217aa85ded85cbf16d0a5f8cf332e0204777fb0877bc4156f43c57b3d6d4088baa473c291b563f8326b39c593aa1ac17ae16440d51ac6d1f9c2449e84e7916c

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 47cc6395af087812be10774baaab90f0
SHA1 4fa7ea7b1843b3c4d8c742b25f86fd66ec7a10e3
SHA256 fb3eaff4b0e3727c3e9b1fbdef587e785b556ef093f5fabd602a882759c908b1
SHA512 88d098e14025296ee995505ab9be457a5b2311d34ab7b65b5e067f1bb69bf203c3b38909bfde78afc68da08edb55f49aeb331e434149c7ccf588689743bc4e55

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 4c69c60b347e5a861e4ba4b57af40b5f
SHA1 65fdae417d4ab98d745bd5cb6af8bf2c177f5e0a
SHA256 97ecd71283f795e56f75f9d4df69fe267915cfcfda77f0ee69a219b8bd42bf5d
SHA512 2a212ce31646d3e37dea9825369f260324fde43278624ac5bac4a60667f64e7739efc35050b271d2883be1f634b2c5b82e7128dd5eef9678da59514d4f728a82

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 332dc2c8681255db1d421b2e1dc1316c
SHA1 9b92ac4d76590febf20e85c5deac0fd426a88917
SHA256 9d1067569b52e6a72093bb517bbcccc1d6964451c2a24c60d5beab4743d1eacf
SHA512 cb4ea9fa44aa923511910894c806bcc0488f84bf6cd8d756f7711e0c4dcc8ae1981010dc09c8f4188667a92e9c58f3f65b105615a6880b97e11a7cba0fbd063b

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 12c75eb915a110e10722cdc66e709c64
SHA1 ccc7133274bf68e8df8ba3f3b3e1110e50661c4d
SHA256 18126c1f6c048a13038f94624c831489d73e499c384ea232df503c2b372c617e
SHA512 b0ee066d413bdb35824753bea7ba0b3accd6ac5cc46056ea6e0df98a784e4422ae18dcb0636cc0365ff903daad5044b207f48af86715725f863a668e14badef0

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 3058f10b2fe431d9f8a487a35cd89ba3
SHA1 adf31cfada940e96a02305177bea754d4ee41861
SHA256 73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30
SHA512 4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 794cec9e8db825915673ea52be715a17
SHA1 1967650874fa347cfd1c5e762db8a85013694729
SHA256 686eabd2374cf5d68ce415aa960e0f2ad2a1ebdfe7c47fca5011ff2609d2d27f
SHA512 7fc6275effab7f1f1b50283175e8fe9c498bc6ee5d6a67f1c98c978f4ff6370cc9842d779d96d14d09c5afd576a9f4bf2fb4f9c61ce0026d342d66fc9a4a79ab

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 5ea776e43112b097b024104d6319b6dc
SHA1 abd48a2ec2163a85fc71be96914b73f3abef994c
SHA256 cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341
SHA512 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 7c67997e1ab6c59d1a55fd548dc5dd2b
SHA1 a74e25e6b35a482331391125f97b509cd7d7da90
SHA256 629c6af26f47c12b30d3f08e9d902d7727aabc46a3daadf3132b5e9e79e0c1bb
SHA512 da8c57d5a24c1dd390c1436997ce8432d62630ee49c1ea8beaeb33472e99e511a1f9a1faeda51631f8699609862dbb3075fff22b9f5a3ac79ed9efbc36b02df6

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 484dd41c0ac2b855a786ce79ea15e4f2
SHA1 1c57b7737ea40859655c65447bb137fed257f239
SHA256 48fe7600b68bb298be12565e9085913fab1448bf45ebc99bb3e3552bb36ce62d
SHA512 84cc87b7ada36713ef5e8ccf2fc65b125aa68f4de087b137bc78c800fd444d0b3630e68066ea2f3cbdaec1475d739028db629ea7fcfe53bae0f1d70f9a66fd6b

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 bb148ae4daa2331b15689a4197344217
SHA1 2aad9650bbd7b6a4ca57162cefe2d69a3a0c23dc
SHA256 c741d8f3345a64dcd50aac9896125a264d5fb6fe265de4e70e64bc80d70e1598
SHA512 f40d4cdb7dd250ca2f6dd8bb92a2dfd3f5b5af031c303491f0039f7516e2a2602ded6402df557754adaeefac9999351891cf2e0b486f0093f0046618ded07d13

C:\Users\Admin\AppData\Local\Temp\1000764001\moto.exe

MD5 9b76168059e86c2c05ced61d6b2f5895
SHA1 c567e510b758c3475f70a5916c14d8162160129d
SHA256 122316a895eb278f69276374b0e3a20186dc996033c898c3852af6e0bd26d482
SHA512 bdaaf370d4f76c87e5517a7ca9d788be8a57108af5a18bf819b1dce90af8334d85858dab0c704f813f27e1c5da7463373bf1a275a14da673e200a5e515721190

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 406773681ddaf37c14aa7f2a743ab626
SHA1 a0186da6dfb9a8f3c2a98092705db8d9a0fb647c
SHA256 2cdbd99cfb1f63807aae89d43c8dbfd283b0e67cfa7020d29bff937167becdf4
SHA512 58d1caff1a84bcc39d8a4100f2593f5b863a0ce3add96e2b1991b928860702f6be17c21791e66467209c2fef3b5d44ea219c828f34e4ea31abe0bd805e7291a1

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 a5f696f7347ad8affb60e6bf7705b38d
SHA1 854b2df5a766a94321753b9efbbf7c900c296a96
SHA256 fcf542a68cad00eb4816c66f161baee7f7189961255d30012c36fea3c3ee2673
SHA512 8f510ca7da1ee5b59f810360f2aac93806b4c10b52baf1a02fe106e51301f097200cc8cb2428893f3ddaf52e449d2d37a4ce410fa2c4f5eeadef9b8e15eed874

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 d56381ea0f2e4f38e6e86de163897d9e
SHA1 d65075048802324f2bb75008c56fcd2b6ebf5dcc
SHA256 79be6077a86ab039eb5d6b97c9660084ae072b8cd5b1cd97211d03a6afa951f2
SHA512 8144b3f28b75c3e0ebc364ba54392b5d311867e1fd759086342b1f52b7c885706a763b799f8eaee9868258114e9516ad97b7142978a661540fb0f3486aaa0224

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 16dadb34182cf37ff26b7c9a3acf755f
SHA1 f22558c610bdad9411fdaa6981e2de1feb197801
SHA256 1ba9280d440c54bb8469dddd6ede6755203348ea539342151fce225357fc146f
SHA512 64ed7da22e1ba873ae1094210d7923d928ef0baabf8330ea9c2ae286a7c1ef2ac9d62806359bd0c2a38134043364656767c7fe3a8b3e7c0044b48869fa53b1fa

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 3e1032fee91199ec67322a59ceca9d80
SHA1 e29797b426190364adca88b05435ffd2394bd503
SHA256 2c066488dc75a5429a9328ffc099aa3017e6b473c314a53005c0f6dc3b238afa
SHA512 7c396259844b336fb406104afd9670f4b77b775719b2ff3c20ac56818bedb8327432d916650edbb6a4cba90b4ab98987036f9db469919227536a5827e2618256

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 1d3976879d2a98ddbb49151ef652c3d7
SHA1 3b17be2f1a63eafe589911b7e6461b9b94e9f424
SHA256 f7cd23f9e6b47e319b2dd8d96acd8b57a6989051367065f973f463d70bca9c50
SHA512 b9f77d933f6dde3457cca2c6e5ce7da9d8b0dfb3d68bc8b977dd5df485ad52cd487d52cd838e9d6f37701ccf67bdc873bc0bd02c918061ec9229f414f67457e3

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 0857eb718ec9afa477d59a64bd5efb34
SHA1 3ba85e7d9d15404b73768dadcd0640a8154863d4
SHA256 cc0e18045e21b6b00059083c630f090bda1b3e71abfb45677d7d1ab44f76bc2a
SHA512 a6f2e5f07645e3bd7f6748ca1a097d298eb2d9adf6b07c060a6b6ef17eb3d25c3f75cdca2ac63d0239ab8b45ff14715b567206324b64a5b42c990317b3a5d439

C:\Users\Admin\AppData\Local\Temp\nsb914.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 cc48a6eba2c0ed0002ab92d5c93fbc08
SHA1 df8bcfb71ec1ee3a48c6e6ff9b522d81a5390b4c
SHA256 4ba7fbee4cb981b8b6c621314bdd822484817c72f8266ed9ec240a09449b02f5
SHA512 99c229faa952cd474f8658fa1b45c3c11e1a7a7d41a0f9f37417b8a72cc50d33bd79fd50eae9b3e922cb3cf4ecccb6c91795fdf5fdecaa201e36f506ce6617fa

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3086775360ce33afb7ac97271b975751
SHA1 5cde3365a925d625ae557876748020e156d7e01a
SHA256 0abe7997f8c971b7e64150258b143e15e2956c8cbf871c3828c041338785e36e
SHA512 b23b9fabafb078b0d877e7c542808dd95870af7987044ecbe3a2cea3d578076280bdbaebbdfc401f184447c5faccf769a065be2cc4e78fc8954201d0ddacdd1e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b6b18dfb2eea7955e77319e8888ae296
SHA1 a069ffac5cc49f99656ec2654cc7359f9edb5ea1
SHA256 66c247dfb7da266647c8544baa274070d91b50e4aef6f85916030ef67b980675
SHA512 fbed0a0be1ba13202d56b70827653465c6b4ed13ea66044336ad8c933b25a3b31654c8a284669bb1991415dcfe4f0bc791243b0c45e495dc318eac5308d8ca14

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 9ee899895acbfd9e0c34d5a5b46b6205
SHA1 0e7be92b824f98ccbd37fab7affb8c9efdb1ef5d
SHA256 e85361387ac726f8636ac24e9027a92cafad3a8d039a7a8809f76e0dbee2c7a1
SHA512 1e10169b60d623c0acf43a2196ce1e75dbc72f8a8458cd4c205aab01b1437764bc0cde0e53cc6140c03934ebc717ea54e55de13df423986074ba1b68220fee8f

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 3a7936f508992db4c82bbbcd0554897e
SHA1 9a9aa0d4a4af4eb16339c43218ee83386c71ca03
SHA256 9a8283e40a20037f14c4b8f1885ce653e70790efa7ce2f4b420b8d15d4add252
SHA512 9e0250ab4ef52f7f9f788be8ad542c4276c30f893ddea5b6b8cc6d5d308ede8e9da0e45ced24dd5faa016cb62edf28e0b0a6113d9bf5e7ea73d164b9c489fefb

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 84d7c3f3863cda5065fd83d35842280a
SHA1 3d1f69135752845b8fdab448d44f4d5e06fd8ddc
SHA256 684539de7ac46e0aeb57d7bfe372b55933222d1b52cbe16b2d1650c16cd5e79d
SHA512 f3a282e1bf14f6e67e3e3635f923bf5e827ea60b4ad8818a87818d06a5f23246b8e9a5a31c117d38d124300c617d496e62a295ea57a1eeaf3067b61f73b97a9f

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 7ce61f14584011ca6e799b88e3c7c65f
SHA1 a2174044738768cab128597deccefca62832ded8
SHA256 8054549b7f9650a44d781581a4ddc4ea8d195918902dcf904a5858a245b29c8d
SHA512 54db7c046f849800cf47d5a68446e1e2c0fa610b5a7acfc992e6a33199e61b626af838a985a14e4021ea80edf3e045e53e2ec7856611207951864daadc2d89cf

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 a1470335c14e84fd1f158878a5776ae1
SHA1 98ff4297b83233ce26c0a116abe76312af645398
SHA256 8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5
SHA512 cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 d6fae01454cb734aed85ff8ee62e098e
SHA1 2de1d99906151d35e7a953b3e72800d030697bca
SHA256 2250b981416e1077f42664fa6bbf2d082bb8b6a7c7e5175d8455ddf72b6207ff
SHA512 cf0fda17af2c714ea8e183ac4bab673a2dbdc53fb675bc49156c5b70d0f0a20bd3b346532572d0483c285a40f1f5b390181d58859962ca318053250b02f1a887

C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp

MD5 abcf7804c518938c705350fb4f7c93e2
SHA1 957958826c15b71f99995cdd1d599706e9c86897
SHA256 f79b7e675422dfe8e52c36f9efdd5f21fc337a3836e5e4bc626b28ec53bf4dfd
SHA512 fd7c3cb085f7a5a9d263c9dbfbe2742edb3e6df1584c2ae109327a355216224f02772590897e40f59dd8fb2d4d03d32656bcbfce8d9682664adf34abb89683b1

C:\Users\Admin\AppData\Local\Temp\nsa1356.tmp

MD5 6fc891fa64027819ad3625d5b2ccb25a
SHA1 c81c8d355cb7a3083e868197532fb85be0633793
SHA256 cbfbee6920c03d82a2e13f3a5e3f33f7457f875afce90e651d791cd56f8f8f7b
SHA512 48e16cc6663b4080574b6beba6a2893402c6fd2aaacfb6b4c6aa9869486011d9ec0e4861649e019e664f7b1ccfc838f2982d0804f6997146b855a8b4ab128c1b

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\nsb914.tmp\INetC.dll

MD5 82fef98c93873c84201d7c470ab7a5a8
SHA1 0bd913811db221efc9b1b5391e3eb45949b6fa4e
SHA256 906fa5e581bb91307be26ce99ca9fe2d96da4f82146f61dca6f596b8e1144819
SHA512 c78f75ed69c263d3812b3cd30156163cc133d2751200771d4a4c2baa0948354ee7e14d9202565cc66e3399921b212237d638b0d295dbe1d0f2bfbe03e1023dbc

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wtqcwle1.zhm.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b9fd85bc156db52c72a9c4583761d028
SHA1 c544a7926dc7639dd30ab5b687c886a7a22b736f
SHA256 70f44c49eaee6e8bc17570fdda58e9819e6615390753b07dd36c7f75f893ac53
SHA512 e443dc95fcaa01fc825161bcf48963836072350d0b7ed61f3c2ea87d5ecbc44f40de5ad8da45e1c88d2af34f8110563176be5a9ebd06b13c00c7e102a027d2af

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 a8184b1cacdf7b45acf203cdca1f8350
SHA1 70dbd34716bbcc3c39ae2e66e94585f4c9dcc3a8
SHA256 e435cb7a53481a934ef04124528065b2787c6e4b14746b4396ed3dfc12c61b7a
SHA512 26c4ee726a7ac14337c9f774d2e386b8609c5d417e9115886dcd068eeae70a0a5d6ae62dffe134c1c3ff63bb82886a390aff50b1309ebbd2b472605acbf736a5
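The listing above is what the sandbox captured; turning it into an indicator list by hand is where mistakes creep in. As an added example (not part of this report or of the sandbox's tooling), the Python below parses entries in that layout and raises the four things worth noticing in this particular listing: the submitted sample's own SHA256 reappearing under d887ceb89d\explorhe.exe (the sample wrote a copy of itself under a new name), the same path listed with several different hashes (1233213123213.exe, redline1234.exe, mrk1234.exe and others were captured at more than one write stage, so block on every hash rather than the last one), a drop whose digests are those of empty input (the first alex.exe entry is a zero-byte file, captured before the later entries for the same path carry real content), and memory-dump regions of identical size in different PIDs (the 0x408000-byte regions in PIDs 4264, 3640 and 1816), a cheap pivot for "same image, new process". It also checks that every hash has the right length for its algorithm, which catches a truncated copy-paste before it reaches a blocklist. The layout is an assumption read off the listing; the embedded entries are a subset copied from it, and the sample SHA256 is the one in the report header.

```python
"""Hash inventory and second-look list from the 'Files' listing above.

Added example; not part of the report or of the sandbox's own tooling. Assumed
layout, read off the listing (the page does not document it): a dropped-file
entry is a path line followed by MD5/SHA1/SHA256/SHA512 lines; a memory dump is
one 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' line with no hashes.
"""
from __future__ import annotations

import hashlib
import re
from collections import defaultdict

SAMPLE_SHA256 = "594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278"  # report header

# Copied from the Files listing above (a subset; SHA512 kept for one entry only).
SAMPLE_FILES = r"""
memory/4264-0-0x0000000000580000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 dafba6b93e117bf5477c56a3a30a1a2d
SHA1 9f5b1c990ec15ba2a90377dbc1da6e046d083050
SHA256 594817ca4710a984d7c4720f9a40284233b72da88167263de9bbe3bd3bdd7278

memory/3640-16-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 21b3cdb66660fadba45736665a0ff154
SHA1 3b23ee37190aad70e9010fa08c5fcb394f020a9a
SHA256 8c582dc3a0be35110a53c40dd83fa69f31302a458fe8a3da513ae7a2e4515352

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

MD5 8240b06252f50573a3ae42e8dbc7dbbc
SHA1 ad5669c34897063f2e13491f67d9976026de467e
SHA256 56dad02abd308d5d8a7b894773d38aa61b687fa9c84165fe18d377a82cfac256

memory/4540-223-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000757001\alex.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""

ALGS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
# Expected hex length and empty-input digest per algorithm, computed rather than
# transcribed so a typo here cannot produce a false match.
HEX_LEN = {a: hashlib.new(n).digest_size * 2 for a, n in ALGS.items()}
EMPTY_DIGEST = {a: hashlib.new(n).hexdigest() for a, n in ALGS.items()}

MEM_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$")


def parse_files(text: str) -> tuple[list[tuple[str, dict]], list[tuple[int, int]]]:
    """Return ([(path, {alg: hex}), ...], [(pid, region_size), ...])."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, start, end = m.groups()
            dumps.append((int(pid), int(end, 16) - int(start, 16)))
            current = None
            continue
        if m := HASH_RE.match(line):
            alg, digest = m.groups()
            if current is None:
                raise ValueError(f"hash line with no preceding path: {line!r}")
            if len(digest) != HEX_LEN[alg]:   # catches truncated or garbled hashes
                raise ValueError(f"{alg} for {current[0]}: {len(digest)} hex chars, want {HEX_LEN[alg]}")
            current[1][alg] = digest
            continue
        current = (line, {})                   # anything else is a dropped-file path
        files.append(current)
    return files, dumps


def review(files, dumps, sample_sha256: str) -> dict:
    sha_by_path, empty, self_copies = defaultdict(set), [], []
    for path, hashes in files:
        if "SHA256" in hashes:
            sha_by_path[path].add(hashes["SHA256"])
        if any(hashes.get(a) == EMPTY_DIGEST[a] for a in ALGS):
            empty.append(path)        # zero-byte drop: captured before it was written
        if hashes.get("SHA256") == sample_sha256:
            self_copies.append(path)  # the submitted sample written under a new path
    pids_by_size = defaultdict(set)
    for pid, size in dumps:
        pids_by_size[size].add(pid)
    return {
        # same path with several distinct contents: staged write, decrypt-in-place or re-download
        "rewritten": {p: len(s) for p, s in sha_by_path.items() if len(s) > 1},
        "empty_files": sorted(set(empty)),
        "self_copies": sorted(set(self_copies)),
        # identical dump region sizes in different PIDs: candidate "same image, new process"
        "shared_region_sizes": {sz: sorted(p) for sz, p in pids_by_size.items() if len(p) > 1},
    }


if __name__ == "__main__":
    for key, val in review(*parse_files(SAMPLE_FILES), SAMPLE_SHA256).items():
        print(f"{key}: {val}")
```

Paste the whole Files section into SAMPLE_FILES to get the full picture; the \??\ NT-style path at the top of the listing parses as an ordinary path. Equal region sizes are only a pivot, not proof of the same image, so confirm with the dumps themselves before treating two PIDs as one payload.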