Analysis Overview
SHA256
f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e
Threat Level: Known bad
The file fe5aa71a9083e8e8afe13394c10f01df.exe was found to be: Known bad.
Malicious Activity Summary
Glupteba payload
ZGRat
Detect ZGRat V1
Glupteba
Amadey
RisePro
RedLine
xmrig
RedLine payload
XMRig Miner payload
Modifies boot configuration data using bcdedit
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Stops running service(s)
Creates new service(s)
Downloads MZ/PE file
Identifies Wine through registry keys
Checks BIOS information in registry
Loads dropped DLL
.NET Reactor proctector
UPX packed file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks computer location settings
Executes dropped EXE
Accesses Microsoft Outlook profiles
Checks installed software on the system
Adds Run key to start application
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Drops file in Windows directory
Checks for VirtualBox DLLs, possible anti-VM trick
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious behavior: LoadsDriver
outlook_win_path
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Checks SCSI registry key(s)
outlook_office_path
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 17:26
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 17:26
Reported
2024-01-30 17:28
Platform
win7-20231129-en
Max time kernel
0s
Max time network
147s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe
"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 596
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 96
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp
C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130172633.log C:\Windows\Logs\CBS\CbsPersist_20240130172633.cab
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 596
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {4FF03CE8-535D-4D4C-AD0F-78B88D0E0087} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 612
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| DE | 144.76.1.85:25894 | tcp | |
| NL | 94.156.67.230:13781 | tcp | |
| DE | 20.79.30.95:33223 | tcp | |
| DE | 144.76.1.85:25894 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| DE | 185.172.128.19:80 | tcp | |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| NL | 195.20.16.103:20440 | tcp | |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| GB | 96.17.179.205:80 | apps.identrust.com | tcp |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 173.222.13.40:80 | tcp | |
| HK | 154.92.15.189:443 | tcp | |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| FR | 2.21.225.223:80 | www.microsoft.com | tcp |
| HK | 154.92.15.189:80 | tcp | |
| DE | 20.79.30.95:33223 | tcp | |
| NL | 94.156.67.230:13781 | tcp | |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| DE | 95.179.241.203:80 | tcp | |
| US | 8.8.8.8:53 | 8bc3278c-2d8a-4312-984a-1d397a5a69ba.uuid.realupdate.ru | udp |
| NL | 94.156.67.230:13781 | tcp | |
| US | 8.8.8.8:53 | msdl.microsoft.com | udp |
| US | 204.79.197.219:443 | msdl.microsoft.com | tcp |
| US | 8.8.8.8:53 | vsblobprodscussu5shard30.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard30.blob.core.windows.net | tcp |
| NL | 94.156.67.230:13781 | tcp | |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| AT | 5.42.64.33:80 | tcp | |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| DE | 185.172.128.90:80 | tcp | |
| RU | 5.42.64.4:80 | tcp | |
| US | 8.8.8.8:53 | vsblobprodscussu5shard58.blob.core.windows.net | udp |
| US | 20.150.70.36:443 | vsblobprodscussu5shard58.blob.core.windows.net | tcp |
| NL | 94.156.67.230:13781 | tcp | |
| US | 8.8.8.8:53 | stun4.l.google.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | server12.realupdate.ru | udp |
| JP | 74.125.27.12:19302 | stun4.l.google.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server12.realupdate.ru | tcp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.97.2:443 | walkinglate.com | tcp |
| BG | 185.82.216.96:443 | server12.realupdate.ru | tcp |
| NL | 94.156.67.230:13781 | tcp |
Files
memory/2360-1-0x0000000001370000-0x0000000001778000-memory.dmp
memory/2360-2-0x0000000001370000-0x0000000001778000-memory.dmp
memory/2360-4-0x00000000008F0000-0x00000000008F1000-memory.dmp
memory/2360-13-0x0000000001370000-0x0000000001778000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fe5aa71a9083e8e8afe13394c10f01df |
| SHA1 | 62111b0428acfc13dd5f8d6b23c14c56f7c20e06 |
| SHA256 | f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e |
| SHA512 | 6de7fef22f295e8d4548c4c60da98f129e8ad4e0d761dc5ba15c74fb18f8ffe9e5f3b9487a26917dc9e8d81d78a2bc17722781adb7b81e20ed1f0c1ee3de6617 |
memory/1644-14-0x0000000000EA0000-0x00000000012A8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 3853abb35ab617a117144f119cdc9808 |
| SHA1 | 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae |
| SHA256 | f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef |
| SHA512 | 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8 |
memory/1644-17-0x0000000000EA0000-0x00000000012A8000-memory.dmp
memory/1644-18-0x0000000000EA0000-0x00000000012A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
| MD5 | 7bd4583fb25a0c7858c53a7653ad0609 |
| SHA1 | c49f7e95d7930219842e072b1342b049967db5ad |
| SHA256 | 9c72fa69017c0363078b3a00bc2df7fed9e329783a96fc4a9949765521060c8d |
| SHA512 | eff245353feb048306338c2727274bc82656d4fe4c5ecae301b6b72c2497409ef42c80a6063ed4c35c9b7c85dcfdd7427a866607dfb050123b1311516e8a3f41 |
memory/1644-34-0x0000000005670000-0x0000000005B50000-memory.dmp
memory/2912-35-0x0000000000220000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
| MD5 | aa49ea298191bac3817b0ad7fc03ee03 |
| SHA1 | 7fe33ba100cafba57f79e2915135658b86afde3f |
| SHA256 | 11d175e4920572f17b7165e940eca5897fec4a8962a32fc0e334abd4a07d69b0 |
| SHA512 | f93a693e6d5855946d52d3994570b0e7dfe222b9b2fa3792cbd09114cd28e7b3ac749639a095eb847e1c8defceaf5b3fec67335e4d070c8c2223d10dc3012a02 |
\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
| MD5 | 7d38d5c58c71a1eedde14273eb24b027 |
| SHA1 | 39407f31d0b46afbed8a25ccaa6691d53ba652b1 |
| SHA256 | aeae044b79b21c232f42aaa2f1a17da531360a372bd631de810709e8ea2fb9bf |
| SHA512 | 1ad45a448985d620fc49fa2497182f81a46163e107d225403653f0eb812ee2413c1515a7ce257529aaa9b1d3fdfc5f8836e98efe5f575f3d6413aceb7e6d6242 |
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
| MD5 | 96bbf8e8e15d60757a86975151a86661 |
| SHA1 | 300b92bf21dbfaf696a441c8536f0a49b083e11d |
| SHA256 | 5d8f546bb51b8080cc129b7e18c60276614668c4cbdc44c74901e5ea6fd733a9 |
| SHA512 | 91a994da630b971a79c8598437bee77f00d4208fffa4d1dbd483eb354d4ea2ed7fe15949c7d6224689f3a84c93448a362a1d5499e367c829aa1c2b35b380f97d |
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
| MD5 | 9a52c8f0c72b6655321d981269352787 |
| SHA1 | b868c5b9430fa8801a3f59e1f884e5f808dd45e5 |
| SHA256 | 6de8d91d6b21e88fa13855667bfaf1ec05218d47db5a9dcb53f99181fd9dd97b |
| SHA512 | c73b6b911570f81158352731cda0b6aeebd8aed9cd52a75e49cc0ff623cc62a30b7b0a62f64c1bf8b5014a490ce6275081264a05dbf4623fdde02f4a8da0f82b |
memory/1644-52-0x0000000005670000-0x0000000005BFD000-memory.dmp
memory/2064-53-0x0000000000BE0000-0x000000000116D000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
| MD5 | be9219bbeebf6d358e40a49f1b629c9b |
| SHA1 | f36b401f77bd0663978afed950e9099a0444a393 |
| SHA256 | 583b34e6929d7e9f28640b8ef026a5ed987e8e42d2e496ea848516be39d5026e |
| SHA512 | d1e35c24dd9d80e8216102212193aab1138d6cef265b7fdcc438bda48c98f10d71ccfa18e757c944271f9686cf00b65e3f36a04d0887aba4fc8209d98bde23b7 |
memory/2064-54-0x0000000077800000-0x0000000077802000-memory.dmp
memory/2064-59-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
memory/2064-58-0x00000000029C0000-0x00000000029C1000-memory.dmp
memory/2064-67-0x0000000002FA0000-0x0000000002FA2000-memory.dmp
memory/2064-66-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
memory/2064-65-0x0000000002620000-0x0000000002621000-memory.dmp
memory/2064-64-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/2064-63-0x0000000002BD0000-0x0000000002BD1000-memory.dmp
memory/2064-62-0x0000000002E80000-0x0000000002E81000-memory.dmp
memory/2064-61-0x00000000026A0000-0x00000000026A1000-memory.dmp
memory/2064-60-0x0000000000BE0000-0x000000000116D000-memory.dmp
memory/2064-57-0x00000000029B0000-0x00000000029B1000-memory.dmp
memory/2064-56-0x0000000002570000-0x0000000002571000-memory.dmp
memory/2064-55-0x0000000002690000-0x0000000002692000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
| MD5 | ffe31eb8fbb7597ceb0db093260f2c80 |
| SHA1 | 60b6dbea9bd1c62766c44b59917bbfeaa90cb1fb |
| SHA256 | 543bcd146b056fedf4b229bf784c77b19595d3b72ed76475e9e94ad66304f4db |
| SHA512 | a32d83d44f50a3d7b86ea48bc93cb6adbe855007a6fdccbfb623780678c3e4c4775d5c54c2848dbbc3cc338b90ee1a7cd255a0b5c66e18d857d6e83e234218b8 |
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
| MD5 | a8603f57e993364eadde4c9f1c2a6ee1 |
| SHA1 | 9363ae1359c564b1666f13227edffb7b83f49bf9 |
| SHA256 | 8aff1dc86628f1b815bf2b77527246f3786b901386f78fde793db240da7e44d0 |
| SHA512 | 603f3ea0f4801cdea328f94bdf19aacdad90c2dd4ff15d03a56b610fa5f05ffbf1cc48f7025d266e28b38a98c9b4a6e357bcd055e6fe1c25270b2e186615ec54 |
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
| MD5 | f921f12f49cc173a2d7ff4e063c10a2e |
| SHA1 | 577b2b58dcb7a3b6c334fbc1342d4da9e71841ae |
| SHA256 | 5698a94dcdc68f50f23c293470f5dd83d4e9739c5001013a19ceb0009b206f64 |
| SHA512 | 26799feb2496c7708a072ce4c2b923ba334b82f7131acc4db793989981e5867d6ee64db231765bb6953f898ce143c8d5a92b90cff8e7a14fcdb5c5762c17866d |
memory/2180-83-0x0000000000BF0000-0x0000000000C5C000-memory.dmp
memory/2180-85-0x0000000000360000-0x00000000003A0000-memory.dmp
memory/2180-84-0x0000000073F50000-0x000000007463E000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
| MD5 | b60e528c6210a5ffc5bbecdf68d1c7e6 |
| SHA1 | ca7ac8e04c51190bd978885824250b92feb00b33 |
| SHA256 | 66561531b070104d30b76093cd9095f8d6aafe0ecd68e08e69abf785ae22077e |
| SHA512 | db634ad85c4c9528674599c660b870f501dbec71ab13515af8df0ff6672979ef97f9c89d86741d7c1ead9cf6d770cf64f8c51537d05d5f4adce9be8b790f2638 |
memory/2180-88-0x0000000002200000-0x0000000004200000-memory.dmp
memory/1636-89-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1636-91-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1636-93-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1636-95-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1636-94-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1636-97-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1636-99-0x0000000000400000-0x000000000045A000-memory.dmp
memory/2180-103-0x0000000073F50000-0x000000007463E000-memory.dmp
memory/1636-102-0x0000000000400000-0x000000000045A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | bf314d9db863cc6baf19289763421690 |
| SHA1 | ce1e010e0c694c2c23727f4b56312b01df9f1c30 |
| SHA256 | df2e12067c99deafe8943b6c744a65f09a297e6964c633ed74096bf4a961ec21 |
| SHA512 | 8d193056bca9860d50ad400b67f7e2fd81383e35b6382f9c871f03b8e922e2b197f8ff0757fdd2fdfac44e8ca554380b493c2c2caa9abbbf2cd7209e7994e2e0 |
\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | 3c5b71d92bec88824f34c1e977f66291 |
| SHA1 | 2af240505255133ee9c16c0995b1940ea0d8208a |
| SHA256 | 233244ad15ec28234a05737fc2b770b958d2c35a7c32c99cc718c78fb8be877f |
| SHA512 | c3c4bc114d7e6eaa3d21c3cabf788d17a725262e59cab8dd26803143380281401c8ffb980893a6397bb4adf4feba9a0651273846475879754f0c9b59345d24b4 |
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | b64e5f3b40d2cffdfb57e8ed5ec27ca1 |
| SHA1 | 2696f290f354b00c44fea8af3af1e3f0830ef306 |
| SHA256 | 5189db7370dfa1af97336aa8eead25e4c94d777afe9f3de5afccb5bb0568c48e |
| SHA512 | 123ad6dac78a88472e2c5a0fff39efb12353b3fe14ab177d55bb06213277b8e1e25381f8f33c2b6c442a5fe63a270d4af41c144da53db4d1502b7cc7b00f845b |
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | e157fe80807e638fa0cf63ce1572cb83 |
| SHA1 | 36d4895ddb87edd7c3295e34be0f8ba7532eb869 |
| SHA256 | 21012b1f9078397c43a956bd6c0e35fd9e8cfdb215a306f863c1ce0943c5ce89 |
| SHA512 | 8d8ff848c0d7f705dbfa6f63b682bab79d1d0ceae9256b26f667c58011b9af3a4e4c65f165e83bdcfd62351b9df28a5b17485a24b8669e9897b3ca9fcf13fa27 |
\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | 0db14549438390feda062383b33e2502 |
| SHA1 | bab0b3869c640b934b9a0ae5a112f602340df92b |
| SHA256 | 0f0cccddd8785b76a4fa57adbefc2e05e7ec583c2a7de1a35375d01cb36c369a |
| SHA512 | 55b1c0d2977f42cebdd56609bc5fd49bacbc332f73780db23e31494c5b5b8282d44745632b0fccd333967ac7a1ac8c2cefb6953fc199c3e9048171d02e92ae84 |
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | ad4b33b790f588bdb1a0346278382823 |
| SHA1 | 8f4d9209c79fabf186e2edb08f3269608d5feac1 |
| SHA256 | bc4dc9f82300eb02931714e271876f1e46d40a6285d416ac8a887ccf84fa1cce |
| SHA512 | a39fa07eda12a8cdf8a96c9b9d2e948f1805dfc7a01a54e52cabaab3a3b03c865a9581ad64e23cb269b699a145894674ed063bd4fb466841b7d300b2ccd0ee2a |
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | 3969215cb0b8dd9daf4845d9de7812f6 |
| SHA1 | e5ab92fe7b5cd7efdc482bba4479e2b3c957a8ac |
| SHA256 | ea2213358f5472165de4db10fcb02a84738a8a695020e893aa22445a8b545271 |
| SHA512 | 0a0ffdf01f62ea3d816ace78dc9e1fc324f379d59292c471a802aecaf2deeee3606d1dcc14b65c073abb077aea25d1b3c5f8caf9852327977d5c5617fb3c87ed |
\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | 18630f1453e32228f659974dfe0feafc |
| SHA1 | 6df1c41fde1f93c9db1d5a3d243b006ed0526679 |
| SHA256 | 15bb0deb508098afb9c42bbc499552cf47804c13996d11cf74b30ce947c6a7bc |
| SHA512 | 7bc09065c98fa3948fa99f9d8fc3a32879e076effbb9ad1d0d8926eb64f153e0bfa5afff2ede907cb730bbea2efe078dfc04b649134d06d7b0df520aa1c6b878 |
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 01f9cb97107e44147cd0b13d656f6dd5 |
| SHA1 | e6bfb7a3025c4e0c0b3c013f34df8ff85cbd3e62 |
| SHA256 | d113424928a274d7bd4dbab1201344fcbdd4db8cd5fc7b7752a5dd4a8f57d3e7 |
| SHA512 | cf833d0afe0e5da8ab952009ad1f1c117ba0fc7c9ca525f27cc74641302f5fa621b75b1c1df846278ac0fa012ff16d41f436b6da202a8e285124d200d520e3f6 |
memory/1328-147-0x0000000001FD0000-0x0000000002032000-memory.dmp
memory/1644-149-0x0000000000EA0000-0x00000000012A8000-memory.dmp
memory/1328-150-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/1328-151-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/1328-148-0x0000000002200000-0x0000000002260000-memory.dmp
memory/1328-153-0x00000000048B0000-0x00000000048F0000-memory.dmp
\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/1328-164-0x00000000022B0000-0x00000000042B0000-memory.dmp
memory/1644-166-0x0000000005670000-0x0000000005B50000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | bdbfb3afd7700669cd5bec25261cd024 |
| SHA1 | 8fbf55f1bd7527c6e65413d9da719946c03b779b |
| SHA256 | 775f4d4b35334f9f14fd1660a93dbfcf425abaab88de695c3258023c0c8bf668 |
| SHA512 | edc5c4b75e1c32352fcaa906f72f722dd0d3c3310ad9539551b9fa643cf32af19d53fb9e6b367e4331ff3f3167769009f8dc4104edeaf63133d3165ece3439ad |
\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 556dfea946f3bc8869eb9b409f8997b3 |
| SHA1 | 25132fe13874e5835cf85ed3e052b94bc1c4b3f9 |
| SHA256 | eaaa0a6f41207ec52b22b85ba9894e8edfd04d11af1c7eeb61d798358a4ef6aa |
| SHA512 | 831112ecf59d6092b9b250ef9a558d163524f52e10d92a0f9eb8bc9332e8af0bfd13c61c3110ee717423bb92a820862ceb2b47cf02c9817669cf709b8585fcde |
\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | e58be773e7a3b340b23e113dd7cee62f |
| SHA1 | 67af02dd5154d74e1734fbffe73b617f9edd2124 |
| SHA256 | a0a7d9409b5fcac0bbd4fced4cfa56101116ee18d8c3becc67a98f6a4539cc99 |
| SHA512 | 79cb23238f6abc5e98f088fe409202dbcce685fd8e8a4dec33820afb0020269ddffa54a0c0b884a96a5acdc048a6b7d5964691479e7fee984f319a1b14211662 |
memory/692-181-0x000007FEF5A60000-0x000007FEF644C000-memory.dmp
memory/2064-183-0x0000000000BE0000-0x000000000116D000-memory.dmp
memory/1644-182-0x0000000005670000-0x0000000005BFD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | 1c75a09e48f4edc214edae5475b6e80e |
| SHA1 | 70e682df441a42ef0cd65ac5d4e6af5978c4e796 |
| SHA256 | 5fadaca1be561cde3df97b8b85002816f1943b6235b0c247eb5c2ec95b6ffda7 |
| SHA512 | 1f0cd8d97bdf433bfa9e94d875b90239a7897998886b8f6666dd0dfef023f72865d881ac513d64a1354d80c5f5c6a54a28d2c1a81b19221a879db08512cc06fe |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 7351eab9151ff39df787b324f22d6a78 |
| SHA1 | 5d0b5b09bc9c80ffcc261665a66377029c3f0b5b |
| SHA256 | a4879384c7254a7eb0046ef107d9848aa8b4987b39df8ee162d67034e4183e83 |
| SHA512 | 62e3362a11ff14df8b4bd4eaf177be185b01e2f0f68361a7baffbc25abaf3c6dc5ca45772d2ce09678822f289b883e688db0c2d5fa6e122bd787bb19fd0a8d12 |
memory/2144-199-0x0000000001250000-0x00000000012D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | 66975505cb8d8f60c21b3b51b169342b |
| SHA1 | c23f92d4dc3117e40f44bf2dcf2994846d0ecd2c |
| SHA256 | ad1210cd8b1dc97f3ab8077476d4aa6569418dca73d6485936f1a4259368dcf8 |
| SHA512 | ac1b7d4c5c5a021830efb55e9b00f2ed473cc42bf190a1db656ea1a050bae598414f254ef434395a718d4d8d9f1f80a46c685248e6439f1a6bea1726c0b887b5 |
memory/2144-200-0x0000000073510000-0x0000000073BFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | 0bd96453f241cd4cdd61d95dba46556e |
| SHA1 | d67388a88612701c73d78e202814a5d64a90ce91 |
| SHA256 | b346e6bbac8bab6b455288791c52ccde44d39312ba0c83d84e3ac9c002638d55 |
| SHA512 | 22f3328a196fe7448d4045d80d12bbdcca0b7aee5d5c81d21de33f4c0344eba81c8eed907c724977f727f34d5c7fe1b3892a1c03d43b309d4145d47f1a12a8ef |
\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | 94a5806ed5631cd6dbb6e07965d68147 |
| SHA1 | 8a7002149f9bf0da74d479519b3a2f9665578964 |
| SHA256 | b20483c5fac20c88eeffee1fc0b9c3c89c4de7ebfec58a5b68e32b70f2515209 |
| SHA512 | 52cbb5d011c0ae4fa540810c1bf16cb6256ea7987f1da18d31929afae0a1488ae02afec370bac8d246f1c6c3637902e5e23aac0caf57d2f3350d9d50387f8265 |
memory/2064-201-0x0000000000BE0000-0x000000000116D000-memory.dmp
memory/3052-207-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2144-210-0x00000000026E0000-0x00000000046E0000-memory.dmp
memory/3052-209-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/3052-212-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3052-208-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3052-206-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3052-205-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2144-203-0x0000000000AA0000-0x0000000000AE0000-memory.dmp
memory/3052-215-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2144-218-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/3052-217-0x0000000000400000-0x0000000000454000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 5470a78e2347c4840ba56f7dc26ea18a |
| SHA1 | 955bdafca44b198be17c5bc6f7a7800fd84b72cf |
| SHA256 | eb367275a2851353427ae2fc12831dd9a8cd4199d40a53ef494df7faaec8d19b |
| SHA512 | 26221e8961aecf3d01751f44c715cc8e0e919dbdfff71f3abdd6cfb01b608cedcc0ebacc94b0c726b4d10daf981df310337518f8489ad54c64c418769787d48a |
memory/2912-167-0x0000000000220000-0x0000000000700000-memory.dmp
memory/1644-165-0x0000000000EA0000-0x00000000012A8000-memory.dmp
memory/692-163-0x0000000000FA0000-0x0000000000FA8000-memory.dmp
memory/1328-157-0x00000000048B0000-0x00000000048F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | 8dd8ce1089a4fa8a8b5c479f28923f7e |
| SHA1 | 8cb8701c9fb5178b6a973e0e1ecea6b2356dd2d7 |
| SHA256 | e938fab69225943022009fafff7444a2e1e4cc9e0026c6a9dfc5a56f78f78f75 |
| SHA512 | d8a6f12fa65634825fd65d973ef16313d0aa6bd882e254e3e39534a9ea135123f71214de98fb3efbf9d5f86fcf05ec186d621b8fdc800816e7487839211894ce |
memory/1644-156-0x0000000000EA0000-0x00000000012A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 810da00c69d55e89dca3bfe9a6f6a420 |
| SHA1 | ca02bdce48ac20f7b40ab720079009894f369990 |
| SHA256 | 64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80 |
| SHA512 | 453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034 |
memory/2512-234-0x0000000000FA0000-0x0000000000FF4000-memory.dmp
memory/2512-237-0x0000000000E90000-0x0000000000ED0000-memory.dmp
memory/2512-236-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/2912-235-0x0000000000220000-0x0000000000700000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | 8709a7a91f6a6e9ec1e596add8237a36 |
| SHA1 | 655e47527764b8d60a96c5a8cd0431abe5d78ce3 |
| SHA256 | 00277d2bf5dbe1213cbfc66aa981a98dba0b565485cd70c679ca8a43e89d972d |
| SHA512 | a00beff1e798970ae59d75ad11f8014963049f30dd49ac63ae5d098231f0cff8fb16928d722e84f1cfa87b8cecc3b9553724d6de93dd85e84ecd6d34b9a2e5c5 |
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | 845d2be3f1f1efc1afb9397727a7a057 |
| SHA1 | dc4f0f1ad7cfc466b5e50ad23017de96e5dde00e |
| SHA256 | b4529230a2426af084ee9d207023805533cd6c098ee65dc03df8ed2306ff05a6 |
| SHA512 | 4ec641ef071df83f778a6a4b2b68c84586b45d5f7b2bb442a655680f11edb6475bcb65cadd066ff0ee598604be57dcba0da5ca0f3c632a450c6f26d7ac9d40cf |
\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | 5a6358bb95f251ab50b99305958a4c98 |
| SHA1 | c7efa3847114e6fa410c5b2d3056c052a69cda01 |
| SHA256 | 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5 |
| SHA512 | 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0 |
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
| MD5 | b4e3a1a4c27a37190570a2a10554fdaa |
| SHA1 | 9ca304cb8294b5b6070859de7afd0b2f8b23cc1c |
| SHA256 | f1bf7a33139ad6ef58bf3a739ae73ad14e780a5908dfff27e9f59e23eaa33b8c |
| SHA512 | 483abd4d45bd5da557f9c9aab770fc82192e6647960191d0a41f4aace447dfb6ef0a057cd097aca8159c23acc7094aaeb3b89f4292ea3d95b03cbe525de389a2 |
memory/1328-254-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/2848-255-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/1328-257-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/1328-258-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/1328-260-0x00000000048B0000-0x00000000048F0000-memory.dmp
memory/2848-253-0x0000000000240000-0x00000000002AC000-memory.dmp
memory/1328-263-0x00000000022B0000-0x00000000042B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
| MD5 | b0b50421cde9c88de135f33495148568 |
| SHA1 | d6efdacd4ed7ae70b6cb312821262861bc639f7c |
| SHA256 | e3a7b22dd5b9c12cff2eae6eb86d16ebcbfd6bc6d860df035433e2279e4a458c |
| SHA512 | 2b736078c852028ac69b1614e80d8e3a80d3f1eca1528d3f7be38884e719aeec9ae153013f652a4000cafa6a617dd07376cdede68a1ae44c285b49641cd0c8dc |
memory/2848-266-0x0000000002110000-0x0000000004110000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
| MD5 | abc91b60f898abfb80b522fd8819483e |
| SHA1 | d006651117b6c25b3627e19244a0feda24f2c310 |
| SHA256 | 26f8582035c444688777cd82264ae0e6e94f55c1272fad968d69aab7bd1d86e1 |
| SHA512 | 1cb9c876a31d6d9f3325705a707843d2f7a7b70399e7c02340f9cfe115d91365690124113cb6b0bdb9ab86c83bfe4537854b53f42614753260430d586b5e30f5 |
memory/1524-268-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
| MD5 | b226e0679b4f93acd69c33f1e9d239f8 |
| SHA1 | 759b77628ea99d7d57bc7a78fa43e068882ec803 |
| SHA256 | 8dc3d539c6657fe248c63ebadae6341fd73b99b0b6b129d982d499ed7467acb4 |
| SHA512 | 6d3ab7b68ed70a870dfbfcbfb778e7a1d57096c63230e7f4b3d547fade6ca2da32b14f3aec4bb789b05b5739099bf7dcb9e8ed637794812328f969df1b1d7a8f |
memory/2848-284-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/2296-291-0x0000000001E10000-0x0000000001E52000-memory.dmp
memory/2296-293-0x00000000020A0000-0x00000000020DE000-memory.dmp
memory/2296-294-0x0000000073510000-0x0000000073BFE000-memory.dmp
memory/2064-292-0x0000000000BE0000-0x000000000116D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
| MD5 | f6080f9b71fd61a049c86024d3ec694a |
| SHA1 | 3eb9b4d933f15a2cd22fa25079aa4a5258c0b906 |
| SHA256 | 160f9d86d4a1de19a81e80360b4902a66d81c6985d2b5ff26474a350761b2c51 |
| SHA512 | 6b6dbdd86edcdd9659aea5f7c14801ea6e09c73c0eb28e36e90fcd2a01b23f19d6f66cc136ab07cd48ff64067f2c496c3892ef1d58c3b2588e17abcae5e95476 |
\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
| MD5 | 5dc846240b8cd8c05f36c8ad7adab51c |
| SHA1 | 0fb83ee8be31879ceff12035b0ef1f8ff742c35b |
| SHA256 | 761324204c8614114ba6a2bd3e470ee22dde1dbe19d2f9fa1f77b4eb144409c7 |
| SHA512 | 500e4896918654d8819ecb33e2ef2985257ce5d338ee39d4704a0919be60db49a917f90e5b3e903dc7cf3a85406a99e7441d336069a6123475403e6e03477c58 |
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | fed49d57527d280c804060ab64a8564a |
| SHA1 | f92e96f10d61cba84f8a38dfffed52e32ca31bd5 |
| SHA256 | df560641ebe2ef1708836f31cf15baf071ccd7a6d5c9d7c4c78f69a22a46076e |
| SHA512 | 16aa563cf2fa1123e0a49faaa04fecb85d7581c87132486cd724617defc0cfe1e7839b6752e0eea445ce67843f35667c7c2c2326bca23cc34c01a89618419217 |
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | d2245067313908915de6047c74acced1 |
| SHA1 | ea67900a2419388ebafd78c71ad5ff122e110267 |
| SHA256 | b6a324ab6dfa87ad0fbf8ffa1de66a231adca36c74e9bd50cd6d08da684bb08d |
| SHA512 | 4ecb06a061ed9e95a706f72f07d4e7ee68c556b67c6dd0cc13c555aed0c8d762ba982a3b34073a453733673f743ee6baaca813379db48b2acd6949e3dd68098b |
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 1930302afa28f98d58906dbb173248db |
| SHA1 | a5f467b99fdfc9a25c29bbeae8c2a28a225bcb0b |
| SHA256 | ae798fc3e89e7263457c1e961cd9d9c0cae6b3dacdce6c1ab8f97699014936de |
| SHA512 | cfe0e2ebd11c2b63c145fc2698e7440902af19e15e4cea396dca9c8892398def18dfa1107acb1e615b4f39606595d3311bd55178c8d82ce62bd6aeff15dbf5b6 |
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | afcc44cf96fbd683f6fc8820bdb36a9e |
| SHA1 | 8aa67f2960f01c26e486476a6073fb77d71bc778 |
| SHA256 | c194c9e27c977133127637fbfceb8ec9da3bdc02a02c47ffc5d05a3e8e5162ce |
| SHA512 | b5c5ce0dcd6a0380b369f063e013a98f3f95c55bae8e1787830e8d5df64ae99de5581f7a7b4fed3a4ea7b03a557958c7fe5016048d1e7425e3505eeba17d04c7 |
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 012d5149ee69742e4c113fba2eb66a00 |
| SHA1 | 235c50d581be5f5b55cd3cf4a915e201dffcf2f5 |
| SHA256 | 58b6cfd06c52207a3cb6486d7b201d40df7453455016f93b6d0426d74d26ce93 |
| SHA512 | 863af1ed8b49b3107a04efc0085fac2dfbfc98dbfbda9945e66b688a4c2d0fd94ae4b8416b8e0bc49a17b4433d2c956e41cd1ae45ef28696b811fb269d15f1c0 |
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 5bb9e7adefeac3fb03908b7fd840624e |
| SHA1 | e892d61c1fd90f168757cf220ac3ec273b9341b8 |
| SHA256 | 0d99dfe58845c193f159ac0e3324fcb14d131172f808bfd3ff932e2998b90a59 |
| SHA512 | b87be099218460cb9c7efd15eb12acaddb23b8db87a401282dd732615fb65d4d20e871f9dc1c3d0ec7f74bdb1f0915458087cd205bd6e70cc2adaad28b456fab |
memory/2352-316-0x0000000000230000-0x00000000002B9000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 505875045901c243e4db09f74b212492 |
| SHA1 | 096ff6e303db9c0ce2e29064686de27e0d6a1b38 |
| SHA256 | 95e34e8add9da5d63de8114b17ecc463cbf6e346a62546b5c099f3d7af9b5988 |
| SHA512 | 3d19f26aba20b4f758d64aadd182d57cc82bbe5c0a269c987c64e9524a33228688dfadbd158f77b20bf11796726c2bad6d327f4414557e79e6d9197868a45362 |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 50586cb226934a110ef62de6faced48f |
| SHA1 | 9d025bc7ac7b369a439ee922649862ad52e880d6 |
| SHA256 | a1c6b5b9d60eda7c53369751ee3d062500b121bd6f2c060dd50376ede79ace0e |
| SHA512 | fa4124ae88cd3fb41d2b3ed592bbb1fb67832315354872c685b52523e2e15f5a0e6bee846212aabd5fbc2ac4478429f91fb9dcbd23cc39488b6e60e4f7b47af5 |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 5b8920f182552adf5e487ed5da70bf7f |
| SHA1 | bbf0870abe29bba850bc0a19365250bd5f257a99 |
| SHA256 | 9f94ec194a130d237ea48e9fa3c2de7c4d44355f04429bf1996fbf42dacda4dc |
| SHA512 | 5303165c9a4292fc13d73e913f6ede42dfe491a5cffd2d53e87e9333596e2b4fd6b6effcf8c4bde9e2c7749fea94ae77955d59598d7b9130fdbe4aea69ae241a |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 9314037cf7352c3152a1a2b188d1431e |
| SHA1 | ea4662f8c2e58faa52fa88d5ebd00f1901fda225 |
| SHA256 | 1f45a83786ef9d084ecc3f90fe3dd675cb2a7268fe952c5dc2917b3f22f13372 |
| SHA512 | 76966c20a619eef1d8bfd2029554e7c1777782582c7cf3e0daa1aab7610932613a6b8a208c49f249e2b90a9a9bc3ecf4c276748ce3741f12293f06a2676f0b81 |
\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | e170491a69ebb14dbd8c5d2e6f6eee43 |
| SHA1 | 0721ee11cfa5a581c74d27d9b225642497e5f11c |
| SHA256 | f48dc85838b008c57d5dd8017bbf593f1cc6f1d45db2b268cb9b42bceb53177f |
| SHA512 | e76ec185ba66bcf7eb3002c04bc53ad04e22e27ac233421bf73bc1b21a5d09b623ebf9c66db1bac6f79f4bbf83e1cc482d964432a58cb17766ee80c2a957b3a6 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 2162391f5caea08b72fd2fad4ad94b1c |
| SHA1 | f1dfcbeae4eb857250ca18d5351a9dba8b5852df |
| SHA256 | 3abb2cc21a424c8649ad4ecb27b9f6ba622e69d748b5551ab39809810ce12e1f |
| SHA512 | bb3e68395349ca4468ce42e7f0fa1c38d4f2d5f446aeb84ea8e1907439853e704cd89c09aa3685cc5c8ca739b46176a83b266d1525c49b4babd16188c42ef7c2 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 56c1958ee4303bb234c1443652fc01b6 |
| SHA1 | 23a41073ca2794b291c9f6d9be52715acd3a5cb4 |
| SHA256 | 067f8a780e74219d43339c7ec04868c8c146dfca408b7d19f3438098ea8818d9 |
| SHA512 | 257266d871426f17ab1a32b52a8ff84caeb8eed7705ef25109742bd0e115d44ccb4a8b208fe0cecae43ee57b07c24a8badac7dcbf7a51b17de6a759c6fea8530 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | c116aac593f8bf11047b45b2f36678bb |
| SHA1 | bc624e2439bc7096b22dbcb59dbf7bf6019a7d1f |
| SHA256 | c2d6b9dceac14b4fdddcc0b102d338039364448303628714d27a7af199c583d4 |
| SHA512 | e44524322534a107a486d7af6a472eb1de433ca5a70a03f13202747cc179f9a14c371136665979816d1be3a9f49dc1f6d54622bb8114a37097b065a6a6758ffe |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 7148571e9bed61a633558005663a0990 |
| SHA1 | cc65c9f6866f395fd45f04f50fa67c4b45e8bbf6 |
| SHA256 | 56327305d5f12ac7fe66655c9e78b78c56a7caefd4afd59ed75c89ab79d46137 |
| SHA512 | 3e8bd7ecf743f7d6620ca0f6f9057561e87ee5a9ca3cb05b9e04f00d11d7e1e6396cdb6a43862fff2767b347ee02a4956ba351978b02378a9f283b850776817d |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | b570f310df28887536c021c751aeb72c |
| SHA1 | 50639ef5835673275f8650c33beb38065211fd4f |
| SHA256 | 280ed5f579f005ed50316d9c4d660c8a9f9ef4fa7652d039134803c381f1b26f |
| SHA512 | bab22c2e547a0fc0c8157447fcb514c8a972e3e95dfe20d5be98e85c982214b7cb8139ad0bec8a125492f18a3ba030267cc85377d96c95dfec884a23f47c565e |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 438ff0ba7fc17c6997e2b96b4497380a |
| SHA1 | eaf9a3a28d2478531536ea217b9c4d6929bb6685 |
| SHA256 | f10fb96ebd8057981075072530597deb34736f79ab9706560c9137e169e134c8 |
| SHA512 | f88afedbab4f0ff677eef4c33fbb133401350a4afd7da6ac4cc1fb554d8ac4fbea5f5e0f31db4b35a42a90a7a5bb3b2aa705f1e706587840451c34e90e58106e |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 1ce12ca7c96523b781f143f91ad24297 |
| SHA1 | 96343158c128814e00c5a812f57dd55ca9bda8ec |
| SHA256 | 24e2511784ba4115f1797679e248dcb523b091c0099f7db69ae4f6dc37ead8fa |
| SHA512 | ee33e315dc67843e135d374bfdec95b6478578630324d1732fa66bb5f37681931abe2b18488d8565799861864a0e03b164522309fb373bfb58c45ae93230606e |
memory/1072-384-0x0000000000400000-0x000000000045C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 076c7d95645ae02dc27d4ae64319d1d9 |
| SHA1 | 7bc546e24ef6724eb7504a4e9ec802d203e0daef |
| SHA256 | 83912dcf6cbd638bb2a2e81d5b4fd9aed852f9c89135d4cdd0917d2dba1bad3d |
| SHA512 | 84b22514a2129f136ccdf7f806f004a6555326d758a36e8017869282038eb92daed69c3cee9b42d166b7d3d858e9f52f69ef127cee49d8da607b3dfa619481fc |
\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | a42256603f2cb71f44ddf1b73322c401 |
| SHA1 | 679d064f6ab7f48d6df55cacd2d4f04d70f4bf1b |
| SHA256 | 567c8092aa720746610acc5a335032a33422938fe2ca3816708812a2b805f59e |
| SHA512 | 4c782fb7d943da5ae524107b3538e8cef06408aecd98bdebf0c4a8c888fff8fdbf71316c20f817fe05706dad56aee9e99fecb371e75e083c2c2a93813db7f54f |
memory/1532-383-0x0000000000E60000-0x0000000001258000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 9a326cdd5336483f0cd679058b729d57 |
| SHA1 | 59ec4df2479b7939c857c4a16195a86ab20e09c3 |
| SHA256 | 7e01f2065992cae59ca598615268d7e2bb3603d0d59a354ca0a99b1032d7b9ac |
| SHA512 | 64a6cc0192cd5ab3c033b17a27251b68e3e78f1c643ac2c5aaf06209bdc1611226649bb84e44fcaa494053ba45d1792c468c12d652e566114e16db03c9331b82 |
\Users\Admin\AppData\Local\Temp\nst50C0.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5a799fd4ab17d7e9e93367d976ed5262 |
| SHA1 | 04886043e1f3dd909cb2b6dfe547885a0ef82c67 |
| SHA256 | 88dae1b26fb82071a0af8e12c1d793dd3ee5009977988bd4b349d62e682e028b |
| SHA512 | fafe1684d42b1a56bf37afdc7e750a245bc61bc8729e07c318aaf004ffc4dde1904c99a6ebeda3541a014934f9b5f168524ee080b8b9cfd9fc5fe8e65bbcc373 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | eb4c2b9c4e26f18f6800dce46e0005dc |
| SHA1 | cc7de8b4e194a7e8eadbe61dc4dd7c61baf9f81a |
| SHA256 | 3e4689f53b3c5b3b3e2b0eed0f1657b32a94a9c1ff6c90a6de94775d233a5d43 |
| SHA512 | a7fbdd728d864f10442114597dde1a630dda8e919612a50226ee0ee641edd4786c456ca428390ac1a55ac75d7b5b393cc73231fcea6c01b879d37b260dd2c346 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 2655da509bd45b9667d4a9e9e8eeea5d |
| SHA1 | c221b6a16b7f3872874b032541edfe566a63a106 |
| SHA256 | c5bf82f6a369ddc146854f57957629af6a716d88488e81287cac7135b8bcec17 |
| SHA512 | 476aeaae845f4e8bb93e2bc48c99ac12e4b430aa5ad8fe1e1894853be45b9a7c25030d68300f739ec25f1d4176ace4f74d9148b74ff029dd67402dacb2319532 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 597b05c6285d8ac92b0d8bd1b3606057 |
| SHA1 | c0146e00c28d29eacd66dff66e6eee44409146e7 |
| SHA256 | dd90a146e70aac46eab9c49ecb5a0082d792cdb6bbdba842bfff943c7e189c32 |
| SHA512 | df4c1085b194b5ec3b7c5f48398362dc405fd5570a73f5289fbb26008e764aea95b8893576aadc74675d9d39a30301cba90165dcc5fecbf92f5f644d4e3cc116 |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 60cf6a740805cddd03820563077abf63 |
| SHA1 | 868ae7f00d3d45bfdaa3c724e2e6eb4a9c2107aa |
| SHA256 | 6e2234b6b25ffd937ddf7042d337ed68f41090149de26f8ed36c45b3b64152d9 |
| SHA512 | f8a08153dd05846ad13601c9705b645052f1bdd54bd8b3a1d10b0194b3d1a7d146d0d9a98ce533ff8a50aabe46e425bb2e0b6b84bece057498eb16ecfa015cf0 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | a11097de6dbae2c6c72cd1ae7e1f7bc9 |
| SHA1 | 5012ddbccac7ee7cd17d772f9254da80a46e4e49 |
| SHA256 | 65ced98c2de7477e18ef10581224d26c60372c7871cbc3cf9af6ab5eb105fc9c |
| SHA512 | ce3e8801931ba7db0c03a33902a314708e14cc43352fca653fad51e5f37976e9a75d89fabbac62f9554c03b260917df2c6a6136952b08a341c9dbc4dbd3c7073 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 3ddfdbc462b8e18f741fe8cdd09209cb |
| SHA1 | 1a2d6a19b798f7cb652f2ea613146b8d64f976d4 |
| SHA256 | a1029958b67b533ec8661e2da1d547cd23411561165d192aa16a24ce1fb5e315 |
| SHA512 | bc4fc97aeb79a3875041334bf3bd93e776ac9447616a73a276d76046ff220f12c7a9de3e304b81550c8da83f1ee769d2f758f262dc98ed6fb37c0148e3134521 |
C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp
| MD5 | 4d1536443c0c72543ce312195f21e784 |
| SHA1 | b10e6254076b4a2ccc137baedd64f9d6605d12e8 |
| SHA256 | 0371fbd1376855c5dc8e6202ed99834a4a085e5d9c0a180084a4513303b6ae70 |
| SHA512 | 7932e6530c64e6c4ed2d401f7334ca5adcfb17b01d5101244863a12dc79b70f3b789e2ae02ca458503c5cb9abe2823bad06df709bd0dbf4131955faa192ba103 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 2f9e46d40c599ab8767bfe534a456382 |
| SHA1 | c3f8dcc3b06a881e24e189ccbd39ac6c54bd83aa |
| SHA256 | a06a5129c65931958b6f0542fd972653755fc3ffaadf9394cf6a6624485e410e |
| SHA512 | c805a0409ec793a1369a138f1dc83af0061f21d20410cf1ca0785b0be41117f74d262a7d6eba718a57e5057ee8715ff7e631a66c59ee8bcd00908413b1b58372 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | 2c3aaf57dab5f3eda80c56a003990ea4 |
| SHA1 | c13c9a10e2b648dff91fcfb754a50bc289f314b4 |
| SHA256 | 13f18d39f7dd5792c749980134574d2ddf3599b6893759f3aacff26a31e08992 |
| SHA512 | de710d03c5111fba3c95537b8b84769d4cf41f882b36a64887437e0585b6d5253135f34689fb7596ff909e9ca9e48f60587514b784b54b46ee8639ed2347721f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar680B.tmp
| MD5 | 6d3f0ded4a479b2b88af6f3ef2a43a74 |
| SHA1 | 045f7fb13de9c238da84b513f908555e9aba0368 |
| SHA256 | 21cdf3c241b8a2c078949e489252340443ca2b38a0fa542038799adee6c14f75 |
| SHA512 | f0387cc2a303afc3163c83ff42debe224b176ed1b80c113d1dc46bdad53a908d9bf72c259c5ea7aab9f337f3979abb036a2558110ec3b0e99578bdafab477696 |
memory/1532-500-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2380-504-0x0000000000FF0000-0x00000000013E8000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 8f88f9bb06c9ab8caa47b38330da336d |
| SHA1 | 3ea0ce362778563746ca66ba3ded7304dbeb5385 |
| SHA256 | 56db070bd9b8533d35d18c470ca7fd3eab32883d23a235636bf026188d6e8b81 |
| SHA512 | 2e35605bea814130d8c2217fc5fa37633bf76ce6ac0601868fd1fb164413cee1d7b4ac648133d0cc0be9a94c65ef006b5e789be7fe72bf437713623a863f9687 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
memory/1776-580-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-581-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-582-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-583-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-584-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-589-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-590-0x0000000000200000-0x0000000000220000-memory.dmp
memory/1776-585-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-591-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-592-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-607-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-610-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1776-611-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 575c2da98fc97cbb59876c6a8529ee57 |
| SHA1 | b6e76b42eb9a15b3aee4e677133e6cf19e8741bf |
| SHA256 | 5fd94db2533ccfe5b1aeab7ec686b9a4be1e659bf79a1972afe6ba8be7fec4e3 |
| SHA512 | d6d9ec290d9aa083671e3de2f8630b73a1bca104076ba05c0646f6cd76a0998f6096672f30648cdbbea211e3adf7f8d192a2f09ce4b60d3226c76c01be61a684 |
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 9d0a5bd7aae5f3aaaaea215402a573c3 |
| SHA1 | f068df4c806df1264ed3e2965f1126338ea09dda |
| SHA256 | ac29a825e1cc821b3aef6e843cc40bcd76c1de050775b7fd7ec5b6caa1f69fb0 |
| SHA512 | e0049be3eeb6dc0e8e80ef3e6108ccc1cefe2fc02711a5bf7bae5cfa900a29ce230d0b2a7d26a0bb37808a207306c0c3260ff73d57541d1684150dcd9517237d |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | e601bc0698a98534b7be32f2748e2629 |
| SHA1 | f25f97decfe1c4ae483e0d33577b60a61d1ceeaf |
| SHA256 | 7440ae392022609d772e2ba471f438db9416e8392c38320382410d63965f65c1 |
| SHA512 | 4c6a085582c32654e9b29b17425b6bb3543d23c1119af814a11fb556ae1ceb87cefbc8860744bce96055be6921ff6000c3b99e69636850a70a69bba2e11422d4 |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 868df6a113093e0fd658582566af3e6d |
| SHA1 | 905a8b527ac6b2290a67824ce4ec3e3cd3c5feb1 |
| SHA256 | 3e942e3e13ceb78bfee247410d3a14874841a2b5b55345f93190ae0ea19e9e0e |
| SHA512 | acb28691c2902f7e3a7cf9f5792962a88650413918b177a0599564a24f1ea6f4351544e47e4fac08e4f615584412fab729ec4324b908f6bac736afbb66e6e5df |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 1afff8d5352aecef2ecd47ffa02d7f7d |
| SHA1 | 8b115b84efdb3a1b87f750d35822b2609e665bef |
| SHA256 | c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1 |
| SHA512 | e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | c5189a041155ec61a7c7041d0e253083 |
| SHA1 | 07282e9faed71a024624b20d045e5593ab632874 |
| SHA256 | 574e8d81d8a60fede367554ffdaa5292ffb74578ee55e08640b8714e7d2a2c07 |
| SHA512 | 8da8b4000cf5387341e82bbe7f7be92b3ba46feebf0c640969c79124a0e64dcff9b7e40d87797e130b38ab4074acbca1d3ef3a1af4cd973c5639015313765aa0 |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | 8f5fbf476f453cd6ef553a809b3ecb3a |
| SHA1 | a964f837a86103fd01abd279ed3b47fa0e1e54f7 |
| SHA256 | 79a44df3a2f92f96994229b6e43fe797f87f83524bcb23edca70a47da0d70f84 |
| SHA512 | 6364cc85a2808edc0b6e646e56266d21c3b3ca305a879abadbfad59cc705a196c31eaf28604e701dd2e4475a0bba6e67dda4731ce0f155ff6e3690bb719f2ac8 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | 5da3a881ef991e8010deed799f1a5aaf |
| SHA1 | fea1acea7ed96d7c9788783781e90a2ea48c1a53 |
| SHA256 | f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4 |
| SHA512 | 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 17:26
Reported
2024-01-30 17:28
Platform
win10v2004-20231215-en
Max time kernel
94s
Max time network
154s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor proctector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | N/A | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000735001\\lada.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WerFault.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Windows\system32\cmd.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\sc.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\sc.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe
"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3404 -ip 3404
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1072
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5000 -ip 5000
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 348
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3404 -ip 3404
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1120
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 396
C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4964 -ip 4964
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 408
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4964 -ip 4964
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\explorer.exe
explorer.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 752
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 760
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2580 -ip 2580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2580 -ip 2580
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1188
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1200
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 900
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 796
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 916
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 716
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4964 -ip 4964
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 820
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 936
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4964 -ip 4964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2924 -ip 2924
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 348
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1228 -ip 1228
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 720
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 728
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1228 -ip 1228
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 744
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 784
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 640
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 888
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 956
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1012
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4624 -ip 4624
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2364
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| US | 8.8.8.8:53 | 68.113.215.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 3.182.107.109.in-addr.arpa | udp |
| DE | 144.76.1.85:25894 | tcp | |
| US | 8.8.8.8:53 | 85.1.76.144.in-addr.arpa | udp |
| DE | 185.225.200.120:15666 | tcp | |
| US | 8.8.8.8:53 | api.ipify.org | udp |
| US | 64.185.227.156:443 | api.ipify.org | tcp |
| US | 8.8.8.8:53 | 120.200.225.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 156.227.185.64.in-addr.arpa | udp |
| DE | 141.95.211.148:46011 | tcp | |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.211.95.141.in-addr.arpa | udp |
| DE | 20.79.30.95:33223 | tcp | |
| NL | 94.156.67.230:13781 | tcp | |
| US | 8.8.8.8:53 | 95.30.79.20.in-addr.arpa | udp |
| DE | 144.76.1.85:25894 | tcp | |
| NL | 80.79.4.61:18236 | tcp | |
| US | 8.8.8.8:53 | 61.4.79.80.in-addr.arpa | udp |
| DE | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 188.114.97.2:443 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 188.114.96.2:443 | secretionsuitcasenioise.shop | tcp |
| US | 8.8.8.8:53 | claimconcessionrebe.shop | udp |
| US | 172.67.199.120:443 | claimconcessionrebe.shop | tcp |
| US | 8.8.8.8:53 | 171.80.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.96.114.188.in-addr.arpa | udp |
| US | 8.8.8.8:53 | liabilityarrangemenyit.shop | udp |
| US | 104.21.83.220:443 | liabilityarrangemenyit.shop | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 185.172.128.90:80 | tcp | |
| US | 8.8.8.8:53 | i.alie3ksgaa.com | udp |
| HK | 154.92.15.189:443 | i.alie3ksgaa.com | tcp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.15.92.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.64.42.5.in-addr.arpa | udp |
| NL | 195.20.16.103:20440 | tcp | |
| US | 104.21.80.171:443 | tcp | |
| US | 8.8.8.8:53 | 40.13.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 172.67.149.126:443 | mealroomrallpassiveer.shop | tcp |
| US | 104.21.80.171:443 | tcp | |
| US | 188.114.96.2:443 | secretionsuitcasenioise.shop | tcp |
| DE | 185.172.128.79:80 | tcp | |
| US | 172.67.199.120:443 | claimconcessionrebe.shop | tcp |
| PL | 93.184.221.240:80 | tcp | |
| DE | 45.76.89.70:80 | tcp | |
| US | 104.21.83.220:443 | liabilityarrangemenyit.shop | tcp |
| US | 8.8.8.8:53 | app.alie3ksgaa.com | udp |
| RU | 5.42.64.4:80 | 5.42.64.4 | tcp |
| HK | 154.92.15.189:80 | app.alie3ksgaa.com | tcp |
| US | 8.8.8.8:53 | 4.64.42.5.in-addr.arpa | udp |
| DE | 45.76.89.70:80 | tcp | |
| NL | 94.156.67.230:13781 | tcp | |
| DE | 20.79.30.95:33223 | tcp | |
| RU | 5.42.65.31:48396 | tcp | |
| DE | 185.172.128.33:8924 | tcp | |
| RU | 5.42.64.4:80 | 5.42.64.4 | tcp |
| RU | 5.42.64.4:80 | 5.42.64.4 | tcp |
| DE | 185.172.128.109:80 | 185.172.128.109 | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| DE | 45.76.89.70:80 | tcp | |
| US | 8.8.8.8:53 | 109.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | galandskiyher5.com | udp |
| RU | 158.160.118.17:80 | galandskiyher5.com | tcp |
| US | 8.8.8.8:53 | 17.118.160.158.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ji.alie3ksgdd.com | udp |
| HK | 154.92.15.189:80 | ji.alie3ksgdd.com | tcp |
| DE | 95.179.241.203:80 | tcp | |
| US | 8.8.8.8:53 | 203.241.179.95.in-addr.arpa | udp |
| HK | 154.92.15.189:443 | ji.alie3ksgdd.com | tcp |
| DE | 95.179.241.203:80 | tcp | |
| DE | 95.179.241.203:80 | tcp | |
| US | 8.8.8.8:53 | 201.178.17.96.in-addr.arpa | udp |
| DE | 95.179.241.203:80 | tcp | |
| NL | 94.156.67.230:13781 | tcp | |
| HK | 154.92.15.189:80 | ji.alie3ksgdd.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 02585e3d-3a43-4ece-83c0-3b08bbbca099.uuid.realupdate.ru | udp |
| NL | 94.156.67.230:13781 | tcp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| DE | 185.172.128.79:80 | 185.172.128.79 | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | server12.realupdate.ru | udp |
| US | 8.8.8.8:53 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.133.233:443 | cdn.discordapp.com | tcp |
| BG | 185.82.216.96:443 | server12.realupdate.ru | tcp |
| DE | 81.3.27.44:3478 | stun.ipfire.org | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 188.114.96.2:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | 44.27.3.81.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.133.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| AT | 5.42.64.33:80 | 5.42.64.33 | tcp |
| BG | 185.82.216.96:443 | server12.realupdate.ru | tcp |
| NL | 94.156.67.230:13781 | tcp | |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| NL | 94.156.67.230:13781 | tcp |
Files
memory/3916-0-0x0000000000960000-0x0000000000D68000-memory.dmp
memory/3916-1-0x0000000000960000-0x0000000000D68000-memory.dmp
memory/3916-2-0x0000000000960000-0x0000000000D68000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | fe5aa71a9083e8e8afe13394c10f01df |
| SHA1 | 62111b0428acfc13dd5f8d6b23c14c56f7c20e06 |
| SHA256 | f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e |
| SHA512 | 6de7fef22f295e8d4548c4c60da98f129e8ad4e0d761dc5ba15c74fb18f8ffe9e5f3b9487a26917dc9e8d81d78a2bc17722781adb7b81e20ed1f0c1ee3de6617 |
memory/3916-13-0x0000000000960000-0x0000000000D68000-memory.dmp
memory/2784-15-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/2784-16-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/2784-17-0x0000000000830000-0x0000000000C38000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 3853abb35ab617a117144f119cdc9808 |
| SHA1 | 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae |
| SHA256 | f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef |
| SHA512 | 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8 |
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
| MD5 | 00fb5f05cc6a22902de878ee3bbefbd5 |
| SHA1 | 21d3958b179d18c64483d8c59dda67d07dc6588e |
| SHA256 | b9ce041fddf5072392de32ea719cf2b2b6f69b4cdf8837ee57ae8097510c1a09 |
| SHA512 | 05bedf542a21ef882af6b20fa92e8f16ab43885b00afef527850709d9518c819769fc80aee9b1495f8e74d572f1b608e76a05bdc4962881fd394b098619a3729 |
memory/548-36-0x0000000000FD0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
| MD5 | 783c514fa6189d91ac625ac6f16a7c6c |
| SHA1 | 96d0e6a06eaeec0b37ead78c097c0d623f592102 |
| SHA256 | 20e9e19afba5b79ceeb2ac276295f12a0b966860ba07fe6b80a8b69da857f98d |
| SHA512 | 5d3a5ffb5f8bfc7de16e75298166d1b77e0f90770dfba8463deeead11d86e971ea12ccd456db1624b1309c70aeae20d86582cf029c8b0f05503aa193fd7b2974 |
memory/4372-58-0x0000000000960000-0x0000000000EED000-memory.dmp
memory/4372-59-0x0000000077734000-0x0000000077736000-memory.dmp
memory/4372-60-0x0000000005430000-0x0000000005431000-memory.dmp
memory/4372-61-0x0000000005410000-0x0000000005411000-memory.dmp
memory/4372-62-0x0000000005400000-0x0000000005401000-memory.dmp
memory/4372-63-0x0000000005470000-0x0000000005471000-memory.dmp
memory/4372-64-0x0000000000960000-0x0000000000EED000-memory.dmp
memory/4372-66-0x0000000005440000-0x0000000005441000-memory.dmp
memory/4372-67-0x0000000005490000-0x0000000005491000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
| MD5 | 3c9da20ad78d24df53b661b7129959e0 |
| SHA1 | e7956e819cc1d2abafb2228a10cf22b9391fb611 |
| SHA256 | 2fd37ed834b6cd3747f1017ee09b3f97170245f59f9f2ed37c15b62580623319 |
| SHA512 | 1a02da1652a2c00df33eceda0706adebb5a5f1c3c05e30a09857c94d2fbb93e570f768af5d6648d3a5d11eea3b5c4b1ceb9393fc05248f1eefd96e17f3bbe1b4 |
memory/4372-80-0x00000000054B0000-0x00000000054B2000-memory.dmp
memory/4372-79-0x0000000005480000-0x0000000005481000-memory.dmp
memory/4372-78-0x0000000005450000-0x0000000005451000-memory.dmp
memory/4372-77-0x0000000005420000-0x0000000005421000-memory.dmp
memory/4372-65-0x00000000053F0000-0x00000000053F1000-memory.dmp
memory/1692-91-0x0000000000120000-0x000000000018C000-memory.dmp
memory/1692-92-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/1692-93-0x0000000004CA0000-0x0000000004CB0000-memory.dmp
memory/744-96-0x0000000000400000-0x000000000045A000-memory.dmp
memory/1692-99-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/1692-100-0x0000000002680000-0x0000000004680000-memory.dmp
memory/744-101-0x0000000005790000-0x00000000057A0000-memory.dmp
memory/744-102-0x0000000005DC0000-0x00000000063D8000-memory.dmp
memory/744-103-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/744-113-0x00000000057A0000-0x00000000057B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | 33cbaa6d2a1b610ed621fb711da014df |
| SHA1 | cd0b04aa27b9121a1fb8b367dcbf91ffc14dd159 |
| SHA256 | d50fb42d9f0298c85b07c107bbfc54e272edd97d713452a677ebf3d2d55ea7f1 |
| SHA512 | 8134fd33c31d765f4cbde5b9ab0300f1c6c12a9245669906166b2692a00621311d93b5ecd3d771fdc2410797aa24e5345839679a57706ec30c3b03b9eeefcf2f |
memory/744-114-0x00000000058D0000-0x00000000059DA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | 8068fd90488c53533435b207e687ed39 |
| SHA1 | 0712715635fc8245d0f828ea9fb8929c1e287195 |
| SHA256 | cb622ff0142517c9b3e146e0cd249026bb882e4058f3f4802f626ad91adbbc1c |
| SHA512 | adfeb3e636b937c4652986593b4683ad3dd03df9b6847e08a74718ef2a880e4b194e92956f15989501a8fc1d64227f822cb78b55edb25dd7639fbb18a152539a |
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
| MD5 | 5ad4f386075b6c455ad7e7de4213dc56 |
| SHA1 | be468fc950b2fb5a90a715ee1c621a3fb81c8751 |
| SHA256 | 1e2e6411cc5c8d8b8d7643035a24a841c11dca60e5d1b332a17394e08b45a9e3 |
| SHA512 | 5444875e85b85e71256dcbd7d33f81ff9c4b2c719f97d710dc344d6563684a7e4dceb68059d99fa7430b6764433bbfcb087d9680f06fa0567b24b4e233fe86b0 |
memory/744-125-0x0000000005800000-0x000000000583C000-memory.dmp
memory/3380-126-0x0000000003120000-0x000000000317E000-memory.dmp
memory/744-127-0x0000000005850000-0x000000000589C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | 87bac70c88db5a4f6022e72cf400c61b |
| SHA1 | d9470f4f7bbdce18f7a9feafaaac820a2580096b |
| SHA256 | 048132b1fb9567f03f424971a16832c4c95d94fd568500fa4ccd66becd5a6be5 |
| SHA512 | c52a87fd7e282f88487249dc30add581c486cd091b8b205540222aaa83808ccab355e083543b6f266c6499b8134b4c6eb6a3d333b1679ca54970e073939252b3 |
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | 52b664f21bdfc3981881dabe4eb1d1a7 |
| SHA1 | d28f126945db84b2b83f8e72042e26401dd7916b |
| SHA256 | a7e4e6d52e10a44eee97a065543d4c0c1e9c2bc6e1347a2bf0f4afa4d6f939d9 |
| SHA512 | d554ded13f051b4ca076f30305e964e8107dc1a49751b3b45ea7827d466ac727b8fc1c9739504313175cc1be6f8583e75031131b9b1c975878791db9bf500590 |
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
| MD5 | 7557bc6b88318b8ca26d1b467e2e45c8 |
| SHA1 | 5aabdf7d08d3e087c255ab15ba20b36710c3f12c |
| SHA256 | e5014ac1e7c1e0ac672c131857a8dd818eba40af641b601687f20db61ec9d522 |
| SHA512 | f999c4c0c2e7483890842b6e903012db5dde69c9552a2e0e50497fb01d093e5b68d27b0c7728b3207e732d0c9d88030029da725536a46c72e6cc018a0ad87c2b |
memory/744-147-0x0000000005BC0000-0x0000000005C26000-memory.dmp
memory/744-157-0x0000000006B90000-0x0000000007134000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | 810da00c69d55e89dca3bfe9a6f6a420 |
| SHA1 | ca02bdce48ac20f7b40ab720079009894f369990 |
| SHA256 | 64a21d074850a4e8dd28a846e8f9e5d72d5549dc68d9ded2e9bff99f730f4d80 |
| SHA512 | 453f25595db97195c6211a07c821977e1db5015906865fcbb535172c5fc1733a131eafc512dc896f4c8726c9d58cf2aa6b354d7e33ae3afd9371a0c5432b3034 |
memory/744-158-0x00000000066F0000-0x0000000006782000-memory.dmp
memory/744-169-0x0000000006790000-0x0000000006806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe
| MD5 | e955394816239fb3e4142ff955e88bfc |
| SHA1 | e62f7cda63e9cd19cbf4baf6513474d6f6495797 |
| SHA256 | 7a39eb239f9c42ae2edc541a56921783378a0ada9d2f86cb6aada8539897a7ca |
| SHA512 | 5ff3f48ec882c0f5eda30c78b949e7ee2afafaa724a55ee477dfd2a1dcd549cbce0fd0b3683c686f56eb4ebe172c2a19a2746ede0d9e23a06d3e429548683d16 |
memory/4000-170-0x0000000002520000-0x0000000002582000-memory.dmp
memory/2784-171-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/4000-172-0x0000000004A10000-0x0000000004A70000-memory.dmp
memory/4000-174-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4000-176-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/2784-178-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/4440-181-0x0000000000400000-0x0000000000452000-memory.dmp
memory/548-182-0x0000000000FD0000-0x00000000014B0000-memory.dmp
memory/4000-180-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/4000-179-0x0000000004AD0000-0x0000000004AE0000-memory.dmp
memory/744-177-0x00000000068E0000-0x00000000068FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | 81d642b6b5ce82dd48b4b652be33ef0b |
| SHA1 | 3ca39aef5f56839895a6b802bc05cce464ea89d5 |
| SHA256 | 07cf174b1309fcd24b03e2252449799c72c70826d692ce65f5e1c4aa9ee06031 |
| SHA512 | 9267a78e24bf70d7569e553bf37c9919907016cbe8ccd33887e446c06fb453e8af3e11e31d4a199de61cc3a1ace13a2bba0ca40e73db601cfc483f48ea45cb3a |
memory/4000-187-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4440-186-0x0000000004FE0000-0x0000000004FEA000-memory.dmp
memory/4000-197-0x0000000002590000-0x0000000004590000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
memory/744-185-0x0000000007A50000-0x0000000007AA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
| MD5 | b2f3f214e959043b7a6b623b82c95946 |
| SHA1 | 4924ee55c541809f9ba20fd508f2dd98168ffdc7 |
| SHA256 | 73858a7bbfbc90c05f17abda15758e362f59be5bf440b3dab4b3f0bb8ad44d29 |
| SHA512 | c22d3f4e9cf3615034c6a6657e6b1773cb37cec983a87c61b0d0414dad15baa1fbf53e77b4049e9ab3f0a13070b21bb82c523bfa95787035c35a4b38f1b77e67 |
memory/3904-216-0x00000000009F0000-0x0000000000A72000-memory.dmp
memory/4372-219-0x0000000000960000-0x0000000000EED000-memory.dmp
memory/744-218-0x0000000008250000-0x0000000008412000-memory.dmp
memory/4440-221-0x0000000005260000-0x0000000005270000-memory.dmp
memory/744-220-0x0000000008950000-0x0000000008E7C000-memory.dmp
memory/4440-217-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/3904-225-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/548-236-0x0000000000FD0000-0x00000000014B0000-memory.dmp
memory/3904-241-0x00000000053E0000-0x00000000053F0000-memory.dmp
memory/1084-250-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | c53008e60ad81bdabdc16eb8d27b0b18 |
| SHA1 | 5239d012b6d701c903ba326e27fc5ca220a9b8d6 |
| SHA256 | 2cb5be789fbf15a8521fdac7253f19c2416fde182e2427d7f7a47f08f67ab6ac |
| SHA512 | 49f45c027067ac9cdc8463ffe29549d84c234d3681073666c0f150beac824bbfed5ef5106fd3ab067347d192149857d6b5e6d3b1b2cfd11b0c2e5340aa374d23 |
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
| MD5 | 5a6358bb95f251ab50b99305958a4c98 |
| SHA1 | c7efa3847114e6fa410c5b2d3056c052a69cda01 |
| SHA256 | 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5 |
| SHA512 | 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0 |
memory/3064-257-0x0000000000A20000-0x0000000000A74000-memory.dmp
memory/3904-268-0x0000000002CC0000-0x0000000004CC0000-memory.dmp
memory/3904-269-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/1084-279-0x00000000730E0000-0x0000000073890000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\crypted.exe.log
| MD5 | 84cfdb4b995b1dbf543b26b86c863adc |
| SHA1 | d2f47764908bf30036cf8248b9ff5541e2711fa2 |
| SHA256 | d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b |
| SHA512 | 485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce |
memory/4372-283-0x0000000000960000-0x0000000000EED000-memory.dmp
memory/3064-284-0x0000000005460000-0x0000000005470000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
memory/4372-287-0x0000000000960000-0x0000000000EED000-memory.dmp
memory/1084-294-0x0000000005470000-0x0000000005480000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
| MD5 | d177caf6762f5eb7e63e33d19c854089 |
| SHA1 | f25cf817e3272302c2b319cedf075cb69e8c1670 |
| SHA256 | 4296e28124f0def71c811d4b21284c5d4e1a068484db03aeae56f536c89976c0 |
| SHA512 | 9d0e67e35dac6ad8222e7c391f75dee4e28f69c29714905b36a63cf5c067d31840aaf30e79cfc7b56187dc9817a870652113655bec465c1995d2a49aa276de25 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA1 | a118cf0ba2d4ac47473b9140c0aa7745efc6aac7 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
| SHA512 | 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64 |
memory/1708-285-0x00000000052D0000-0x00000000052E0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 51f06b46b3a0d18378ced767d82ab29a |
| SHA1 | b9a14a18c4f5447e7a4092fe67df5488837004e0 |
| SHA256 | 3b4b7a94afbad56a690b3244665e86179be635d78d97fb29fd263be3d445f691 |
| SHA512 | 8425edb84a89b3e2547306ee7e2660a984538d411088b9e407b6a402ca38c7356ff8ef0fc29b5d89be06b66d6cfe5786721abbc1bd5df5fc341d76c97e41e745 |
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 4d4dfb48b507912cde25efd6234d7dac |
| SHA1 | d775bdceb80792a462e96b67edd0be34ee6c67ee |
| SHA256 | 7c9e03d2bb488bda0ae8d30cec7b147a42a9b80e461617d12975e6a947947fd5 |
| SHA512 | 3b936f5843665091d19b5f8047fcd2cc7e232e07c9706f866d3f66731f3bcd8fd15196d054b5416dfd516918a6c89129033141cc08c47bc6b716488114e6324a |
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 0056fa740e7bdb737c7ef1699eae57a3 |
| SHA1 | 9910bedef4e5c2b1727f8cbe2032ae6bade6a7e4 |
| SHA256 | fcf7ac7a28e4b059ba60026a04c30c759c2ad4bc86f11dbf42d965ab31ad877e |
| SHA512 | 8a22a845b8183918f05e31f36edaafbd84031f9266bd573dd87611c92cd20e5afd423a3bfac7385121ade1bbf83337c8d166e20df249416f0fbe33a063ee8bf7 |
memory/3404-354-0x0000000000610000-0x0000000000699000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 5310ec6a08a2439e3d1f95171fd80377 |
| SHA1 | 5d06c04524b152799b85d9f265abb8d9082e1fb4 |
| SHA256 | 7f2fa496fe5d905f7e103f747416753751e7950ff4c52f58097269c75e4fd2ab |
| SHA512 | 3374eb77ed1ed33e3bb3cb2cdeececb79f8ffa00ed9cd4c97d30b2b3da2909d2611df928afbf5c6c39d9eed6c2755383713fe21f5d06a6f2202423cb4d2dfb9b |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | f22b0415c679ea3cdbc04055ba495d10 |
| SHA1 | 4fa9dc29069fb282d5750df4d7c9e7956082d08b |
| SHA256 | 53fca573963e6776b7c41ae86d655e6315bb4580b4f2dcdb1eb1350047b9b522 |
| SHA512 | 942ebd7e802094cffda1796cd596fec19af7212ae742fec05657f44a29b41db71294cacf6e4f8df0819dfd0fb956d8620a26d84d4dc865f3545808a448370037 |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | f8395be734a1e57d14bfa8004dad040d |
| SHA1 | 9a38ae0a38e1d9a8ee2d3818505a8301ca392f82 |
| SHA256 | ba315b8ece56ea78cf7504a7cbaffec6bfa7cac0a040e38fb517d059a3fba0ad |
| SHA512 | d410b067c9851490c7e6887d5f0cea6e790faea297d150cca817ec82f68d20cf39a0984a980453f415e9d683f0a28ec646608d87063e5379e94880caa00ce815 |
memory/2784-380-0x0000000000830000-0x0000000000C38000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | f0b1dbf7b7f27ba5b7177724f80293fd |
| SHA1 | 6451089babcd465ef366d7a7ba07a297ec5188a1 |
| SHA256 | baf727506df169762669ea9298bb83849abfd4dac035b20af4e42688406d6dd8 |
| SHA512 | adeaf336b6ef16728ac529c9a7025768442cc4ac68fe386191ebfaeef04c00af7813f36ff20e8d603b03ea8042a673757f1c7120835d24236487a5b17f2f7890 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 09bb58965bc904f65f2c288f3449ffa3 |
| SHA1 | d6d302cd48b739d13b37963a06e3732d44a97f1d |
| SHA256 | 819e94c0a1930dd569acc17d8931a1a378532288430dd68073d6b235224638d6 |
| SHA512 | 13e698c88121fd8cd56c7554a8efa43ea08dbafe3f80c458a2aaa307e0670289a7561e98e6929f8253e928883b12c5aaff91ae10888fefde28080e2f7f253a5d |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | d35abde6c7161184ea22b6d383f881a0 |
| SHA1 | 6b44b715837335cad97e6fb3b55e61772aeffe54 |
| SHA256 | 2bfae2d6e94c33ca29dbf420b8b77356529e7416414a83e272cbd8b9f2f2e521 |
| SHA512 | a05a70907f4d5370de584cb093cf39e8a72844eb3fb5d390864ac83b410876ccb58702baa092252573aee8e0c3580f6c4921502c0d9f00cba2fdc24e2a8c696d |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | a1470335c14e84fd1f158878a5776ae1 |
| SHA1 | 98ff4297b83233ce26c0a116abe76312af645398 |
| SHA256 | 8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5 |
| SHA512 | cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 3228b50902bf06fd90c7ec763c6c55a9 |
| SHA1 | 07a2c29a6e2bdb4c8b210c45430e0aa18ca20829 |
| SHA256 | 6b51a6e0d464e5266d6cdfa269ee27ca4c57a34191402d1c1849a6f03186fcd8 |
| SHA512 | 3e94fab45a81149b2a11b66ee328d482c2d7b471145cadb4ae8a97ff8fae8d51c031822e2e400aaedaea90d205c1d910aae0c1ed00010b4be2b7c0aed69b6ac5 |
C:\Users\Admin\AppData\Local\Temp\nssCBCD.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 2706e54160f0d13f18e16b179a9ff54f |
| SHA1 | a1371674239cd0dabfab6e7d99d119d75eb8d120 |
| SHA256 | f4e4a1493eda761d98ff91b56f5a2d741410a04d8c01cb6a3df180a5d6078280 |
| SHA512 | e81007bd177857b1d94813719522dedd965c56e8836221598488ca5d8ef02345a7b7df18dfd16b0b61559ba5e44c0c5fac483bf9aaae0d93522bc87d5754e4f6 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 06085332e3f39811251ad4c3a04bf5ee |
| SHA1 | d82effd0fa041013cb46e95f240a3f0efd23d877 |
| SHA256 | 0f5b20e005a51310f375077bf14f19c8a19e38734c125db7f6c6b41117708217 |
| SHA512 | 65373110edc3af7bd92bb0bafa48d45e83f0eb2142ae2283d31a7b8e69d66509203f7a5ef1cfbb6b18112a0a9931e210134e4ab53bd35dca3ee9073e5262cf0d |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 3e30790cc9414db7223b841be88ad4d1 |
| SHA1 | df8449db29ea69fd7deb60984cb36642ebe9af7b |
| SHA256 | 55caf366eed404b54ecea7d5c910d089e9dd2c3edae826b537e8ef16c7063abe |
| SHA512 | 843785fd2b969f614df800e48ff2b0efd8707bfe820adb88fb84fc12cd775d51e406fc9e24da1f67e4884402dbc50edb3329f3124d6426fd7e38c79cf718a9bc |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 5fc3833765e0d0a94d226bc480931a19 |
| SHA1 | 239778d5c4dddba969c7c10f3697f690e01814e2 |
| SHA256 | c1c48c533ea6736332f9c6906f13b18cab5ed3ea5e81a1aa472044d43e7abdb6 |
| SHA512 | f6d9b45cb5008a1bc9de01f1da215a82383d4768f07c0357bb82307554091c52655ecd006ed43b702c2282c136582394757e64862622614ec425dd1b68a74e9f |
memory/548-425-0x0000000000FD0000-0x00000000014B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 0b374be36fee0eae8b1e305f1e4073f5 |
| SHA1 | 3e5f24441b9f00c3e5beb7ef2438d1868259d852 |
| SHA256 | bbd48c58bc41696a56c317d9650057c725642e5c1dee71a8b4f0b9cbd9095ad4 |
| SHA512 | f8abf77020dfe9cba6c8afb6535a86338a8923dac7d3a81ce78110302708611109c3b80104178ec6dcd95ce7d9e60829fa8b88c7411aa726699aec04eaaccb9c |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | f39190b7b1b71c46422bda88310fc7ea |
| SHA1 | 6896e5307f7cbbba35ca8328db82325458122dfc |
| SHA256 | 2db182f76ad1f6c00daba3e80bc78756739e7005873ba3c73eb17eb0aa1d5881 |
| SHA512 | 6c3a76fa005f30384c4191339bb2980c01a9bd9556a0dd50f113423b49e7fd9162e80623b2445131540ab93b186d971b8e5d077dd40c2a0527e884c0bc9c8625 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | b5c71e949a63ca8386a33c851002d51f |
| SHA1 | 7b5b97c75aceb0eb7f8d137ee449fec23e06404d |
| SHA256 | 23d9cdbf7e44149a1cb1aaf4aa096b293c5cc5045a805f4fbfadb7cfc9637259 |
| SHA512 | b9132a7b51b223d684fafc0c135d91f378e220d75a6da7a8169f4f1d5faf3570a44d662497b66d1e2571eb63546ad0fcbede74c0d355dd1cfb688f12382499c6 |
memory/4372-465-0x0000000000960000-0x0000000000EED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 2c470494b6dc68b2346e42542d80a0fd |
| SHA1 | 87ce1483571bf04d67be4c8cb12fb7dfef4ba299 |
| SHA256 | 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9 |
| SHA512 | c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | b8449f91ecd64b2e6fe9c8607f348669 |
| SHA1 | 1b288d0d2a6a04c8f704ad95640e01596521e5f7 |
| SHA256 | aa10dc154d1d230bfb428ea04dacc89c7076f5a6658e36e34f1cdde9190a6a54 |
| SHA512 | 41e6e0939a4afd84a446e4e65f420c09b6c026afca826b85178e464fbe2584e2a61f651d8a029a07bd8a77fb8bc4ba915b756e8fdddd697b72b813fe1ae9c418 |
C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp
| MD5 | 4d1536443c0c72543ce312195f21e784 |
| SHA1 | b10e6254076b4a2ccc137baedd64f9d6605d12e8 |
| SHA256 | 0371fbd1376855c5dc8e6202ed99834a4a085e5d9c0a180084a4513303b6ae70 |
| SHA512 | 7932e6530c64e6c4ed2d401f7334ca5adcfb17b01d5101244863a12dc79b70f3b789e2ae02ca458503c5cb9abe2823bad06df709bd0dbf4131955faa192ba103 |
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | bf2a3e48b0ea897e1cb01f8e2d37a995 |
| SHA1 | 4e7cd01f8126099d550e126ff1c44b9f60f79b70 |
| SHA256 | 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3 |
| SHA512 | 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91 |
memory/3404-531-0x0000000000610000-0x0000000000699000-memory.dmp
memory/2580-542-0x0000000000400000-0x000000000048A000-memory.dmp
memory/2580-547-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | a54e442c0ba096e239ae84b881ac5431 |
| SHA1 | b6a2a0bdda4fcf342170647e9950ef2d3faacb05 |
| SHA256 | e1fd64dc0919fc314f81422b0ce8da5358b2e7f304bc87bc7a6eb21f66bdeaa3 |
| SHA512 | 2a7d19558633d011673a26e8664f78c8aa6a0a7205fe33772325640522d6f0fd78d31b779670cac3533c2f367fb561e5caa85ee4eadd9e08748c9936bfcfae7a |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 9edebe77d8a38db11eaa01aea66c0bfe |
| SHA1 | b1e8ae274513d903672dd8d9a564bcfd51b393ef |
| SHA256 | 1faca181d7856ea9eda636d8791a9a45b58fbf1ac22d041dd2c444ec4fbe60a4 |
| SHA512 | bd22d71e51bbb472ee763ba06fa1b452badd34e4a5460270ac5c37f70348a5b8ff57f5e56dcaa25e96841fc8e9e0b02ed366bbf6750c59a09336dc6c01600157 |
memory/4452-566-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2784-569-0x0000000000830000-0x0000000000C38000-memory.dmp
memory/4452-570-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-567-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-571-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-572-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-573-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-574-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-575-0x0000000001080000-0x00000000010A0000-memory.dmp
memory/4452-576-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-577-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-578-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-579-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4452-580-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 07d72a32daa65d79cb4a475c8563b65b |
| SHA1 | 6b89a42b2690641d2b52f7a76ff9243fc4b3ea42 |
| SHA256 | 5715ba704a64082291960f971600e57d1bee120365c0f832fc6cb5f8e9a7335d |
| SHA512 | 8a4c9888859c494b64faee165b0340af894418528f069b4b9835cc46db994a3b84c6a30d2bd19696bff448f201db2f8f0750a0b8543347bd6fa0cfbbf937befe |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | e67cbb5370aa1e0cc7df4ce62dc5f82d |
| SHA1 | d470d4a877c84b009a5ea438b95e92fac7d4911c |
| SHA256 | 50847dadf9e3065478f004cd35e99f3ddc6032f97c01cb2e1ecb9a81da1eccc6 |
| SHA512 | 4891fb2d3dc7e1d82e5d87b7537a8ac805eb9199b6a248513968803fab5a15b1d1788dcca8f879add5bd6fadd2adc46b1904f04181182d5ea04e0a977f3adf63 |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | f0148aace93a5d316fcaab79eb9a52a1 |
| SHA1 | 05708ed64cbdca02904cf81ed80cd6b5af6fb099 |
| SHA256 | 4d696f6d8f6b0e158e56c123f91a3da3a1665b5acbe38db686dfa54bc41745db |
| SHA512 | fcbec064d97d9812d405b0a2a9e9fb9df78beb60ffc92fb112bbdba740602ce5c018a2f6a93d281d4864d6281e36b451ef68551d7d258cf4cd687e38611022cb |
memory/548-603-0x0000000000FD0000-0x00000000014B0000-memory.dmp
memory/1472-604-0x0000000000400000-0x00000000008E2000-memory.dmp
memory/4964-605-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 2ee8ae9a18ae8148086566c941472012 |
| SHA1 | 8abea4bc078bdbf191f587073604ad20bc0205e3 |
| SHA256 | 6e4168ccd4846a770dde9433ab2ada4b525528e90f4f0a4536d37497cb483824 |
| SHA512 | b1b7a22f398900279530ba417de07c5266459763cb28f3480507ae581b24dfe0f3e4993a4330d88b855f3353690887318616d928b87d98a76270734d95b41291 |
memory/4436-608-0x00007FF672440000-0x00007FF672E7D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 150aaf12e9400bdbaa61ae427215a49a |
| SHA1 | 61f448c80bc48362d3c1a74051b7922f3ade206c |
| SHA256 | 2e9d5d086395519d605c03a5113921e630a3bc45a3f439dbdf04908d4ec8bf9e |
| SHA512 | fa33c3bc45f2fa430c89d30afd1a94c967c9d1c585cbb089bab59d668fad7214467e92fcdc130524255e6b195588061e7c7a2cf52f735a93be2abbc449452f09 |
memory/4372-630-0x0000000000960000-0x0000000000EED000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 9455125717632ae8f21a2172a2610eee |
| SHA1 | 67f13bf6cef3da84a9c746fabe5b3c08c31152d6 |
| SHA256 | aff4a80096c94459486e953fd57dc0ffb39ba340b9cbf7548fada58a4deef42e |
| SHA512 | 78791a44f260a01202894ad9d7de4d637a11e35f0ce07ab58a73f3a8c7d9dfa373532b9928f57b31c2851944ee37f7bd5b8f0d600570504fe36f150e2886eac1 |
memory/1648-648-0x0000000005760000-0x0000000005905000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 008f67b36b9be44885346e2b58aa8fdd |
| SHA1 | 748d68315388cb0874ddfedee3dca5c235ced7d3 |
| SHA256 | 651502e37667ad19128bb7e92365b5421150e4b64ef1108f0486ab9681579166 |
| SHA512 | a207a8f618d989613ba3daac6d5bec99f7193c36bea6aaa7bfab91a1e1f7edac820278e3e103f01f4fb7265fa87890fe2db0fc9d0ef868e1bebab16b14db0c2a |
memory/1648-667-0x0000000005760000-0x0000000005905000-memory.dmp
memory/1648-675-0x0000000005760000-0x0000000005905000-memory.dmp
memory/1648-680-0x0000000005760000-0x0000000005905000-memory.dmp
memory/1648-684-0x0000000005760000-0x0000000005905000-memory.dmp
memory/4440-683-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4440-681-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4440-679-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4440-674-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4440-676-0x0000000140000000-0x000000014000D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 26b0e1817c946b08d79bf5fa9463e09c |
| SHA1 | fe1fe0eea55a567351cc00df77f4c814a0fb61bd |
| SHA256 | c027c16cad90e9445faa2e1c0e220dac7adc8fe813f30fdc026ae90abcf7acd6 |
| SHA512 | b5d0fd44d0394dc94723cdc36c1e6534ff6d718a0ac18fcb78545fee878f8d41f7b7ac2e4dca86ca415ff1413970b2d033a51ae204b6f351f6de09e18d7e8896 |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | e192ed56e9f5156b30ac5b5764f1eea1 |
| SHA1 | cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5 |
| SHA256 | be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3 |
| SHA512 | a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 97650dcd02840df3d852404dbcd7b6fe |
| SHA1 | 89dfe504c083d9b6ef13dc03708ac4c626b2199d |
| SHA256 | 3df2467733d9ec8420449d9fa074927afdac005b35da2c028a57decfd49be1e1 |
| SHA512 | dcad292278471b3f007edddff6d72e1bd01f74e9a03986620033831d5f0695644781f8540e62dd39ab4d3237a83c4412b0d337b0ed339e0a850e8bcfebf64213 |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 7dfc17f5285ffc263ad707fb6961be7b |
| SHA1 | 74682ac3e422945a2877cb9d929f0ff5a468a3fd |
| SHA256 | 247a2246e66716badcd95844b6343f753819a1a9e6c4612027a8515208e97bd9 |
| SHA512 | 46bc4bf05c58d171fbfdac739c0d0c4ea03b36fd2fc8f542b8f018dba6bffcd28b5f2ae1497a78a0ae83794e05231790cdae56af4ada82e3a1a0c04ad0ed5d2f |
memory/1648-653-0x0000000005760000-0x0000000005905000-memory.dmp
memory/4452-649-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 36cdae10478c115fa64c36d80dd83b2d |
| SHA1 | 57de5b99dd48d35569fb12e7454c1b6f4b55e267 |
| SHA256 | 50755f295af8188d4169790291795a25cf8e73c1d6ace2c27faf62e4cb7f2c34 |
| SHA512 | 8bc676477cefa732a78f613344cefd04f183b22113779b169beeca57246a0c5bcc7b5296162f72f53a2ecf1b6d12399568d90565086bbbf88e8780af5be6cadd |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 5ea776e43112b097b024104d6319b6dc |
| SHA1 | abd48a2ec2163a85fc71be96914b73f3abef994c |
| SHA256 | cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341 |
| SHA512 | 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2 |
C:\Users\Admin\AppData\Local\Temp\398549320365
| MD5 | c7c53db43db6390c4d099dde400d765a |
| SHA1 | 3e5723809205beaae9fba0daf5a939578d03bc4f |
| SHA256 | fad0910cb41893dcef4d10bbaa2dc8a6767cb4708de262475a23bbd29c94ac4b |
| SHA512 | 60056f908ef781433efa3f6e3f85a21070a7718708b185da6ca07713600cf5403e28cefb2ed82670a61dd43da199b8540af881e4e6a887c4176aaf48d408ea5d |
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
| MD5 | 3459e4e3b8c2023cb721b547fda205f6 |
| SHA1 | c4cc7eb4d2e016b762e685a87b16144fda258f9c |
| SHA256 | 9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd |
| SHA512 | eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_agnuvtpu.ewz.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
| MD5 | 5fd7aff48d27771ca0aec6776afefb93 |
| SHA1 | 5d57e1e85a836b736d3b3c2056d500d1d2b92dd2 |
| SHA256 | a9498e18f267a568b57d3a281d14118c70ffd1aae42411ee9a7661092beee97b |
| SHA512 | aea36265cf13aa252ee06086b22002165401fed256d1bdfd26aee61f4b26e7c29b430237a6941a5a09f923b246cf84cf75b110aad9f01c694e992c6b076bc293 |
C:\Windows\Temp\zamrbllfjgdb.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\c39c4a68c1baf0a4b7e4691e3eeab4d3
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |