Malware Analysis Report

2025-01-22 10:26

Sample ID 240130-vzvbzabegr
Target fe5aa71a9083e8e8afe13394c10f01df.exe
SHA256 f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e
Tags
amadey glupteba redline risepro xmrig zgrat @pixelscloud livetraffic dropper evasion infostealer loader miner persistence ransomware rat stealer trojan upx 2024 @rlreborn cloud (tg: @fatherofcarders) collection discovery spyware
score
10/10


Analysis Overview

score
10/10

SHA256

f85208dafa53821b234f115339f4c2dfd60a59bf51e3b60753e8790df688e19e

Threat Level: Known bad

The file fe5aa71a9083e8e8afe13394c10f01df.exe was found to be: Known bad.

Malicious Activity Summary

Glupteba payload

ZGRat

Detect ZGRat V1

Glupteba

Amadey

RisePro

RedLine

xmrig

RedLine payload

XMRig Miner payload

Modifies boot configuration data using bcdedit

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Loads dropped DLL

.NET Reactor protector

UPX packed file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses Microsoft Outlook profiles

Checks installed software on the system

Adds Run key to start application

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious behavior: LoadsDriver

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

outlook_office_path

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Analysis: static1

Detonation Overview

Reported

2024-01-30 17:26

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 17:26

Reported

2024-01-30 17:28

Platform

win7-20231129-en

Max time kernel

0s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Process: C:\Windows\system32\netsh.exe

Possible attempt to disable PatchGuard

evasion

Stops running service(s)

evasion

.NET Reactor protector

UPX packed file

upx

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Processes:
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe
C:\Windows\system32\schtasks.exe
C:\Windows\system32\schtasks.exe

Delays execution with timeout.exe

evasion

Process: C:\Windows\SysWOW64\timeout.exe

Suspicious use of FindShellTrayWindow

Process: C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe

Suspicious use of SetWindowsHookEx

Process: C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe

"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 596

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 96

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp

C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130172633.log C:\Windows\Logs\CBS\CbsPersist_20240130172633.cab

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1232 -s 596

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {4FF03CE8-535D-4D4C-AD0F-78B88D0E0087} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 612

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network

Files


memory/2512-234-0x0000000000FA0000-0x0000000000FF4000-memory.dmp

memory/2512-237-0x0000000000E90000-0x0000000000ED0000-memory.dmp

memory/2512-236-0x0000000073510000-0x0000000073BFE000-memory.dmp

memory/2912-235-0x0000000000220000-0x0000000000700000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 8709a7a91f6a6e9ec1e596add8237a36
SHA1 655e47527764b8d60a96c5a8cd0431abe5d78ce3
SHA256 00277d2bf5dbe1213cbfc66aa981a98dba0b565485cd70c679ca8a43e89d972d
SHA512 a00beff1e798970ae59d75ad11f8014963049f30dd49ac63ae5d098231f0cff8fb16928d722e84f1cfa87b8cecc3b9553724d6de93dd85e84ecd6d34b9a2e5c5

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 845d2be3f1f1efc1afb9397727a7a057
SHA1 dc4f0f1ad7cfc466b5e50ad23017de96e5dde00e
SHA256 b4529230a2426af084ee9d207023805533cd6c098ee65dc03df8ed2306ff05a6
SHA512 4ec641ef071df83f778a6a4b2b68c84586b45d5f7b2bb442a655680f11edb6475bcb65cadd066ff0ee598604be57dcba0da5ca0f3c632a450c6f26d7ac9d40cf

\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

MD5 5a6358bb95f251ab50b99305958a4c98
SHA1 c7efa3847114e6fa410c5b2d3056c052a69cda01
SHA256 54b5e43af21ab13e87ff59f80a62d1703f02f53db2b43ddca2bbd6b79eb953c5
SHA512 4ba31d952bffbe877a9d0d5df647e695e16166d0efe7e05e00ddb48487ab703413351a49043965d5d67ed9faca52832ed01bf9fa24d5943fd591b2d263cf05c0

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

MD5 b4e3a1a4c27a37190570a2a10554fdaa
SHA1 9ca304cb8294b5b6070859de7afd0b2f8b23cc1c
SHA256 f1bf7a33139ad6ef58bf3a739ae73ad14e780a5908dfff27e9f59e23eaa33b8c
SHA512 483abd4d45bd5da557f9c9aab770fc82192e6647960191d0a41f4aace447dfb6ef0a057cd097aca8159c23acc7094aaeb3b89f4292ea3d95b03cbe525de389a2

memory/1328-254-0x0000000073510000-0x0000000073BFE000-memory.dmp

memory/2848-255-0x0000000073510000-0x0000000073BFE000-memory.dmp

memory/1328-257-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/1328-258-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/1328-260-0x00000000048B0000-0x00000000048F0000-memory.dmp

memory/2848-253-0x0000000000240000-0x00000000002AC000-memory.dmp

memory/1328-263-0x00000000022B0000-0x00000000042B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

MD5 b0b50421cde9c88de135f33495148568
SHA1 d6efdacd4ed7ae70b6cb312821262861bc639f7c
SHA256 e3a7b22dd5b9c12cff2eae6eb86d16ebcbfd6bc6d860df035433e2279e4a458c
SHA512 2b736078c852028ac69b1614e80d8e3a80d3f1eca1528d3f7be38884e719aeec9ae153013f652a4000cafa6a617dd07376cdede68a1ae44c285b49641cd0c8dc

memory/2848-266-0x0000000002110000-0x0000000004110000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

MD5 abc91b60f898abfb80b522fd8819483e
SHA1 d006651117b6c25b3627e19244a0feda24f2c310
SHA256 26f8582035c444688777cd82264ae0e6e94f55c1272fad968d69aab7bd1d86e1
SHA512 1cb9c876a31d6d9f3325705a707843d2f7a7b70399e7c02340f9cfe115d91365690124113cb6b0bdb9ab86c83bfe4537854b53f42614753260430d586b5e30f5

memory/1524-268-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 b226e0679b4f93acd69c33f1e9d239f8
SHA1 759b77628ea99d7d57bc7a78fa43e068882ec803
SHA256 8dc3d539c6657fe248c63ebadae6341fd73b99b0b6b129d982d499ed7467acb4
SHA512 6d3ab7b68ed70a870dfbfcbfb778e7a1d57096c63230e7f4b3d547fade6ca2da32b14f3aec4bb789b05b5739099bf7dcb9e8ed637794812328f969df1b1d7a8f

memory/2848-284-0x0000000073510000-0x0000000073BFE000-memory.dmp

memory/2296-291-0x0000000001E10000-0x0000000001E52000-memory.dmp

memory/2296-293-0x00000000020A0000-0x00000000020DE000-memory.dmp

memory/2296-294-0x0000000073510000-0x0000000073BFE000-memory.dmp

memory/2064-292-0x0000000000BE0000-0x000000000116D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 f6080f9b71fd61a049c86024d3ec694a
SHA1 3eb9b4d933f15a2cd22fa25079aa4a5258c0b906
SHA256 160f9d86d4a1de19a81e80360b4902a66d81c6985d2b5ff26474a350761b2c51
SHA512 6b6dbdd86edcdd9659aea5f7c14801ea6e09c73c0eb28e36e90fcd2a01b23f19d6f66cc136ab07cd48ff64067f2c496c3892ef1d58c3b2588e17abcae5e95476

\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

MD5 5dc846240b8cd8c05f36c8ad7adab51c
SHA1 0fb83ee8be31879ceff12035b0ef1f8ff742c35b
SHA256 761324204c8614114ba6a2bd3e470ee22dde1dbe19d2f9fa1f77b4eb144409c7
SHA512 500e4896918654d8819ecb33e2ef2985257ce5d338ee39d4704a0919be60db49a917f90e5b3e903dc7cf3a85406a99e7441d336069a6123475403e6e03477c58

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 fed49d57527d280c804060ab64a8564a
SHA1 f92e96f10d61cba84f8a38dfffed52e32ca31bd5
SHA256 df560641ebe2ef1708836f31cf15baf071ccd7a6d5c9d7c4c78f69a22a46076e
SHA512 16aa563cf2fa1123e0a49faaa04fecb85d7581c87132486cd724617defc0cfe1e7839b6752e0eea445ce67843f35667c7c2c2326bca23cc34c01a89618419217

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 d2245067313908915de6047c74acced1
SHA1 ea67900a2419388ebafd78c71ad5ff122e110267
SHA256 b6a324ab6dfa87ad0fbf8ffa1de66a231adca36c74e9bd50cd6d08da684bb08d
SHA512 4ecb06a061ed9e95a706f72f07d4e7ee68c556b67c6dd0cc13c555aed0c8d762ba982a3b34073a453733673f743ee6baaca813379db48b2acd6949e3dd68098b

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 1930302afa28f98d58906dbb173248db
SHA1 a5f467b99fdfc9a25c29bbeae8c2a28a225bcb0b
SHA256 ae798fc3e89e7263457c1e961cd9d9c0cae6b3dacdce6c1ab8f97699014936de
SHA512 cfe0e2ebd11c2b63c145fc2698e7440902af19e15e4cea396dca9c8892398def18dfa1107acb1e615b4f39606595d3311bd55178c8d82ce62bd6aeff15dbf5b6

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 afcc44cf96fbd683f6fc8820bdb36a9e
SHA1 8aa67f2960f01c26e486476a6073fb77d71bc778
SHA256 c194c9e27c977133127637fbfceb8ec9da3bdc02a02c47ffc5d05a3e8e5162ce
SHA512 b5c5ce0dcd6a0380b369f063e013a98f3f95c55bae8e1787830e8d5df64ae99de5581f7a7b4fed3a4ea7b03a557958c7fe5016048d1e7425e3505eeba17d04c7

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 012d5149ee69742e4c113fba2eb66a00
SHA1 235c50d581be5f5b55cd3cf4a915e201dffcf2f5
SHA256 58b6cfd06c52207a3cb6486d7b201d40df7453455016f93b6d0426d74d26ce93
SHA512 863af1ed8b49b3107a04efc0085fac2dfbfc98dbfbda9945e66b688a4c2d0fd94ae4b8416b8e0bc49a17b4433d2c956e41cd1ae45ef28696b811fb269d15f1c0

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 5bb9e7adefeac3fb03908b7fd840624e
SHA1 e892d61c1fd90f168757cf220ac3ec273b9341b8
SHA256 0d99dfe58845c193f159ac0e3324fcb14d131172f808bfd3ff932e2998b90a59
SHA512 b87be099218460cb9c7efd15eb12acaddb23b8db87a401282dd732615fb65d4d20e871f9dc1c3d0ec7f74bdb1f0915458087cd205bd6e70cc2adaad28b456fab

memory/2352-316-0x0000000000230000-0x00000000002B9000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 505875045901c243e4db09f74b212492
SHA1 096ff6e303db9c0ce2e29064686de27e0d6a1b38
SHA256 95e34e8add9da5d63de8114b17ecc463cbf6e346a62546b5c099f3d7af9b5988
SHA512 3d19f26aba20b4f758d64aadd182d57cc82bbe5c0a269c987c64e9524a33228688dfadbd158f77b20bf11796726c2bad6d327f4414557e79e6d9197868a45362

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 50586cb226934a110ef62de6faced48f
SHA1 9d025bc7ac7b369a439ee922649862ad52e880d6
SHA256 a1c6b5b9d60eda7c53369751ee3d062500b121bd6f2c060dd50376ede79ace0e
SHA512 fa4124ae88cd3fb41d2b3ed592bbb1fb67832315354872c685b52523e2e15f5a0e6bee846212aabd5fbc2ac4478429f91fb9dcbd23cc39488b6e60e4f7b47af5

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 5b8920f182552adf5e487ed5da70bf7f
SHA1 bbf0870abe29bba850bc0a19365250bd5f257a99
SHA256 9f94ec194a130d237ea48e9fa3c2de7c4d44355f04429bf1996fbf42dacda4dc
SHA512 5303165c9a4292fc13d73e913f6ede42dfe491a5cffd2d53e87e9333596e2b4fd6b6effcf8c4bde9e2c7749fea94ae77955d59598d7b9130fdbe4aea69ae241a

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 9314037cf7352c3152a1a2b188d1431e
SHA1 ea4662f8c2e58faa52fa88d5ebd00f1901fda225
SHA256 1f45a83786ef9d084ecc3f90fe3dd675cb2a7268fe952c5dc2917b3f22f13372
SHA512 76966c20a619eef1d8bfd2029554e7c1777782582c7cf3e0daa1aab7610932613a6b8a208c49f249e2b90a9a9bc3ecf4c276748ce3741f12293f06a2676f0b81

\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 e170491a69ebb14dbd8c5d2e6f6eee43
SHA1 0721ee11cfa5a581c74d27d9b225642497e5f11c
SHA256 f48dc85838b008c57d5dd8017bbf593f1cc6f1d45db2b268cb9b42bceb53177f
SHA512 e76ec185ba66bcf7eb3002c04bc53ad04e22e27ac233421bf73bc1b21a5d09b623ebf9c66db1bac6f79f4bbf83e1cc482d964432a58cb17766ee80c2a957b3a6

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 2162391f5caea08b72fd2fad4ad94b1c
SHA1 f1dfcbeae4eb857250ca18d5351a9dba8b5852df
SHA256 3abb2cc21a424c8649ad4ecb27b9f6ba622e69d748b5551ab39809810ce12e1f
SHA512 bb3e68395349ca4468ce42e7f0fa1c38d4f2d5f446aeb84ea8e1907439853e704cd89c09aa3685cc5c8ca739b46176a83b266d1525c49b4babd16188c42ef7c2

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 56c1958ee4303bb234c1443652fc01b6
SHA1 23a41073ca2794b291c9f6d9be52715acd3a5cb4
SHA256 067f8a780e74219d43339c7ec04868c8c146dfca408b7d19f3438098ea8818d9
SHA512 257266d871426f17ab1a32b52a8ff84caeb8eed7705ef25109742bd0e115d44ccb4a8b208fe0cecae43ee57b07c24a8badac7dcbf7a51b17de6a759c6fea8530

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 c116aac593f8bf11047b45b2f36678bb
SHA1 bc624e2439bc7096b22dbcb59dbf7bf6019a7d1f
SHA256 c2d6b9dceac14b4fdddcc0b102d338039364448303628714d27a7af199c583d4
SHA512 e44524322534a107a486d7af6a472eb1de433ca5a70a03f13202747cc179f9a14c371136665979816d1be3a9f49dc1f6d54622bb8114a37097b065a6a6758ffe

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 7148571e9bed61a633558005663a0990
SHA1 cc65c9f6866f395fd45f04f50fa67c4b45e8bbf6
SHA256 56327305d5f12ac7fe66655c9e78b78c56a7caefd4afd59ed75c89ab79d46137
SHA512 3e8bd7ecf743f7d6620ca0f6f9057561e87ee5a9ca3cb05b9e04f00d11d7e1e6396cdb6a43862fff2767b347ee02a4956ba351978b02378a9f283b850776817d

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 b570f310df28887536c021c751aeb72c
SHA1 50639ef5835673275f8650c33beb38065211fd4f
SHA256 280ed5f579f005ed50316d9c4d660c8a9f9ef4fa7652d039134803c381f1b26f
SHA512 bab22c2e547a0fc0c8157447fcb514c8a972e3e95dfe20d5be98e85c982214b7cb8139ad0bec8a125492f18a3ba030267cc85377d96c95dfec884a23f47c565e

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 438ff0ba7fc17c6997e2b96b4497380a
SHA1 eaf9a3a28d2478531536ea217b9c4d6929bb6685
SHA256 f10fb96ebd8057981075072530597deb34736f79ab9706560c9137e169e134c8
SHA512 f88afedbab4f0ff677eef4c33fbb133401350a4afd7da6ac4cc1fb554d8ac4fbea5f5e0f31db4b35a42a90a7a5bb3b2aa705f1e706587840451c34e90e58106e

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 1ce12ca7c96523b781f143f91ad24297
SHA1 96343158c128814e00c5a812f57dd55ca9bda8ec
SHA256 24e2511784ba4115f1797679e248dcb523b091c0099f7db69ae4f6dc37ead8fa
SHA512 ee33e315dc67843e135d374bfdec95b6478578630324d1732fa66bb5f37681931abe2b18488d8565799861864a0e03b164522309fb373bfb58c45ae93230606e

memory/1072-384-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 076c7d95645ae02dc27d4ae64319d1d9
SHA1 7bc546e24ef6724eb7504a4e9ec802d203e0daef
SHA256 83912dcf6cbd638bb2a2e81d5b4fd9aed852f9c89135d4cdd0917d2dba1bad3d
SHA512 84b22514a2129f136ccdf7f806f004a6555326d758a36e8017869282038eb92daed69c3cee9b42d166b7d3d858e9f52f69ef127cee49d8da607b3dfa619481fc

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 a42256603f2cb71f44ddf1b73322c401
SHA1 679d064f6ab7f48d6df55cacd2d4f04d70f4bf1b
SHA256 567c8092aa720746610acc5a335032a33422938fe2ca3816708812a2b805f59e
SHA512 4c782fb7d943da5ae524107b3538e8cef06408aecd98bdebf0c4a8c888fff8fdbf71316c20f817fe05706dad56aee9e99fecb371e75e083c2c2a93813db7f54f

memory/1532-383-0x0000000000E60000-0x0000000001258000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 9a326cdd5336483f0cd679058b729d57
SHA1 59ec4df2479b7939c857c4a16195a86ab20e09c3
SHA256 7e01f2065992cae59ca598615268d7e2bb3603d0d59a354ca0a99b1032d7b9ac
SHA512 64a6cc0192cd5ab3c033b17a27251b68e3e78f1c643ac2c5aaf06209bdc1611226649bb84e44fcaa494053ba45d1792c468c12d652e566114e16db03c9331b82

\Users\Admin\AppData\Local\Temp\nst50C0.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 5a799fd4ab17d7e9e93367d976ed5262
SHA1 04886043e1f3dd909cb2b6dfe547885a0ef82c67
SHA256 88dae1b26fb82071a0af8e12c1d793dd3ee5009977988bd4b349d62e682e028b
SHA512 fafe1684d42b1a56bf37afdc7e750a245bc61bc8729e07c318aaf004ffc4dde1904c99a6ebeda3541a014934f9b5f168524ee080b8b9cfd9fc5fe8e65bbcc373

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 eb4c2b9c4e26f18f6800dce46e0005dc
SHA1 cc7de8b4e194a7e8eadbe61dc4dd7c61baf9f81a
SHA256 3e4689f53b3c5b3b3e2b0eed0f1657b32a94a9c1ff6c90a6de94775d233a5d43
SHA512 a7fbdd728d864f10442114597dde1a630dda8e919612a50226ee0ee641edd4786c456ca428390ac1a55ac75d7b5b393cc73231fcea6c01b879d37b260dd2c346

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2655da509bd45b9667d4a9e9e8eeea5d
SHA1 c221b6a16b7f3872874b032541edfe566a63a106
SHA256 c5bf82f6a369ddc146854f57957629af6a716d88488e81287cac7135b8bcec17
SHA512 476aeaae845f4e8bb93e2bc48c99ac12e4b430aa5ad8fe1e1894853be45b9a7c25030d68300f739ec25f1d4176ace4f74d9148b74ff029dd67402dacb2319532

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 597b05c6285d8ac92b0d8bd1b3606057
SHA1 c0146e00c28d29eacd66dff66e6eee44409146e7
SHA256 dd90a146e70aac46eab9c49ecb5a0082d792cdb6bbdba842bfff943c7e189c32
SHA512 df4c1085b194b5ec3b7c5f48398362dc405fd5570a73f5289fbb26008e764aea95b8893576aadc74675d9d39a30301cba90165dcc5fecbf92f5f644d4e3cc116

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 60cf6a740805cddd03820563077abf63
SHA1 868ae7f00d3d45bfdaa3c724e2e6eb4a9c2107aa
SHA256 6e2234b6b25ffd937ddf7042d337ed68f41090149de26f8ed36c45b3b64152d9
SHA512 f8a08153dd05846ad13601c9705b645052f1bdd54bd8b3a1d10b0194b3d1a7d146d0d9a98ce533ff8a50aabe46e425bb2e0b6b84bece057498eb16ecfa015cf0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 a11097de6dbae2c6c72cd1ae7e1f7bc9
SHA1 5012ddbccac7ee7cd17d772f9254da80a46e4e49
SHA256 65ced98c2de7477e18ef10581224d26c60372c7871cbc3cf9af6ab5eb105fc9c
SHA512 ce3e8801931ba7db0c03a33902a314708e14cc43352fca653fad51e5f37976e9a75d89fabbac62f9554c03b260917df2c6a6136952b08a341c9dbc4dbd3c7073

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 3ddfdbc462b8e18f741fe8cdd09209cb
SHA1 1a2d6a19b798f7cb652f2ea613146b8d64f976d4
SHA256 a1029958b67b533ec8661e2da1d547cd23411561165d192aa16a24ce1fb5e315
SHA512 bc4fc97aeb79a3875041334bf3bd93e776ac9447616a73a276d76046ff220f12c7a9de3e304b81550c8da83f1ee769d2f758f262dc98ed6fb37c0148e3134521

C:\Users\Admin\AppData\Local\Temp\nsy5830.tmp

MD5 4d1536443c0c72543ce312195f21e784
SHA1 b10e6254076b4a2ccc137baedd64f9d6605d12e8
SHA256 0371fbd1376855c5dc8e6202ed99834a4a085e5d9c0a180084a4513303b6ae70
SHA512 7932e6530c64e6c4ed2d401f7334ca5adcfb17b01d5101244863a12dc79b70f3b789e2ae02ca458503c5cb9abe2823bad06df709bd0dbf4131955faa192ba103

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 2f9e46d40c599ab8767bfe534a456382
SHA1 c3f8dcc3b06a881e24e189ccbd39ac6c54bd83aa
SHA256 a06a5129c65931958b6f0542fd972653755fc3ffaadf9394cf6a6624485e410e
SHA512 c805a0409ec793a1369a138f1dc83af0061f21d20410cf1ca0785b0be41117f74d262a7d6eba718a57e5057ee8715ff7e631a66c59ee8bcd00908413b1b58372

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

MD5 2c3aaf57dab5f3eda80c56a003990ea4
SHA1 c13c9a10e2b648dff91fcfb754a50bc289f314b4
SHA256 13f18d39f7dd5792c749980134574d2ddf3599b6893759f3aacff26a31e08992
SHA512 de710d03c5111fba3c95537b8b84769d4cf41f882b36a64887437e0585b6d5253135f34689fb7596ff909e9ca9e48f60587514b784b54b46ee8639ed2347721f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar680B.tmp

MD5 6d3f0ded4a479b2b88af6f3ef2a43a74
SHA1 045f7fb13de9c238da84b513f908555e9aba0368
SHA256 21cdf3c241b8a2c078949e489252340443ca2b38a0fa542038799adee6c14f75
SHA512 f0387cc2a303afc3163c83ff42debe224b176ed1b80c113d1dc46bdad53a908d9bf72c259c5ea7aab9f337f3979abb036a2558110ec3b0e99578bdafab477696

memory/1532-500-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2380-504-0x0000000000FF0000-0x00000000013E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8f88f9bb06c9ab8caa47b38330da336d
SHA1 3ea0ce362778563746ca66ba3ded7304dbeb5385
SHA256 56db070bd9b8533d35d18c470ca7fd3eab32883d23a235636bf026188d6e8b81
SHA512 2e35605bea814130d8c2217fc5fa37633bf76ce6ac0601868fd1fb164413cee1d7b4ac648133d0cc0be9a94c65ef006b5e789be7fe72bf437713623a863f9687

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/1776-580-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-581-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-582-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-583-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-584-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-589-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-590-0x0000000000200000-0x0000000000220000-memory.dmp

memory/1776-585-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-591-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-592-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-607-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-610-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1776-611-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 575c2da98fc97cbb59876c6a8529ee57
SHA1 b6e76b42eb9a15b3aee4e677133e6cf19e8741bf
SHA256 5fd94db2533ccfe5b1aeab7ec686b9a4be1e659bf79a1972afe6ba8be7fec4e3
SHA512 d6d9ec290d9aa083671e3de2f8630b73a1bca104076ba05c0646f6cd76a0998f6096672f30648cdbbea211e3adf7f8d192a2f09ce4b60d3226c76c01be61a684

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 9d0a5bd7aae5f3aaaaea215402a573c3
SHA1 f068df4c806df1264ed3e2965f1126338ea09dda
SHA256 ac29a825e1cc821b3aef6e843cc40bcd76c1de050775b7fd7ec5b6caa1f69fb0
SHA512 e0049be3eeb6dc0e8e80ef3e6108ccc1cefe2fc02711a5bf7bae5cfa900a29ce230d0b2a7d26a0bb37808a207306c0c3260ff73d57541d1684150dcd9517237d

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 e601bc0698a98534b7be32f2748e2629
SHA1 f25f97decfe1c4ae483e0d33577b60a61d1ceeaf
SHA256 7440ae392022609d772e2ba471f438db9416e8392c38320382410d63965f65c1
SHA512 4c6a085582c32654e9b29b17425b6bb3543d23c1119af814a11fb556ae1ceb87cefbc8860744bce96055be6921ff6000c3b99e69636850a70a69bba2e11422d4

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

MD5 868df6a113093e0fd658582566af3e6d
SHA1 905a8b527ac6b2290a67824ce4ec3e3cd3c5feb1
SHA256 3e942e3e13ceb78bfee247410d3a14874841a2b5b55345f93190ae0ea19e9e0e
SHA512 acb28691c2902f7e3a7cf9f5792962a88650413918b177a0599564a24f1ea6f4351544e47e4fac08e4f615584412fab729ec4324b908f6bac736afbb66e6e5df

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 c5189a041155ec61a7c7041d0e253083
SHA1 07282e9faed71a024624b20d045e5593ab632874
SHA256 574e8d81d8a60fede367554ffdaa5292ffb74578ee55e08640b8714e7d2a2c07
SHA512 8da8b4000cf5387341e82bbe7f7be92b3ba46feebf0c640969c79124a0e64dcff9b7e40d87797e130b38ab4074acbca1d3ef3a1af4cd973c5639015313765aa0

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 8f5fbf476f453cd6ef553a809b3ecb3a
SHA1 a964f837a86103fd01abd279ed3b47fa0e1e54f7
SHA256 79a44df3a2f92f96994229b6e43fe797f87f83524bcb23edca70a47da0d70f84
SHA512 6364cc85a2808edc0b6e646e56266d21c3b3ca305a879abadbfad59cc705a196c31eaf28604e701dd2e4475a0bba6e67dda4731ce0f155ff6e3690bb719f2ac8

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 5da3a881ef991e8010deed799f1a5aaf
SHA1 fea1acea7ed96d7c9788783781e90a2ea48c1a53
SHA256 f18fdb9e03546bfb98397bcb8378b505eaf4ac061749229a7ee92a1c3cf156e4
SHA512 24fbcb5353a3d51ee01f1de1bbb965f9e40e0d00e52c42713d446f12edceeb8d08b086a8687a6188decaa8f256899e24a06c424d8d73adaad910149a9c45ef09

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 17:26

Reported

2024-01-30 17:28

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Glupteba

loader dropper glupteba

Glupteba payload

RedLine

infostealer redline

RedLine payload

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A

XMRig Miner payload

miner

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion N/A N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000735001\\lada.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Checks installed software on the system

discovery

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WerFault.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WerFault.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 4000 set thread context of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 3904 set thread context of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 1708 set thread context of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2956 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2752 set thread context of 4452 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SYSTEM32\schtasks.exe
PID 3396 set thread context of 4440 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 3396 set thread context of 4828 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\System32\Conhost.exe
PID 2288 set thread context of 2172 N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe
PID 1648 set thread context of 4112 N/A C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4564 set thread context of 4376 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 4224 set thread context of 3352 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe
PID 4544 set thread context of 1980 N/A N/A C:\Windows\system32\conhost.exe
PID 1228 set thread context of 2192 N/A C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe C:\Windows\system32\conhost.exe
PID 4784 set thread context of 4476 N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe C:\Windows\system32\conhost.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Dctooux.job C:\Windows\system32\cmd.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-31 = "Mid-Atlantic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SysWOW64\WerFault.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\sc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-932 = "Coordinated Universal Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WerFault.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WerFault.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WerFault.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WerFault.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\SysWOW64\sc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time" C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\SysWOW64\WerFault.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\sc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe N/A
N/A N/A C:\Windows\system32\conhost.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3916 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3916 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3916 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2784 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2784 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2784 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2784 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
PID 2784 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
PID 2784 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
PID 2784 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 2784 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 2784 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 2784 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
PID 2784 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
PID 2784 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 2784 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 2784 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 2784 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 2784 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 2784 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 2784 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 2784 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 2784 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 2784 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 2784 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 744 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 744 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
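The table above lists one row per WriteProcessMemory call, so the same writer/target pair appears several times and the injection chain is hard to read. The script below is an added illustration, not sandbox output or anything from the report: it collapses the rows into a tree and singles out the pairs in which the writer is itself a Windows binary (sc.exe writing into RegAsm.exe, WerFault.exe writing into qemu-ga.exe). The row text is copied from the table; the C:\Windows prefix heuristic, the function names and the one duplicated row are the example's own choices.

```python
"""Rebuild the cross-process write chain from the sandbox's WriteProcessMemory
rows and single out writers that are themselves OS binaries (added example;
not part of the report)."""
import re
from collections import defaultdict

# Constructed input: one row per distinct writer/target pair copied from the
# table above, plus one repeat of the first row to show the de-duplication.
WPM_ROWS = r"""
PID 3916 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 3916 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2784 wrote to memory of 4428 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2784 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2784 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe
PID 2784 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 1692 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\SysWOW64\WerFault.exe
PID 2784 wrote to memory of 3424 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
PID 2784 wrote to memory of 4556 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
PID 2784 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\System32\Conhost.exe
PID 4000 wrote to memory of 4440 N/A C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe
PID 2784 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
PID 3904 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe C:\Windows\system32\sc.exe
PID 2784 wrote to memory of 3064 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
PID 2784 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\system32\sc.exe
PID 744 wrote to memory of 1540 N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
PID 1708 wrote to memory of 1900 N/A C:\Windows\system32\sc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"""

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")
SYSTEM_PREFIX = "c:\\windows\\"   # heuristic: image path of a signed OS binary


def basename(path):
    return path.rsplit("\\", 1)[-1].casefold()


def parse_rows(text):
    """Return (writer_pid, target_pid, writer_image, target_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return events


def dedup_edges(events):
    """One edge per (writer, target) pair; repeated rows become a hit count."""
    edges = {}
    for w, t, wi, ti in events:
        e = edges.setdefault((w, t), {"writer": wi, "target": ti, "hits": 0})
        e["hits"] += 1
    return edges


def build_tree(edges):
    """Roots are writers that were never themselves written into."""
    children = defaultdict(list)
    for w, t in edges:
        children[w].append(t)
    targets = {t for _, t in edges}
    roots = sorted({w for w, _ in edges if w not in targets})
    return roots, children


def render_tree(edges):
    """Indented 'pid image' lines, two spaces per injection hop."""
    roots, children = build_tree(edges)
    image = {}
    for (w, t), e in edges.items():
        image[w], image[t] = e["writer"], e["target"]
    lines, seen = [], set()

    def walk(pid, depth):
        if pid in seen:            # guard against cyclic rows
            return
        seen.add(pid)
        lines.append("  " * depth + f"{pid} {basename(image[pid])}")
        for c in children[pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return lines


def flag_system_writers(edges):
    """Writers whose image lives under C:\\Windows but which write into a
    different image. A hollowing parent writes into the child it just created,
    so the parent is normally the malware; when the parent is itself an OS
    binary (here sc.exe and WerFault.exe) it was most likely hollowed one hop
    earlier. Same-image pairs (Conhost.exe -> conhost.exe) are left alone."""
    return sorted(
        (w, t, basename(e["writer"]), basename(e["target"]))
        for (w, t), e in edges.items()
        if e["writer"].casefold().startswith(SYSTEM_PREFIX)
        and basename(e["writer"]) != basename(e["target"])
    )


EVENTS = parse_rows(WPM_ROWS)
EDGES = dedup_edges(EVENTS)

if __name__ == "__main__":
    print("\n".join(render_tree(EDGES)))
    for w, t, wi, ti in flag_system_writers(EDGES):
        print(f"system binary as writer: {w} {wi} -> {t} {ti} ({EDGES[(w, t)]['hits']} rows)")
```

The tree puts the dropper (3916) at the root, explorhe.exe (2784) as the loader fanning out to ten children, and the only deeper chain as crypted.exe -> WerFault.exe -> qemu-ga.exe. The flagged pairs are the two places where a process named like an OS component is doing the writing.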

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe

"C:\Users\Admin\AppData\Local\Temp\fe5aa71a9083e8e8afe13394c10f01df.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000735001\lada.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe

"C:\Users\Admin\AppData\Local\Temp\1000756001\rdxx1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3404 -ip 3404

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1072

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5000 -ip 5000

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 3404 -ip 3404

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 1120

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 396

C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp

C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4964 -ip 4964

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 408

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4964 -ip 4964

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 680

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 760

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 1200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 772

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 796

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 716

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4964 -ip 4964

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 820

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\9957a16fd4\Dctooux.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 764

C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4964 -ip 4964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 660

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4964 -ip 4964

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\9957a16fd4\qemu-ga.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2924 -ip 2924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 348

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 696

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 1228 -ip 1228

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1228 -ip 1228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 676

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 800

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 888

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 956

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2972 -ip 2972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2972 -s 1012

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4624 -ip 4624

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4624 -s 2364
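Several of the command lines above are the usual living-off-the-land persistence and evasion moves: a scheduled task that re-launches explorhe.exe from Temp every minute, services created under ProgramData followed by sc stop eventlog, a firewall allow rule for C:\Windows\rss\csrss.exe, a logon task at the highest run level, an sc sdset that denies Administrators the stop and pause rights on the WinDefender service, a DLL pushed into taskmgr.exe, and choice/timeout delays used to self-delete. The script below is an added example, not part of the report: it runs a small rule set over those lines (copied from the list above, plus two benign controls) and parses the SDDL so that the deny ACE is detected structurally rather than by string match. The rule names, the path lists and the two control lines are the example's own assumptions.

```python
"""Rule set for the living-off-the-land command lines in this report
(added example, not part of the sandbox output)."""
import re

# Constructed input: lines copied from the Processes list above; the last two
# are benign controls that must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F',
    r'C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"',
    r'C:\Windows\system32\sc.exe stop eventlog',
    r'C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"',
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsqD3EC.tmp" & del "C:\ProgramData\*.dll"" & exit',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F',
    r'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    r'C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll',
    r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main',
    r'powershell -nologo -noprofile',
    r'C:\Windows\system32\sc.exe start "FLWCUERA"',
]

RULES = {
    # schtasks /Create whose action lives in a user- or world-writable directory
    "sched_task_user_writable": re.compile(
        r"schtasks.*?/create\b.*?/tr\s+\"?'?[^\"']*\\(?:AppData|ProgramData|Temp)\\", re.I),
    # /SC MINUTE /MO 1: re-launch every minute
    "sched_task_every_minute": re.compile(r"schtasks.*?/sc\s+minute\s+/mo\s+1\b", re.I),
    # logon-triggered task at the highest run level
    "sched_task_onlogon_highest": re.compile(r"schtasks.*?/sc\s+onlogon\b.*?/rl\s+highest\b", re.I),
    # new auto-start service whose binary sits under ProgramData
    "service_binpath_programdata": re.compile(
        r"\bsc(?:\.exe)?\s+create\s+.*?binpath=\s*\"?[^\"]*\\ProgramData\\", re.I),
    # stopping the Windows Event Log service
    "eventlog_service_stopped": re.compile(r"\bsc(?:\.exe)?\s+stop\s+eventlog\b", re.I),
    # delayed self-delete: choice or timeout used as a sleep, then del
    "self_delete_after_delay": re.compile(
        r"(?:choice\s+/c\s+y\s+/n\s+/d\s+y\s+/t\s+\d+|timeout\s+/t\s+\d+)\s*&\s*del\b", re.I),
    # inbound firewall allow for a binary outside the normal program locations
    "firewall_allow_nonstandard_path": re.compile(
        r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?action=allow\b.*?"
        r"program=\"?(?:C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\rss\\)", re.I),
    # rundll32 loading a DLL from the user profile
    "rundll32_dll_in_user_profile": re.compile(
        r"rundll32(?:\.exe)?\"?\s+\"?C:\\Users\\[^\",]*\\AppData\\[^\",]*\.dll", re.I),
    # a DLL handed to an injector with taskmgr.exe as the target
    "dll_injected_into_taskmgr": re.compile(r"\btaskmgr\.exe\b.*?\.dll\b", re.I),
}
SDSET_RE = re.compile(r"\bsc(?:\.exe)?\s+sdset\s+(\S+)\s+(\S+)", re.I)
# ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_dacl(sddl):
    """ACEs of the D: (DACL) portion as (type, set of two-letter rights, trustee)."""
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    aces = []
    for ace_type, _flags, rights, _obj, _iobj, trustee in ACE_RE.findall(m.group(1) if m else ""):
        aces.append((ace_type, {rights[i:i + 2] for i in range(0, len(rights), 2)}, trustee))
    return aces


def sddl_denies_admin_control(sddl):
    """True when a deny ACE strips SERVICE_STOP (WP) or SERVICE_PAUSE_CONTINUE (DT)
    from Administrators (BA): the service then cannot be stopped from an elevated
    prompt until the descriptor is rewritten."""
    return any(t == "D" and trustee == "BA" and rights & {"WP", "DT"}
               for t, rights, trustee in parse_dacl(sddl))


def scan(cmdlines):
    """Per command line, the names of the rules that fired (same order as input)."""
    findings = []
    for line in cmdlines:
        hits = [name for name, rx in RULES.items() if rx.search(line)]
        m = SDSET_RE.search(line)
        if m and sddl_denies_admin_control(m.group(2)):
            hits.append("service_sddl_denies_admin_stop")
        findings.append(hits)
    return findings


FINDINGS = scan(SAMPLE_CMDLINES)

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_CMDLINES, FINDINGS):
        label = ", ".join(hits) or "-"
        print(f"{label:40} {line[:80]}")
```

The SDDL check is the part worth keeping: in the service-rights alphabet WP is SERVICE_STOP and DT is SERVICE_PAUSE_CONTINUE, so (D;;WPDT;;;BA) means an administrator's sc stop fails until the descriptor is reset with another sc sdset. The other rules are string patterns over process-creation telemetry and will need tuning against the environment's own scheduled-task and service baselines before they are used for alerting.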

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
RU 185.215.113.68:80 185.215.113.68 tcp
US 8.8.8.8:53 68.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
FI 109.107.182.3:80 109.107.182.3 tcp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
DE 144.76.1.85:25894 tcp
US 8.8.8.8:53 85.1.76.144.in-addr.arpa udp
DE 185.225.200.120:15666 tcp
US 8.8.8.8:53 api.ipify.org udp
US 64.185.227.156:443 api.ipify.org tcp
US 8.8.8.8:53 120.200.225.185.in-addr.arpa udp
US 8.8.8.8:53 156.227.185.64.in-addr.arpa udp
DE 141.95.211.148:46011 tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 148.211.95.141.in-addr.arpa udp
DE 20.79.30.95:33223 tcp
NL 94.156.67.230:13781 tcp
US 8.8.8.8:53 95.30.79.20.in-addr.arpa udp
DE 144.76.1.85:25894 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 61.4.79.80.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 188.114.97.2:443 tcp
US 8.8.8.8:53 udp
US 188.114.96.2:443 secretionsuitcasenioise.shop tcp
US 8.8.8.8:53 claimconcessionrebe.shop udp
US 172.67.199.120:443 claimconcessionrebe.shop tcp
US 8.8.8.8:53 171.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 liabilityarrangemenyit.shop udp
US 104.21.83.220:443 liabilityarrangemenyit.shop tcp
RU 185.215.113.68:80 185.215.113.68 tcp
DE 185.172.128.90:80 tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
Files
