Analysis Overview
SHA256
f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4
Threat Level: Known bad
The file b5ee067743155c953eb9b6426ede5062.exe was found to be: Known bad.
Malicious Activity Summary
RedLine payload
Detect ZGRat V1
xmrig
Amadey
RisePro
ZGRat
Stealc
SmokeLoader
RedLine
XMRig Miner payload
Stops running service(s)
Creates new service(s)
Modifies Windows Firewall
Downloads MZ/PE file
Loads dropped DLL
UPX packed file
.NET Reactor protector
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 18:36
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 18:36
Reported
2024-01-30 18:38
Platform
win7-20231215-en
Max time kernel
5s
Max time network
153s
Command Line
Signatures
Amadey
Detect ZGRat V1
RedLine
RedLine payload
RisePro
SmokeLoader
Stealc
ZGRat
xmrig
XMRig Miner payload
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
UPX packed file
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe
"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 96
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130183631.log C:\Windows\Logs\CBS\CbsPersist_20240130183631.cab
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 596
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\explorer.exe
explorer.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 604
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8A347E80-1F1A-43DC-B120-3DF62BDABE7E} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
Network
Files
| SHA1 | aa70101ba1d7bdcae4e7af14b8ff394cbf596d49 |
| SHA256 | 960b2ea13fe6aff3726b36837b4ccf92a469c2ed1b2025720d3c44cc7b3ab317 |
| SHA512 | 7eea4e271563eb613243f24464546bb9c7dbbb533c8502fa70dca499512cd829b3ccac84a306d19f8c5bcc74429e96e284b8663f94a66ab4e032edf026f12d4c |
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 151ffa4fcc18c008f3d5df7af8f025fe |
| SHA1 | 111145df6d797e3b358ba4589cb2cc7e117e1a73 |
| SHA256 | 6bdf7e0efa7ff9629f69e6bbd5487a81f3bf3ef14c90ec1694fb3eb5fd08419e |
| SHA512 | 6e85333415bcc4c070bc3db495c8b25483605c13dd524ea7d25ce3ade1ee4ebb3eeeb1d6302bf6c970f2060c1772de348e9cf7c35cfd9e808f23e2db8b154c20 |
\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
| MD5 | 014ebe62c930271b034faf0fba720665 |
| SHA1 | a0f7ea196cb00f23db21fe81c66abb52970165da |
| SHA256 | a7f75764bd5c7b8e1d7a0db9d698862ea6c21a0af61a501e00109aa91fb8c9c1 |
| SHA512 | a4fdc0887be024ddc462c5bd2abdec7515c71a8af799f39b22642eb5fe986f5c87959056a57102b7719cef66aa5c5985b7e043c5a99f6678b0daed00dc219d93 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 80bd93565eeb595174be8aaef1f6da7f |
| SHA1 | 49b3ce401154091e7826f79f28b8a03e79d8518e |
| SHA256 | 012e1703fb6bdde2648e38ebd66ed64c10b5787491c1538fa794d77c58b39047 |
| SHA512 | 928cced06c4152813e67f73e018cb4003e2bb0a1d4623c1818b72251850550ff9ecdef5de26205ce820bf4b4d607b917a9af0c12167793c64f318b1ba607ac62 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 070d93603fe2a88662288b92f962504c |
| SHA1 | 8269d7ac09616efe2f5c0716c08cc964e8216275 |
| SHA256 | 9ed2aaeb39075587b3a1a0bdce8e66ae64babcb402d08e72744dc80e597a624f |
| SHA512 | 36bbe5d1122619d2e5db2e019e616eb6318612129d9354e1b62efba9f3019368e69acbd56623d1e95167728d5adf753d4a67380820c721c347d0969b1d0343d9 |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 256cece7d507fbc7c8096da38e1a0c94 |
| SHA1 | 1989e951db733d146e6d0b9359ba57d07143c975 |
| SHA256 | 1a23e9440a0d3503805bf6df8c8c7e1a426d4c4f5c2fca69e0c8b322c1c44c07 |
| SHA512 | 0546ee787bed60a6de935feb913c43c845e3435a80110473fa9a8670605ef0f13099f9268d5fd8335558945642824bba341b1cc39f771034087b24a21b9b0604 |
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | bf7f3e817f7030ee290e1f1154e27170 |
| SHA1 | 90f2a2c1cc987edd0fdb16029fcf16d9a6a048e7 |
| SHA256 | bc8cb87a87956fdfce1fb3a34c607b914054350bdc7d7ea46b0870aa956839b9 |
| SHA512 | 60f92f264876d40c7fcc85e8a104f522b7020fadc3a4151022675ce8b32695895c7d0de2408bf9b2083405e6a96e7b1d906c10b7dcb2227c107c6bfe8e9e00d4 |
memory/1128-294-0x0000000004F70000-0x0000000004FB0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | b4414f88c788c2d5150712b54ba3ebd5 |
| SHA1 | 0e6a28fc5946413f705dd719b181906c1ed9e7ee |
| SHA256 | f57b10b7876abdf13f1ccb59e560320475e10fd9ef5429d50fc959bd1ace4b2a |
| SHA512 | 846a6ecb929dfe209891bb6f1a7dee7f0b2244fe8ca51786c0bbccf3f1125cef15a2d29d969fbed1b104a00f5780aa10622cc2fb866a90f4490e1c2d3728a2ab |
memory/2260-314-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/296-311-0x00000000FF5D0000-0x00000000FF687000-memory.dmp
memory/1044-324-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1044-322-0x0000000000400000-0x000000000045C000-memory.dmp
memory/1248-333-0x0000000000DF0000-0x00000000011E8000-memory.dmp
memory/1248-335-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/580-336-0x0000000000240000-0x0000000000241000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 1b3a6a71cb1509a5deacc5b6ebd6e314 |
| SHA1 | 7580bb788fefda6a3aae46f963c493da799f339c |
| SHA256 | 22d031a9976a8efb3e5a5ecd6f4e76ea24d07b1e612839587b5cc6db46278ce3 |
| SHA512 | 63dcaf507e5681fcabb317d40b6778e8260148583e84898048620cf904ca75623e125c230d00f3b6a9bed815cb796ca209fef17a664be8ebc627e2a4bf3ab8b1 |
\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 40f70155db1e42ab9f51524da95a5531 |
| SHA1 | 05d5eb0c8bf558b8b6c5ad307595db19033ce677 |
| SHA256 | 9423d83223d2c647ec821f8719b4e09c03a2b74e863741169692135c7fee307f |
| SHA512 | f8d87c24167e940e0a1d85e7e643499b30235e89e420634ee5d7c8ee6b14ae09fa710e6320036c7bbdf5458379946e676f1e2b0631218e66e950ba8c6006679b |
\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | b1d7ea3b91ce01007e36f8956b86e1db |
| SHA1 | 1d6fcd288622f1b4d2eee54a16c8bc3ad72544e6 |
| SHA256 | 12d5f60e2c6b0bdbcef8ecd2302a0b3e5e579b080dbf28f06edf5d56ecee86c0 |
| SHA512 | b385fd9b573f6dd18683ebc74af667a15cdff907eaf81d4bef7c4645f0c24b892ef030c938658e10b821883a0c423cdd87fdb31d1814179bc19231fea16c7c85 |
memory/1248-337-0x0000000002A40000-0x000000000332B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 6816592b3686f53489aee98c6097ea9c |
| SHA1 | c4dd494e26998184cccb3da7233abeb17051d57d |
| SHA256 | 98ca63d19ad7f6b25f03717238159936cebb05e8ee24ddbb8bb352dcac6616fc |
| SHA512 | abd3df56d217b19fe89e045b853b74740bf139cea7c8ec74c5b9717463921e7cddfe30941194027e37d7e43b2b3762e831668b313a7fd4c6f9db8d378b6c25af |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | a4babb7dca85fdc17d6fa3f5d8f04adc |
| SHA1 | 0fc21510ff59f493fbd25a13a63a22de78c2af53 |
| SHA256 | b9393cc66d146c51b52255294ad8a7e291fb6d7937b39c5ef4247921a80635f5 |
| SHA512 | 5ab6820146a8d5cb509cf607069acc4f6c30b00edb7c9d10fcd29639933a60f4fa8e4b705a0d08222d7a889adeb0d106d6ed2c8ab3d9f7cbee33473742f23935 |
memory/1248-320-0x0000000000DF0000-0x00000000011E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\nso80C5.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | f68774e31d4058bd5240c19856247743 |
| SHA1 | 6fe690fb05ecb54faac2ca329f2daa4fff7fa9ca |
| SHA256 | a18ada26ce039fbe51b93fc353f0f507382ac6b9c08785ed815542871e8c015e |
| SHA512 | a0b5d5015747d4e84a14523f8cc4fa17677f6c6a1bf6c8563522bd0d2057c8868957cfb43cdf4756be671e59340e61a1ff0423d42087f034d38d801a0c1f55c8 |
C:\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 24d01409e5ecc92b87876958152b5c67 |
| SHA1 | ecd90c5ef10c5aa956fbd4b7807531d0eb825e70 |
| SHA256 | 03a28bc18075ff594932eee37a555db1f5e31eb4031147e8242e7eddd5c3feb3 |
| SHA512 | 777f1ac95930b58541eba251b841e9ec1b0104a223a1c8fd5b416db621e2d5d563b99cdb39197c43eaf72c00c4d43bd3414682eac2b1e3e6f73af665aae2d4f5 |
\Users\Admin\AppData\Local\Temp\rty25.exe
| MD5 | 8d558c9f81b80fa958f191a737596223 |
| SHA1 | 5019adccf0c6ffc8f24b1e3b46e59d9f262a1656 |
| SHA256 | 968fd2982219838973cf8a5147bf4cf722e1054aa237f8211313ccb8e1484dda |
| SHA512 | d07cf611e831d9795f78a1e4d8d9b41380680cd31a3f04dc4195f998c73b4bd7e0771ec5af73042cb806afeadb008252382ac628e745bec053cec71ccbb4b54f |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | a15aeec992d7ee84d8bdfb4eb7bbaba3 |
| SHA1 | 027aac94d7d70c49481e6d420a3ec8f6b1a80cf5 |
| SHA256 | 282a84745a7ee714b7b1ed6a874af9e859dcd43d40e5de5e5900f911e7bb1722 |
| SHA512 | 7b6b39e4e501e9552ac5f4681c3da449fe5501c56407d5ce20d72d63a790d4543d49071f5302ef8312dbb19489921757c2d6ac69cae81def7b1221507fbe89ec |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 0efde3a9de2d5f9ec37098b9e8cbc9c1 |
| SHA1 | aa090727f8200c07b9e2bb594b128a8152558807 |
| SHA256 | 9292cf0a0ce8dee44fbf6aec6d50241e626a59e3ec2203795866fa67b4a556f1 |
| SHA512 | d4e713f60d3da28c2b3af99a5bfcb04bbd6e042fee4b8d07ca2454abda5954144d02ff87f20d5127dc755b95b22ee1354e851995d11b55ebb767558c579c16ac |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ebec9f5b9fd6aeaa7ef5d9a8f5655e63 |
| SHA1 | 615d973269ce4e65c08f3bc748c4aaa398209424 |
| SHA256 | 3580137ad4c8995cd230027cf0211341dc9c685193c37d2122f7f68f31356ed7 |
| SHA512 | d6cfcf70567710936689d9aa8c3bdc6c426b62a4cb346bf1b08297efeef09c0ac43555b0ffc6e1e9ceefa1d17d4af504d38c6f38889a0a357de1a547a38b5d1e |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d317fa545b3fabaad8f3a089594b3728 |
| SHA1 | a245ddefe7506f90a1acda790ed06887cdf2fa74 |
| SHA256 | 99e922cd5f48de14f5ae2d0139ca5533c1ccd23140f93285c7314dbb4e7e61d0 |
| SHA512 | b7856f39924bb0f2ea87f5760a0ecd4c38c6356946d243d8df5f9977df0964c1519e3ace7b9ba42f7170eef6a79c84ed9444a02b79b62a542cb98c16a967063c |
memory/1044-295-0x00000000002B0000-0x00000000003B0000-memory.dmp
memory/1044-296-0x00000000001B0000-0x00000000001BB000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 091d97f7e2cd3e494467cc0411308c68 |
| SHA1 | c517bb14fadd5b9436ceacc3d958e768e95c3650 |
| SHA256 | 871793f2988442b774e6d700f8ddb706a34736c57e52d1c73b797113f6fa8a95 |
| SHA512 | d4fc112198929639846676505218d909b74d40b4045c1d07acc7e461ce19575c361e814064e8f8d7260f7489d6cb190bd38407604a69c28ff4612165b336544c |
\Users\Admin\AppData\Local\Temp\toolspub1.exe
| MD5 | 8ffd6ba0f47e888ef2d65c792bd91549 |
| SHA1 | b1ac234b252c52d99996359d31d678f9be3dcff9 |
| SHA256 | c1283d10d8cf551c5ba9ce55f98ceca45d59c48830c4a82f9396666ac9d10790 |
| SHA512 | 1ce66855edff3e10f968571e1fbfc494fa84558d5bed5a8bd69afc9b258e8e83c48c155c4e4d3a9780f04605f7c8f63b9a3603883ae848551d5f95ae8cea9746 |
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 6a550537477e1a28cb8dabfd8bcc247f |
| SHA1 | f0d4935578e1c20208a2e623735e4ba3e3563a12 |
| SHA256 | d036a3123324b2d64ac7380641715133f7a65e16fce33dd18fc24bb8ac5f7bab |
| SHA512 | 0b303afa47e6ba8c7b0a04754e7363656b0056748d785812030a0397a1052034b253a082300a7e594bf0dda9c68b8e47794a0086c5555b0b3fe166f0ea36fbdd |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 9627459d7eec2629e56a6439cd2f8ef7 |
| SHA1 | 5581d3c177b2e3d694bbdb32b54531500f4c1682 |
| SHA256 | e99fe12a0b2a176d125994fa9b93aa1d3dc968647b53f0a628be8a73bdcbfe9b |
| SHA512 | bbc112a46c7d0ac9c037d3a629120adc95a04647b0f1fc6ee94229de6cf71d94670cb75af385c39363ace5314c54c5adc180053e8a7260a53e831b80b309478e |
memory/2728-365-0x0000000000CC0000-0x00000000010C8000-memory.dmp
memory/2724-366-0x0000000001320000-0x0000000001372000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 7bf1272c315c69140bbab970a4354737 |
| SHA1 | 10d06f298f0705a9d2da0a3e327b50bb8b9baf8d |
| SHA256 | 3a622a2b61b8e94641dc42846d409eb0a5bc1febe1f02e914b769db384c00890 |
| SHA512 | 363da70bc4e2b89ccdbb10e2f710a7e455c56bd940a47d6461c78d106be723c72253b330a675d2d554658d321e3db3fc3475848ba48fc543ef6635fa97e19e04 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 07173beefb0208b05051a0614b6e8530 |
| SHA1 | f01774cbf0173c07620cdf766c9500f4a52e1c87 |
| SHA256 | b61d6672d48b377847a8ccad995c1de505b1f700962e40105eea785ab2bfb49a |
| SHA512 | 43a630927a85bf73f717cd05b0a5beffdf9112cb9f13d678b8ab43f9ce45d93530515a979758086f6c71b89d8b66d802526714f4f418c754856c1beb87f7eb24 |
memory/2724-369-0x0000000073A80000-0x000000007416E000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 1616a9c704e5c0d86789da193360bd93 |
| SHA1 | 878ea8f398a1ece9f24b9449ef90af07a8ba8de5 |
| SHA256 | 634c6a5f69535073133f9cfdcb49e3deed9f96b513b49bd716432e8f3b992225 |
| SHA512 | e0f8c0fa2dc27a70df16ee1ab349cfbb41c4468556f62cf00886f7be9f9f2bf531da9cfc1db019a13795acb161271ef7eb64f16d3dd432f95117d48b078d7237 |
memory/2724-370-0x0000000004D20000-0x0000000004D60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
| MD5 | 5879fe09bc286dea2c8e3cbd7a6301af |
| SHA1 | 9ac970e93b10273cd02d81e3dd037daa54e793cf |
| SHA256 | c50aa012e24453800119dac6a6073cd0c8ec355a0fe0a7a917c9c887c95fc80d |
| SHA512 | c62a0b5e6876b7d9aae7f100a9061c94664c88b97e7d8639570a471c904138a88f6d230532dbe4ab4e43e8208b6650523c02b5d096fb8dd6bee03c7812a0cc24 |
C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
| MD5 | 87b447af14a5f42c39ffbb5b449ca4c1 |
| SHA1 | 05297602ff0432214008efd0dc7d5d815fec6662 |
| SHA256 | 81174a43049aee9aad4f2ad8b040e9900ca511da807a8e38a2ff3d15b23124c9 |
| SHA512 | 3e69426c8ec334a00b9b44eb7a66ffa2ab9f348a593f09a84349f2efdd446bc61def56fe7c1a11253708d2a2731d3c5cfd0dd7bb2d1d47138948d99dc32fbd6e |
\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
| MD5 | 890040f425eaa3881218e43ce6189790 |
| SHA1 | e6d1286d157ed7b05a2c19b75b167a09c75b6b31 |
| SHA256 | cf7688b942e8ec18a1fd2daba2f48e7277655ecbc7759008e97554d58e829976 |
| SHA512 | ed1eea88f2900bb84a2ef2b12977d8e34228bfc778b132d61ba7436a6a98e2944e7a01ce4ae5f2321fce48e4c8856681018f1839a588473f207345aebd3d89fb |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
\Users\Admin\AppData\Local\Temp\nsy88F0.tmp
| MD5 | 5e03f474c4c91b62e46fb9ba68b2d475 |
| SHA1 | 3f71626f842b7a781ec80554cc1e42b37d96936a |
| SHA256 | ac7e0ca194c8c46544fd9ab0b9b56f459228079c4eb091928a701dcfc4ec6f7a |
| SHA512 | bac7487f003cdca77860d4494ccc50897cdc03b0aa395e4f3394e63a498986397597210053a7e55e9a493b41e31fe047baeb3e081b6bf7b49c2435268096500a |
C:\Users\Admin\AppData\Local\Temp\Cab8E5D.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\Tar8F4A.tmp
| MD5 | d9ea4a002113fc431ef731174bd45d35 |
| SHA1 | 2323ccbec64688d35794a63a0cc5ffd9c6eb4770 |
| SHA256 | 3cb524659029e827984b91193ede7b1bde047f3cce055b5a0ac63de10e502868 |
| SHA512 | f4a5a1a4ceaf2f2db96463316b2bdea4d7cfbeb43f8d2f077114e00390ee1cf284b7841eab7ca91962421784587c5b810624c9759d4d11b76de970953330bd54 |
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | cba3167a8f01e24ff2f154235928460a |
| SHA1 | 0fc5aa2c8c83759477638d46bbaa426bf674bffc |
| SHA256 | 25f3ae8759a21328da00728227a36300805ec46f50b322bac62aea7e06068c12 |
| SHA512 | 08655d7d4b7368221fd435350d2b299b9cd30ce7a0821ce70179f1ac6669b033ba1f2beb9e47347052550fc58232361bc9972f7a584699cdcb268d4aab11813b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b1c8e751693dadadd5d23ae7cc2f07b0 |
| SHA1 | 09c3d1b54bb28a860c1a8ad230057a918d3ecdb9 |
| SHA256 | edbf664a16460fe2c70307a1d6db806394eb9daa80bd3c648da6a54de233374b |
| SHA512 | 6b489381bd898d966689430e18bba889889fcf224f9ec2934748d82eb3ac3f86f1e3ef27b77d57f31f5a0efbea7b971e1cc4d5e78cb46c7a0dd2896ff8613fb4 |
memory/2584-472-0x0000000000390000-0x0000000000870000-memory.dmp
memory/2256-471-0x00000000024C0000-0x0000000002558000-memory.dmp
memory/2256-473-0x00000000023D0000-0x0000000002468000-memory.dmp
memory/2256-474-0x0000000073A80000-0x000000007416E000-memory.dmp
memory/2256-475-0x0000000002600000-0x0000000002640000-memory.dmp
memory/2256-477-0x0000000002600000-0x0000000002640000-memory.dmp
memory/2256-479-0x0000000002600000-0x0000000002640000-memory.dmp
memory/1300-480-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp
memory/2256-481-0x00000000026E0000-0x00000000046E0000-memory.dmp
memory/2592-485-0x0000000000230000-0x000000000024C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 6bc36143d6b1f7897ac24cf5a994a5b5 |
| SHA1 | 91f9b62599b87af8493394e4daf0cee3284b9734 |
| SHA256 | d620c68311c639ee58e34e6d574992419ac2b37f3b1aae34e864749c04a63e99 |
| SHA512 | fc52e4c7308f521cc2f55c40b3326631624ccb25ead6c87b097b8d01440cd10583e706a9cba02cd8cc9cd9655ec42fda30aba6c3172464146f6e8d4794325533 |
memory/1960-519-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-521-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | d6c567363ca4a4dfc5cdf55212b3e660 |
| SHA1 | fd807c5196e896a49e2e6de76d6a2d8c4af14cf8 |
| SHA256 | 65faba0142a6d50ae4f1688d4a37159b392bfbf792dbb909ed78c99d09001660 |
| SHA512 | 367cea2e466381cc555a714ca582e48233db80d2ee8e61ee5b1dbb2cf6c369ef2d3df9e91514fcd60d8d5c41cdc3e8c1917468d59ce4aaa5997b408fffc135b8 |
memory/1960-520-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-531-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-533-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-534-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-539-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1960-543-0x0000000140000000-0x0000000140848000-memory.dmp
memory/1248-538-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | 496bb675c29127ae28cbfaa1ba56d046 |
| SHA1 | 65551d294d2d2f504f33cf96b49fad4d13960001 |
| SHA256 | dd8bceb6f368bff9b45e6695c2ff3004aab42fad0810558735a3c29cd9014532 |
| SHA512 | a82d02a6509294da3c0a8e6864f12b5b258b65f114f3ea52ab64efe19af859770f3c03e7722c36c3d0e2440a0e5962b6e114ec3b902ddb85c74075d12cb793a5 |
memory/772-535-0x0000000000F20000-0x0000000001318000-memory.dmp
memory/2496-566-0x0000000004CA0000-0x0000000004E45000-memory.dmp
memory/2496-572-0x0000000004CA0000-0x0000000004E45000-memory.dmp
memory/2496-567-0x0000000004CA0000-0x0000000004E45000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 271eff1529bd028d9cb036ef36766591 |
| SHA1 | 6ad75c801db8240fa2cae991f45a8565964e2dda |
| SHA256 | 569b9de1cae5612354a31158a3a3f882d2d9ca01338f6cfc821a9c25ff0a3e40 |
| SHA512 | 558d504e9baaf7474da1038ce32617ae8cf4f7194ae0cf2614db7fc582c0df0aa74adb8afb157f9af6a637abdb4ec9334e4c15a29f71291b45684b79b9b51888 |
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | 9aa8737202bac7dcc71ef4c77939f82b |
| SHA1 | 25b29b7274fb3ef7d16052f8400d24540621aff9 |
| SHA256 | a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff |
| SHA512 | aa55987a32b3e259376594df68a2008007353953a2bf390b44b908e5fdaee181d3b216aec46f8679aa5f5e4164a0a412511621c6249d3cab7e1eba86d8494a7a |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 96b84119e4735b25a48799133c73b2e2 |
| SHA1 | 114cc635518e004323a4c18faeb0c889ef38a22e |
| SHA256 | eea9917904dcce9b90228b982e0a05973ea444c61da1750224f3d06c129e54ed |
| SHA512 | 3e21b66ebf505ad6addd5d9839b58cca4aabf0a5936a5eebcbaf601a201b888f56789a9cde8c128c6da2f44b37389a72d611ec5d60f64294875748fb15528c0d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a52de3b51f8461299ce680c609846a6b |
| SHA1 | 08d0dfd7f7112dab415bc55636952c798aa42edc |
| SHA256 | c298a856a380400984d8738885333019225ab268d8060a194ada92d81504f4ab |
| SHA512 | 91b71737d98fa24f3c52cc9501f213b56ee52250d037f75fac1cb640455d2438f7ec5aecff793f7cb8a428dafa3ee556c7773ec0cdc252f135732cd9ed11d6b5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
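The listing above is the sandbox's flat "dropped files" table: a path line (sometimes written without the drive letter), a four-row hash table, and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` lines interleaved. Several paths (55555.exe, workforroc.exe, redline1234.exe, 31839b57a4f11171d6abc8bbc4451ee4.exe) appear many times with different digests, meaning the sandbox saw different contents at that path during the run, and Cab8E5D.tmp carries the digests of a zero-byte file. The following Python is added here as an example, not part of the report or of any sandbox tooling: it parses that format, drops the empty-file digest, and groups digests by path so every distinct content at a path becomes its own indicator. The helper names are the author's own, and SAMPLE is a short excerpt copied from the listing above.

```python
"""Parse the flattened 'dropped files' listing above into an IOC table.

Added example, not part of the original report. SAMPLE is an excerpt copied
from the listing above; the helper names are the author's own.
Format handled: a path line (with or without the drive letter), followed by
`| MD5 | ... |`-style rows, with `memory/<pid>-<seq>-<start>-<end>-memory.dmp`
lines interleaved.
"""
import re
from collections import defaultdict

# SHA256 of a zero-length file: a dropped file with this digest carries no
# content (see Cab8E5D.tmp above) and is not a useful indicator.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEMDUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_dropped_files(text):
    """Return (files, dumps): one dict per hash table and one per memory dump line."""
    files, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP.match(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": start, "end": end, "size": end - start})
            current = None            # a dump line terminates the open table
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            current[m.group(1)] = m.group(2).lower()
            continue
        current = {"path": line}      # anything else opens a new table
        files.append(current)
    return files, dumps


def normalise_path(path):
    """The listing mixes 'C:\\Users\\...' and '\\Users\\...' for the same file."""
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def sha256_iocs(files):
    """Unique SHA256 digests worth blocking on (empty-file digest excluded)."""
    return sorted({f["SHA256"] for f in files
                   if f.get("SHA256") and f["SHA256"] != EMPTY_SHA256})


def rewritten_paths(files):
    """Paths seen with more than one distinct SHA256: the sandbox observed
    different contents at that path during the run (staged writes or
    overwrites), so each digest is a separate indicator."""
    by_path = defaultdict(set)
    for f in files:
        if f.get("SHA256"):
            by_path[normalise_path(f["path"])].add(f["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


# Excerpt copied from the listing above (constructed sample input).
SAMPLE = r"""
memory/1720-216-0x0000000073A80000-0x000000007416E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | cd1d912d88fda2d51c469f39a1fa1101 |
| SHA256 | d6e810d6a1040d55b4fb9af07bd4071d32a287c60e8b6585c03ddd54bd464e84 |
\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
| MD5 | 42f6fed0bf4649ad036c091c98cca35f |
| SHA256 | 160020085f40c2f182e98693124df3f18766f15dfa305beae164bb44b80db133 |
C:\Users\Admin\AppData\Local\Temp\Cab8E5D.tmp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

if __name__ == "__main__":
    files, dumps = parse_dropped_files(SAMPLE)
    print(len(files), "files,", len(dumps), "memory dumps")
    print("SHA256 IOCs:", *sha256_iocs(files), sep="\n  ")
    for path, digests in rewritten_paths(files).items():
        print(f"{path}: {len(digests)} distinct contents")
```

Feed the whole listing to `parse_dropped_files` and `rewritten_paths` returns every staged payload path with all of its digests; the memory dump records (pid, address range, size) are kept separately because they describe in-memory regions, not files on disk.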
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 18:36
Reported
2024-01-30 18:38
Platform
win10v2004-20231215-en
Max time kernel
5s
Max time network
154s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
ZGRat
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4640 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 4640 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 4640 wrote to memory of 4872 | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe |
| PID 4872 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4872 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe |
| PID 4872 wrote to memory of 4944 | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | C:\Windows\SysWOW64\schtasks.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe
"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3784 -ip 3784
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1232
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp
C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 116 -ip 116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 348
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp" & del "C:\ProgramData\*.dll"" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 2340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 228 -ip 228
C:\Windows\SysWOW64\timeout.exe
timeout /t 5
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 2516
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
Network
Files
memory/4640-0-0x0000000000EF0000-0x00000000012F8000-memory.dmp
memory/4640-1-0x0000000000EF0000-0x00000000012F8000-memory.dmp
memory/4640-2-0x0000000000EF0000-0x00000000012F8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | b5ee067743155c953eb9b6426ede5062 |
| SHA1 | 0725e7b508a48778c10a06c446845b0571480716 |
| SHA256 | f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4 |
| SHA512 | 22afde42ebe8662746ba3c879a4978caf096e4b23503a12b3c74d32f80c2c647927bb458505071868ceb43f5eefcc026638ec124e85742cd7c395ddde48f0db5 |
memory/4872-14-0x0000000000FA0000-0x00000000013A8000-memory.dmp
memory/4872-16-0x0000000000FA0000-0x00000000013A8000-memory.dmp
memory/4640-15-0x0000000000EF0000-0x00000000012F8000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 3853abb35ab617a117144f119cdc9808 |
| SHA1 | 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae |
| SHA256 | f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef |
| SHA512 | 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 9f854e765c3310453239677479d53f86 |
| SHA1 | 04a968afeac953f960ba7529bba1de29cdaddc1f |
| SHA256 | 2fddc8529d0f1bf333884e176e41955b9dcd2be114d5b40dc1013040c2d33092 |
| SHA512 | 3a1b309c1b8b64c1f865d65374a1414fa080ea17a844559940333ee8e626ba86005df3cc5b310591f59817f21c83477d1acbcbd4251fb158517bcda96f37a662 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 73f990f9b77fbe88ec844d1d0890b499 |
| SHA1 | f944937844113fc57c864d8d49893b129a8936e5 |
| SHA256 | 31b4b27aa4918d1d1ceba5164dbacc954e08020fed661eb49fafd8633c592bbb |
| SHA512 | fe21b51e732354606c5d3b2b9d58efeb5eea83e9c456afdf1482849a9a8eb5375ceea5943a66745433088739917260f164a88966889ef9c79c8c65dd1be30c3f |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 2da5cf6ab18faca7815a9b4e7074f93b |
| SHA1 | 411e89edcd1c7065b39aa313f14e1e99b7b98188 |
| SHA256 | 6402a0596bf8c7660e386dddd646228c14e57207be3ab1effcf7c62c0fdc7f37 |
| SHA512 | fd9b0b682df4a05894876f975c2be3e60b465ee061ee0a05a223b6b434a4a49d72d16ffa6ad768140a6c636e239dcfaf74d66e9d483ea57133e8e33fdc96ef6d |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 1f5bac10f632432cdb7f3af24083e9a5 |
| SHA1 | 379bd2bb6b3ccca5151cb4b954ea69466346b985 |
| SHA256 | c03e7e43e2fefbb5628a792c0726301eb7556e6541362a4d6a7124e7ac9ba632 |
| SHA512 | acbdf4f97f0aa04f5e26ae7494874af5d218040fda77baab428955149c96fa420f1d2560bcfb2fd47f0813f5edb79e4848a816732a1df76b881c8481411c9fb0 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | dcf5917a233f1ddc3a2f9004e3a5adc0 |
| SHA1 | bc9fbd1f4685e4cbb86c65e75feecd1029246483 |
| SHA256 | e0d13c9f0d014e4ce586e7915a4a3293400a1f3b74445fed45bf7ee5f2f33699 |
| SHA512 | 7bcb78b3b642afdfa238f2957dcdfbe8b25654e282d139de48d749754c98f0e5196b7c677afaa1ced44319f31c52a61d2d8168ff4967986767950f1cfe43b442 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 9812c01ea3b0e14c6b6a47da6a955436 |
| SHA1 | 1c084bcd63ed4de42b57600792bf19f902dd68b5 |
| SHA256 | 45e5e6dad0f1dd452fe676157ae6c037c1b778e732bdda1e3fb7e9875480ea1c |
| SHA512 | 3a069ca79bb322287052f1a27f792af8ea99c3ffe30d76853a20a071e3ae82f4e5e1a72b0a384c2fe643b1978ad9850b9f7968ecce2ad3abfd5473c7ef151533 |
memory/4240-55-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4240-54-0x0000000000230000-0x0000000000282000-memory.dmp
memory/4240-56-0x0000000005280000-0x0000000005824000-memory.dmp
memory/4240-57-0x0000000004CD0000-0x0000000004D62000-memory.dmp
memory/4240-58-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | a7c024c0bdca84f4c2ae6c90c044db4e |
| SHA1 | 610e35cc242a67dd245e9fa53733f4c8c2a59125 |
| SHA256 | 0ee6c84a2dd00f9f5f168bef0cbf0798623a8b136aa34fc0d5a2e2148f81cf57 |
| SHA512 | 7f7131bbc835e68b2023b51b08c25bfb024205f9d1a93f491da2a7ec141d0895668de798595579f1884429f4fd83d35076b1738daa8e456bee4a0118e75085f3 |
memory/4240-70-0x0000000004C90000-0x0000000004C9A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | bf2a3e48b0ea897e1cb01f8e2d37a995 |
| SHA1 | 4e7cd01f8126099d550e126ff1c44b9f60f79b70 |
| SHA256 | 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3 |
| SHA512 | 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91 |
memory/3748-79-0x0000000004C20000-0x0000000004CB8000-memory.dmp
memory/3748-80-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/3748-81-0x0000000004B80000-0x0000000004C18000-memory.dmp
memory/3748-83-0x00000000026F0000-0x0000000002700000-memory.dmp
memory/3748-84-0x00000000026F0000-0x0000000002700000-memory.dmp
memory/4240-86-0x0000000005E50000-0x0000000006468000-memory.dmp
memory/4240-88-0x0000000005060000-0x000000000516A000-memory.dmp
memory/3748-82-0x00000000026F0000-0x0000000002700000-memory.dmp
memory/4240-89-0x0000000004F10000-0x0000000004F22000-memory.dmp
memory/3784-90-0x0000000000400000-0x000000000048A000-memory.dmp
memory/4240-93-0x0000000004F70000-0x0000000004FAC000-memory.dmp
memory/3784-94-0x0000000000400000-0x000000000048A000-memory.dmp
memory/4240-96-0x0000000004FC0000-0x000000000500C000-memory.dmp
memory/3748-97-0x0000000002740000-0x0000000004740000-memory.dmp
memory/3784-98-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/3784-100-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/3784-101-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/3784-103-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
memory/3784-102-0x0000000000B90000-0x0000000000BD0000-memory.dmp
memory/3784-104-0x0000000000400000-0x000000000048A000-memory.dmp
memory/3748-99-0x00000000730E0000-0x0000000073890000-memory.dmp
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 6e1fc65e20cab6458c231a72af9f08df |
| SHA1 | 97c7f54e0f813e98d09be479144aa3de6222b51e |
| SHA256 | de80c2371fd7e2b42f96ba431df9170bcec33d80f40baf290373c199fccac8b4 |
| SHA512 | ffcd111198b273ba3a9f6df0f76c660162f87ba3f6fa37094a2f75769a8fb1f12be48210e92d3f08fad04dec2f15931a4e116817df368c0c30a80a8cd8950bed |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 846ba90721c5f04a05146bc6adbb0be0 |
| SHA1 | bda514aa42dfe135ef652e782df54eba00840961 |
| SHA256 | 9c1ba121e075258c65272bfb4be4eedb043a5d2bdee191a87b05aea54c07f4c7 |
| SHA512 | efe8fef99439cd6e7d86a84c7c5bc6533c1aec1dcb6599c299f2eeb4a33442510e68a31e92bc8792e5523c505d0960f5c73d590713e596b659cda5c5c926a6bb |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 330b0867feeca636b40bf97614c2d2ac |
| SHA1 | ffacb9689c2831bf2ce6d5644db697b2f1d0e802 |
| SHA256 | 754151c4223083cab19ee790a5c581d9eec71beaa58fc900db885fb32931dcac |
| SHA512 | 056492f9230d0fa36a5203634e483352355938c514390d6b5023657d7aef203561fad5edc9d3889a008816d661ee843a968c0597ae8aeec44e33bed15c267745 |
memory/4872-129-0x0000000000FA0000-0x00000000013A8000-memory.dmp
memory/4484-128-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | fac998d08317ecb06ee191de215584fa |
| SHA1 | b8fff43417fbd008f85492dd343d0cfee956c69b |
| SHA256 | 00a3e7d8d526f49a758d70bfc763b25559513faf8521ffee00485796d73fd55d |
| SHA512 | eddf7309e3f26e54570a5627615f049b6ad3792d5360e2ef60facfab01873fa1726c3ec7e39cdcb2cfeab67a63af161a1276fe8f5c587631d8a0d0131f2b2b56 |
memory/4484-125-0x0000000140000000-0x0000000140848000-memory.dmp
memory/688-132-0x00007FF752D40000-0x00007FF75377D000-memory.dmp
memory/4484-133-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-134-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-131-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-135-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-136-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-137-0x00000000012E0000-0x0000000001300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 3d6a04a400d25f9454a5965d1c3e5262 |
| SHA1 | 457dc58d04968d8497f89ef67bbfbc706f01f278 |
| SHA256 | 78c48ae539e4d3fd5150a7cd7d81a102e771555cca2aa8afa61a440d08e17630 |
| SHA512 | f1fd4855aab684f719787dcab7754ed07c42c9375c0b88f535b9ff224a4ecfb8426bcd5ed845ce26230f326560eded1912d9991e3d962f92ed25c27b995c504e |
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 714a389beb4b0f7ce465e03bab168363 |
| SHA1 | bc72b6477e009cbe9267d156062ae8ded2d72a80 |
| SHA256 | 9d568bab71e0e2200237ea4b17c6e73bf6b9b9ca6225e65cd7e97ab0016a0e3b |
| SHA512 | a61939f1842419a6368c7846a19709b041bbc92aa6231f0b04f66b7eb8f690ba082ec37ecabc86cfdcd4d534dcb432397228964ab2f636b012dbe65c462d9b9b |
memory/4484-147-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-148-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | b24f30cfa5d33ff7cd24c4d2529d330a |
| SHA1 | 920e422fc0337adbd2733f5ce08cc748ada83446 |
| SHA256 | bfa7006fba4835a69953c301f1170a228478445ac540e26386d74bb49d8b105e |
| SHA512 | 844d84eae9d3f12de879279930291b53e1b24255c287d73fcc46b982201798d46f7e90a6a9acd2336815954484b3599a57efa1469bd0d9de46c31922997eae4a |
memory/4484-159-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | d26c25eb17bfa8965bb02c9d8476db91 |
| SHA1 | 1cd61285a24f59624ade4a7314beb3eaf9f63352 |
| SHA256 | ab9aa03ea86cc8c32818ba6e38f76e1da9eb9f5de746820ab8debc6626385eec |
| SHA512 | 45021c8bd3e4541b064deced845a1ab7d54662e0a26a9ef79f886483f455c1517d612d459a2bc1c4fc1e089024443fa2963685f90576d0ee6ed9dba3b859064f |
memory/4484-160-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4484-161-0x0000000140000000-0x0000000140848000-memory.dmp
memory/2484-162-0x00000000050D0000-0x000000000527C000-memory.dmp
memory/4872-163-0x0000000000FA0000-0x00000000013A8000-memory.dmp
memory/2484-165-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/2484-176-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2484-178-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2484-179-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-177-0x0000000004F20000-0x00000000050C5000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | e192ed56e9f5156b30ac5b5764f1eea1 |
| SHA1 | cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5 |
| SHA256 | be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3 |
| SHA512 | a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b |
memory/2484-199-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-202-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-190-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2484-204-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-206-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/4872-180-0x0000000000FA0000-0x00000000013A8000-memory.dmp
memory/2484-208-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-210-0x0000000004F20000-0x00000000050C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | 67b50ad2672110c088414f2e05bf4e59 |
| SHA1 | c5a6519aee58ca727f1b8fb8f76cdc110353ba3b |
| SHA256 | 3f6ca7362fc27789e410c05d0bfb61573ce82990618e777596a3ed86c9d1a92e |
| SHA512 | 3424569626d01ce40055866b2295cb15ec4b80949bcd01a351dbfac433ca94c922c9ec324aa8fb08273d5f8bef8282d390edf52eb3aa076ea0b258e23eee573d |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 9e5bd65697b31f801abe139c1b89e2b3 |
| SHA1 | 8974972ce9cf9d75e8fdb59be24137e502d53d3a |
| SHA256 | 791620393ddbb22139bb0c2ddf65d800586c23b3300129b4b1b9998efcceb74a |
| SHA512 | 5af89bc9b1310630a3d771d7f566173a8b7df37369742caecb6d7dfab73daeedc239ac4a4371cf7aac4746cfaf94b9b26d8881206b7ccfb6236276e288915f2a |
memory/2484-227-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-231-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/688-229-0x00007FF752D40000-0x00007FF75377D000-memory.dmp
memory/2484-238-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-242-0x0000000004F20000-0x00000000050C5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 31ac27f770066a8d6339376fc611144f |
| SHA1 | 13d60cf7b1e80f1f90a45728506f4614ba5bbc97 |
| SHA256 | fc070b4e1b3d3e2a2eb4d87f341d165e33402830af05f2dba1b454d63f8f45bf |
| SHA512 | a47feb8f7195bc456837f8ddc0a0904336557621f25cd00f8987882fa3255921dcda7ec6bc45f310e4beadd3c89fbd8657c3678e9dbef93c24979bd02ef4843d |
memory/2484-244-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/4240-245-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4800-247-0x00000000057D0000-0x00000000057E0000-memory.dmp
memory/2484-248-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-250-0x0000000004F20000-0x00000000050C5000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | f3a90e5d9f54a9b0f9ae3fc0b111e083 |
| SHA1 | c269b113bf218e2d7475240d5d15c603a2733f93 |
| SHA256 | 7ae100c11679b251c454c259f50bad872f32e8e04d143258dfdf3066193317bd |
| SHA512 | bbe28b1650e4cc986746ee35ce5b244f46c053c777a11c40718fc489e349237e2e6c1a95e133e13149e5a2622796648d61cb7ff1ef2a28896b1eab15876301df |
memory/2484-257-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-260-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/2484-267-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/4464-266-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4464-263-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2372-261-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2720-259-0x00007FF6C6BF0000-0x00007FF6C762D000-memory.dmp
memory/4240-256-0x0000000004ED0000-0x0000000004EE0000-memory.dmp
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | edb9a2d5c6a5044c03a7cf30da2a2735 |
| SHA1 | f896ad04a0f8f13fed235320be361ec51964e9c4 |
| SHA256 | f90b55ef3150dfe5899745c1b72d1911912afa00f5d15de5ac33d8f8a4936424 |
| SHA512 | 35d3161ac72f88e2561550383e38a1822b06f0a50638190138d5e8abea90691714e88147e6726642220aef67d6951c894a31f441921de856feb58b9ed7982aac |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 5cc505c2442cb69d5603fe24fc9d9841 |
| SHA1 | e3b53d5ffca4cb3effec3b11722b9db8b75ddfb4 |
| SHA256 | f554e10eed1e5c667204c4752f9b967d86c221f33f8748641c1d56bb22c155e5 |
| SHA512 | b5011ab8ebd5e208486a89931740750f23cb243d4b63c7ff5da30f2c55c2681297f4ac9a306b09d085fe7b8ede7e641826c929bde2c9f67c1a25ea1aa0751449 |
memory/4800-228-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4240-213-0x0000000005830000-0x0000000005896000-memory.dmp
memory/2484-212-0x0000000004F20000-0x00000000050C5000-memory.dmp
memory/4800-215-0x0000000000DB0000-0x0000000000E14000-memory.dmp
memory/2484-166-0x0000000004F10000-0x0000000004F20000-memory.dmp
memory/2484-164-0x0000000004F20000-0x00000000050CC000-memory.dmp
memory/3784-271-0x0000000000400000-0x000000000048A000-memory.dmp
memory/4464-270-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4464-272-0x0000000140000000-0x000000014000D000-memory.dmp
memory/4464-268-0x0000000140000000-0x000000014000D000-memory.dmp
memory/2372-286-0x0000000005250000-0x0000000005260000-memory.dmp
memory/2372-298-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4800-283-0x0000000002FA0000-0x0000000004FA0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 5448932b17f9c3558beb44954f601d1a |
| SHA1 | 9bb24b1e6957d5e523bf89fecb26ce189c17d5d6 |
| SHA256 | cbc691f8a688acb706b34e3d5ba1b1f6a0d5afa74f6dd9764e3fcff03c761710 |
| SHA512 | ca14e4df71d7ea54366833f9bb8842586b9154bd2a0458376b1c92977e1dbf9b689d8f038a87388dc00e91b639b07eac35d755da5b6111c5d09cdc6902cedb4a |
memory/4800-273-0x00000000730E0000-0x0000000073890000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 4b5c32d86df8a04c0555f901ed69bb45 |
| SHA1 | a5782fadc2c959643cd004a6286e86f941358511 |
| SHA256 | 0e3484c39105d509f8ea20b35d8e9146cd7242b144dd74b43e1ff56cf6e9b7b4 |
| SHA512 | 129d023328a5308a525bf2daa73f6bd3770fedd97255dd34b31cc4c8e2644994bc7fb125d4e0f3f4cbcb574d85301897215892393f89835fe85d5b4da2a7d678 |
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 25f756afbb6efdd9a3dd9123fa05135a |
| SHA1 | 1a502e03872cc0d58addbecb302e250e9556564f |
| SHA256 | 455cbdd38990c6cdc8a0c9420a410c0459a38e8175ec2621641b03cba4c503be |
| SHA512 | 018c09fd2d2c1435b21446f336d0c02db5482a596964ff6cb121cd2503fb634ddf67f73e73f2467d2d24f8da27a02a89b317c70575c8d3ca04300eeda6ac4a0c |
memory/2484-318-0x00000000029C0000-0x00000000049C0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | cd28a3f29f680353fd9e9051129c89ce |
| SHA1 | 2bcc30f9da47697e0ea81102a0edb0b24ff04e6c |
| SHA256 | 5e85e12fa3b9314c9e9d6e703253bb3f2c07e7e58e5fafb63f6ca8f7e4795e32 |
| SHA512 | 940b0bb4b577e5cd244783ab085411e81b52ad4c904990ca07217b56435377a1249869117695b8670c9ef99cd2c627f7907194dceb379d77c7059b1cfa31ce1a |
memory/4456-324-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4456-334-0x0000000005030000-0x0000000005040000-memory.dmp
memory/2484-328-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/4456-320-0x0000000000400000-0x0000000000592000-memory.dmp
memory/3912-341-0x0000000000500000-0x0000000000554000-memory.dmp
memory/3912-342-0x00000000730E0000-0x0000000073890000-memory.dmp
memory/2800-343-0x0000000077544000-0x0000000077546000-memory.dmp
memory/3912-345-0x0000000005050000-0x0000000005060000-memory.dmp
memory/2800-346-0x0000000005490000-0x0000000005491000-memory.dmp
memory/2800-348-0x0000000005500000-0x0000000005501000-memory.dmp
memory/2800-349-0x0000000005480000-0x0000000005481000-memory.dmp
memory/2800-339-0x0000000000790000-0x0000000000D18000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | 9aa8737202bac7dcc71ef4c77939f82b |
| SHA1 | 25b29b7274fb3ef7d16052f8400d24540621aff9 |
| SHA256 | a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff |
| SHA512 | aa55987a32b3e259376594df68a2008007353953a2bf390b44b908e5fdaee181d3b216aec46f8679aa5f5e4164a0a412511621c6249d3cab7e1eba86d8494a7a |
memory/2800-350-0x0000000000790000-0x0000000000D18000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 5ea776e43112b097b024104d6319b6dc |
| SHA1 | abd48a2ec2163a85fc71be96914b73f3abef994c |
| SHA256 | cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341 |
| SHA512 | 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 3058f10b2fe431d9f8a487a35cd89ba3 |
| SHA1 | adf31cfada940e96a02305177bea754d4ee41861 |
| SHA256 | 73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30 |
| SHA512 | 4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | d65bc7baa859ec7d193a3943c2dcca95 |
| SHA1 | eb05786f62d30cd8da3187c4228656d2558ade29 |
| SHA256 | 984988f9e849f5407874f8b80747f3706368d1aed396685ecb7163513e304c43 |
| SHA512 | bf92f35e1cee9567e73c5949d96c415d82f3b97ab04fd823c99cf70606fa0a9fc3bef3564f3ea66bb19a17e4e44eb82139f85f95b83c46426c0dcdbfa7e73421 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | c4d1fc0442b37122b2d3dc1f23b5780c |
| SHA1 | 8d84837ce53af949a70a6d177320d4997da3e840 |
| SHA256 | dca06371e08d57d6a695c0bd0ea924b30608262a063626b064fe0a78e1c1fea1 |
| SHA512 | 734fb8773d2585e4148390dd6ae285c96ce1cf3fd60e1275e00332df34c8ef2da9a0437c20d76d64683f5db1dc5a1df6994cf6714311f5b761ffa3fffd93cdcc |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 61875241ae509411d9733d761ceab419 |
| SHA1 | ac8e09391fe96c683659a11dbbd686ccceba3d6f |
| SHA256 | 7343d80622c51c01749b10474ac428df66f1395ce0598b4bf46b721a7bcdd8c8 |
| SHA512 | c4ff9d29314136863073d0cf981e3ec825874360907890fadb29bc86241b89903e459a71982db3feb56d52ba9d62923f9d66969e1790dade54bb08ff48d95287 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\Windows\TEMP\zamrbllfjgdb.sys
| MD5 | 0c0195c48b6b8582fa6f6373032118da |
| SHA1 | d25340ae8e92a6d29f599fef426a2bc1b5217299 |
| SHA256 | 11bd2c9f9e2397c9a16e0990e4ed2cf0679498fe0fd418a3dfdac60b5c160ee5 |
| SHA512 | ab28e99659f219fec553155a0810de90f0c5b07dc9b66bda86d7686499fb0ec5fddeb7cd7a3c5b77dccb5e865f2715c2d81f4d40df4431c92ac7860c7e01720d |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 94dc619a3f5b3ae4e1742b2264b6acf7 |
| SHA1 | 6959347752f4760d6717925e939c345368d6e14d |
| SHA256 | d4c108798454eaca435b06689f5f915ce65cb6f033de43c0ed64da4079b078f5 |
| SHA512 | ee5595c110cc2a43cc189e618315826fda58e131373054ee3cdccb6044107130c63d94b9fa41c8af52b4d17593b0fec74631adb45f1b61e1c6aee583bbf66bd7 |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
| MD5 | df35f19c7d7e1539ca17e4d839b20a04 |
| SHA1 | 7dab9f9d3ff0c6f4ee4d7f33ab81ac7118afe193 |
| SHA256 | f50c34273870841df335fa73d1cd9c2acb9de70e4ed77dabfcc9eb98dcff9b54 |
| SHA512 | 90e210ce12d846c42fa724ad1be934362134b5449dbe6bad49e380087bd2496fe973c4e63731ef291cc854685cd7129e980676816e4298ef617ee56896b5c00b |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | 928b55ed319f97dfefa2f9875ee9d00b |
| SHA1 | 459414dc21828152e3ca69f3ac8250310752ed49 |
| SHA256 | ec519e15a75246fbeaf762a06e5e9068e95d3d49eae67dcbc23cc91db4b3cd8f |
| SHA512 | ec279c2d0f0d0a3a67c676a6d64cb15a02eba1559693f936dfb91a0074a6c44e457761bb508ce84086c5bd91778431a67ccbc9ad690109b83dccbfa62aa2c4e4 |
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7588dfcc27a15b1d528d7cec135a78fe |
| SHA1 | 98ba6c8e3709f6c99045cb0b71515d45054ce0b9 |
| SHA256 | 17cdfeb4ad7bb124eabfb741377604ad7a4b2024cc9d768ab639d75a68df39ac |
| SHA512 | 0499af202dd355d2fa81a35ab408cdb32efb3345c9f93914387a62dc077c8877dcbd4afc3d4f05ee0e5b93c3e23c9a470cd3d60891c9e8d92b9300b58614bb9a |
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ac6aebfbc5262350e3d2fc51158b70aa |
| SHA1 | 56d1133563796380d905e067c795e9017c80d01f |
| SHA256 | de0e82602af7035d329cd58b8c39dc5b50831133f1f7b2fecb9a8fa5bd855215 |
| SHA512 | c2d2339127b3e278d4e390ec2cbf59bb0278f9f04bd3bfd1fe079ca3e44cad38ee5aee59c31a2102146755c0e4c58e3d3d8475c3f4ec20361e965ef7a59a114f |
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 98fba146a124cd78e152d4b0ef80c8de |
| SHA1 | 1d8adb5d6c9536b526467f19eeafd297acea327a |
| SHA256 | 77205b9ebc131544bcdabe0fd9007db1cbef79171f800aa351f0ca95f8639fa8 |
| SHA512 | 75374db5042e01d0f9dd0bfaa0e23322ae159ce026a7e01d94f6c568f339f92280633feaee709baa845dd2f8e8a97c151cc6aa9d93f7b68b84d89f043bae2828 |
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
| MD5 | e6de88cccf397b63186fc9083b8523b6 |
| SHA1 | 9ab6ec7f1901e065e83901815ae5aec6c1a04f16 |
| SHA256 | e41c37da671c6b68efb3b1a709df6b81eba20613f2de0645884a839354a0777d |
| SHA512 | 3944f1fca9c4a76c0cc98a5a15ff218876e2c1804f930960f19b6dd145e00307fb6be8cd18a7a9f018b875db036c2b54c2d876c45c89d299e26a9d71b2d1a6ab |
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
| MD5 | d782921a7a4424cf86cd2787884f00a7 |
| SHA1 | af5502662106c4ccf10f9800ca5e8f4f1327e06b |
| SHA256 | 8830a632f42184810364e953cc73fef8600c768a0928085f7918ecd4226e3b7a |
| SHA512 | ac713febed3cf5f2e05a4bb7b1cf04c1856e1885ff8d3c895481b829dd02607521f21c26709e920afe6c4a9e12facf3c1b799b674a097a5082a42d6f02066119 |
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
| MD5 | fd7431015eb5f5ebfe9e4a7397bb7b45 |
| SHA1 | fc0bbfb3c8d8c10fa1cb9e5024431d0dc0229914 |
| SHA256 | 47ccc5eb2875be84fe389eedd4c9cccfe54ccd3acd4fc7ebfb5edd937b466a04 |
| SHA512 | dec0698ab0fe8beeee499af410255707239d19d7d1806b42f4124694ea0f38011e89c61d53e79f173418151ec8fc43322890e0aac84d1c5025aad60b678ff208 |
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
| MD5 | 3c892759b24ee9ad9664b98939cd5810 |
| SHA1 | c9d42a1b9c0234b8f11655945c044fa67a4da64b |
| SHA256 | d50b7419fb0e8d56e27a8b64e8479bad4e408574637e49cb8b8c81b473586084 |
| SHA512 | aa4d39beacb147116ace6ee425232749aa317db02c7047d843e4d493b1ac11cbf324ded7ab0c311c5550a483d770f39f9e6ef6265ae1c12f4c120372d6bf2fb1 |
C:\Users\Admin\AppData\Local\Temp\nsx8B44.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
| MD5 | 3459e4e3b8c2023cb721b547fda205f6 |
| SHA1 | c4cc7eb4d2e016b762e685a87b16144fda258f9c |
| SHA256 | 9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd |
| SHA512 | eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc |
C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yoz42ss4.d1s.ps1
C:\ProgramData\nss3.dll
C:\ProgramData\mozglue.dll
C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
C:\ProgramData\Are.docx
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive