Malware Analysis Report

2025-01-22 10:25

Sample ID 240130-w8wrtscacn
Target b5ee067743155c953eb9b6426ede5062.exe
SHA256 f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4
Tags
amadey redline risepro smokeloader stealc xmrig zgrat 2024 @pixelscloud livetraffic pub1 backdoor evasion infostealer miner persistence rat stealer trojan upx @oleh_ps @rlreborn cloud tg: @fatherofcarders)
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4

Threat Level: Known bad

The file b5ee067743155c953eb9b6426ede5062.exe was found to be: Known bad.

Malicious Activity Summary

RedLine payload

Detect ZGRat V1

xmrig

Amadey

RisePro

ZGRat

Stealc

SmokeLoader

RedLine

XMRig Miner payload

Stops running service(s)

Creates new service(s)

Modifies Windows Firewall

Downloads MZ/PE file

Loads dropped DLL

UPX packed file

.NET Reactor protector

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 18:36

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 18:36

Reported

2024-01-30 18:38

Platform

win7-20231215-en

Max time kernel

5s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1


RedLine

infostealer redline

RedLine payload


RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 1944 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2728 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2728 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2728 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2728 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2728 wrote to memory of 2584 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 584 -s 96

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130183631.log C:\Windows\Logs\CBS\CbsPersist_20240130183631.cab

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 596

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\explorer.exe

explorer.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 604

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8A347E80-1F1A-43DC-B120-3DF62BDABE7E} S-1-5-21-1268429524-3929314613-1992311491-1000:XBTLDBHN\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network


Files

SHA256 960b2ea13fe6aff3726b36837b4ccf92a469c2ed1b2025720d3c44cc7b3ab317
SHA512 7eea4e271563eb613243f24464546bb9c7dbbb533c8502fa70dca499512cd829b3ccac84a306d19f8c5bcc74429e96e284b8663f94a66ab4e032edf026f12d4c

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 151ffa4fcc18c008f3d5df7af8f025fe
SHA1 111145df6d797e3b358ba4589cb2cc7e117e1a73
SHA256 6bdf7e0efa7ff9629f69e6bbd5487a81f3bf3ef14c90ec1694fb3eb5fd08419e
SHA512 6e85333415bcc4c070bc3db495c8b25483605c13dd524ea7d25ce3ade1ee4ebb3eeeb1d6302bf6c970f2060c1772de348e9cf7c35cfd9e808f23e2db8b154c20

\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 014ebe62c930271b034faf0fba720665
SHA1 a0f7ea196cb00f23db21fe81c66abb52970165da
SHA256 a7f75764bd5c7b8e1d7a0db9d698862ea6c21a0af61a501e00109aa91fb8c9c1
SHA512 a4fdc0887be024ddc462c5bd2abdec7515c71a8af799f39b22642eb5fe986f5c87959056a57102b7719cef66aa5c5985b7e043c5a99f6678b0daed00dc219d93

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 80bd93565eeb595174be8aaef1f6da7f
SHA1 49b3ce401154091e7826f79f28b8a03e79d8518e
SHA256 012e1703fb6bdde2648e38ebd66ed64c10b5787491c1538fa794d77c58b39047
SHA512 928cced06c4152813e67f73e018cb4003e2bb0a1d4623c1818b72251850550ff9ecdef5de26205ce820bf4b4d607b917a9af0c12167793c64f318b1ba607ac62

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 070d93603fe2a88662288b92f962504c
SHA1 8269d7ac09616efe2f5c0716c08cc964e8216275
SHA256 9ed2aaeb39075587b3a1a0bdce8e66ae64babcb402d08e72744dc80e597a624f
SHA512 36bbe5d1122619d2e5db2e019e616eb6318612129d9354e1b62efba9f3019368e69acbd56623d1e95167728d5adf753d4a67380820c721c347d0969b1d0343d9

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 256cece7d507fbc7c8096da38e1a0c94
SHA1 1989e951db733d146e6d0b9359ba57d07143c975
SHA256 1a23e9440a0d3503805bf6df8c8c7e1a426d4c4f5c2fca69e0c8b322c1c44c07
SHA512 0546ee787bed60a6de935feb913c43c845e3435a80110473fa9a8670605ef0f13099f9268d5fd8335558945642824bba341b1cc39f771034087b24a21b9b0604

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 bf7f3e817f7030ee290e1f1154e27170
SHA1 90f2a2c1cc987edd0fdb16029fcf16d9a6a048e7
SHA256 bc8cb87a87956fdfce1fb3a34c607b914054350bdc7d7ea46b0870aa956839b9
SHA512 60f92f264876d40c7fcc85e8a104f522b7020fadc3a4151022675ce8b32695895c7d0de2408bf9b2083405e6a96e7b1d906c10b7dcb2227c107c6bfe8e9e00d4

memory/1128-294-0x0000000004F70000-0x0000000004FB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 b4414f88c788c2d5150712b54ba3ebd5
SHA1 0e6a28fc5946413f705dd719b181906c1ed9e7ee
SHA256 f57b10b7876abdf13f1ccb59e560320475e10fd9ef5429d50fc959bd1ace4b2a
SHA512 846a6ecb929dfe209891bb6f1a7dee7f0b2244fe8ca51786c0bbccf3f1125cef15a2d29d969fbed1b104a00f5780aa10622cc2fb866a90f4490e1c2d3728a2ab

memory/2260-314-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/296-311-0x00000000FF5D0000-0x00000000FF687000-memory.dmp

memory/1044-324-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/1044-322-0x0000000000400000-0x000000000045C000-memory.dmp

memory/1248-333-0x0000000000DF0000-0x00000000011E8000-memory.dmp

memory/1248-335-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/580-336-0x0000000000240000-0x0000000000241000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 1b3a6a71cb1509a5deacc5b6ebd6e314
SHA1 7580bb788fefda6a3aae46f963c493da799f339c
SHA256 22d031a9976a8efb3e5a5ecd6f4e76ea24d07b1e612839587b5cc6db46278ce3
SHA512 63dcaf507e5681fcabb317d40b6778e8260148583e84898048620cf904ca75623e125c230d00f3b6a9bed815cb796ca209fef17a664be8ebc627e2a4bf3ab8b1

\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 40f70155db1e42ab9f51524da95a5531
SHA1 05d5eb0c8bf558b8b6c5ad307595db19033ce677
SHA256 9423d83223d2c647ec821f8719b4e09c03a2b74e863741169692135c7fee307f
SHA512 f8d87c24167e940e0a1d85e7e643499b30235e89e420634ee5d7c8ee6b14ae09fa710e6320036c7bbdf5458379946e676f1e2b0631218e66e950ba8c6006679b

\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 b1d7ea3b91ce01007e36f8956b86e1db
SHA1 1d6fcd288622f1b4d2eee54a16c8bc3ad72544e6
SHA256 12d5f60e2c6b0bdbcef8ecd2302a0b3e5e579b080dbf28f06edf5d56ecee86c0
SHA512 b385fd9b573f6dd18683ebc74af667a15cdff907eaf81d4bef7c4645f0c24b892ef030c938658e10b821883a0c423cdd87fdb31d1814179bc19231fea16c7c85

memory/1248-337-0x0000000002A40000-0x000000000332B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 6816592b3686f53489aee98c6097ea9c
SHA1 c4dd494e26998184cccb3da7233abeb17051d57d
SHA256 98ca63d19ad7f6b25f03717238159936cebb05e8ee24ddbb8bb352dcac6616fc
SHA512 abd3df56d217b19fe89e045b853b74740bf139cea7c8ec74c5b9717463921e7cddfe30941194027e37d7e43b2b3762e831668b313a7fd4c6f9db8d378b6c25af

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 a4babb7dca85fdc17d6fa3f5d8f04adc
SHA1 0fc21510ff59f493fbd25a13a63a22de78c2af53
SHA256 b9393cc66d146c51b52255294ad8a7e291fb6d7937b39c5ef4247921a80635f5
SHA512 5ab6820146a8d5cb509cf607069acc4f6c30b00edb7c9d10fcd29639933a60f4fa8e4b705a0d08222d7a889adeb0d106d6ed2c8ab3d9f7cbee33473742f23935

memory/1248-320-0x0000000000DF0000-0x00000000011E8000-memory.dmp

\Users\Admin\AppData\Local\Temp\nso80C5.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 f68774e31d4058bd5240c19856247743
SHA1 6fe690fb05ecb54faac2ca329f2daa4fff7fa9ca
SHA256 a18ada26ce039fbe51b93fc353f0f507382ac6b9c08785ed815542871e8c015e
SHA512 a0b5d5015747d4e84a14523f8cc4fa17677f6c6a1bf6c8563522bd0d2057c8868957cfb43cdf4756be671e59340e61a1ff0423d42087f034d38d801a0c1f55c8

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 24d01409e5ecc92b87876958152b5c67
SHA1 ecd90c5ef10c5aa956fbd4b7807531d0eb825e70
SHA256 03a28bc18075ff594932eee37a555db1f5e31eb4031147e8242e7eddd5c3feb3
SHA512 777f1ac95930b58541eba251b841e9ec1b0104a223a1c8fd5b416db621e2d5d563b99cdb39197c43eaf72c00c4d43bd3414682eac2b1e3e6f73af665aae2d4f5

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 8d558c9f81b80fa958f191a737596223
SHA1 5019adccf0c6ffc8f24b1e3b46e59d9f262a1656
SHA256 968fd2982219838973cf8a5147bf4cf722e1054aa237f8211313ccb8e1484dda
SHA512 d07cf611e831d9795f78a1e4d8d9b41380680cd31a3f04dc4195f998c73b4bd7e0771ec5af73042cb806afeadb008252382ac628e745bec053cec71ccbb4b54f

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 a15aeec992d7ee84d8bdfb4eb7bbaba3
SHA1 027aac94d7d70c49481e6d420a3ec8f6b1a80cf5
SHA256 282a84745a7ee714b7b1ed6a874af9e859dcd43d40e5de5e5900f911e7bb1722
SHA512 7b6b39e4e501e9552ac5f4681c3da449fe5501c56407d5ce20d72d63a790d4543d49071f5302ef8312dbb19489921757c2d6ac69cae81def7b1221507fbe89ec

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 0efde3a9de2d5f9ec37098b9e8cbc9c1
SHA1 aa090727f8200c07b9e2bb594b128a8152558807
SHA256 9292cf0a0ce8dee44fbf6aec6d50241e626a59e3ec2203795866fa67b4a556f1
SHA512 d4e713f60d3da28c2b3af99a5bfcb04bbd6e042fee4b8d07ca2454abda5954144d02ff87f20d5127dc755b95b22ee1354e851995d11b55ebb767558c579c16ac

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 ebec9f5b9fd6aeaa7ef5d9a8f5655e63
SHA1 615d973269ce4e65c08f3bc748c4aaa398209424
SHA256 3580137ad4c8995cd230027cf0211341dc9c685193c37d2122f7f68f31356ed7
SHA512 d6cfcf70567710936689d9aa8c3bdc6c426b62a4cb346bf1b08297efeef09c0ac43555b0ffc6e1e9ceefa1d17d4af504d38c6f38889a0a357de1a547a38b5d1e

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 d317fa545b3fabaad8f3a089594b3728
SHA1 a245ddefe7506f90a1acda790ed06887cdf2fa74
SHA256 99e922cd5f48de14f5ae2d0139ca5533c1ccd23140f93285c7314dbb4e7e61d0
SHA512 b7856f39924bb0f2ea87f5760a0ecd4c38c6356946d243d8df5f9977df0964c1519e3ace7b9ba42f7170eef6a79c84ed9444a02b79b62a542cb98c16a967063c

memory/1044-295-0x00000000002B0000-0x00000000003B0000-memory.dmp

memory/1044-296-0x00000000001B0000-0x00000000001BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 091d97f7e2cd3e494467cc0411308c68
SHA1 c517bb14fadd5b9436ceacc3d958e768e95c3650
SHA256 871793f2988442b774e6d700f8ddb706a34736c57e52d1c73b797113f6fa8a95
SHA512 d4fc112198929639846676505218d909b74d40b4045c1d07acc7e461ce19575c361e814064e8f8d7260f7489d6cb190bd38407604a69c28ff4612165b336544c

\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8ffd6ba0f47e888ef2d65c792bd91549
SHA1 b1ac234b252c52d99996359d31d678f9be3dcff9
SHA256 c1283d10d8cf551c5ba9ce55f98ceca45d59c48830c4a82f9396666ac9d10790
SHA512 1ce66855edff3e10f968571e1fbfc494fa84558d5bed5a8bd69afc9b258e8e83c48c155c4e4d3a9780f04605f7c8f63b9a3603883ae848551d5f95ae8cea9746

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 6a550537477e1a28cb8dabfd8bcc247f
SHA1 f0d4935578e1c20208a2e623735e4ba3e3563a12
SHA256 d036a3123324b2d64ac7380641715133f7a65e16fce33dd18fc24bb8ac5f7bab
SHA512 0b303afa47e6ba8c7b0a04754e7363656b0056748d785812030a0397a1052034b253a082300a7e594bf0dda9c68b8e47794a0086c5555b0b3fe166f0ea36fbdd

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 9627459d7eec2629e56a6439cd2f8ef7
SHA1 5581d3c177b2e3d694bbdb32b54531500f4c1682
SHA256 e99fe12a0b2a176d125994fa9b93aa1d3dc968647b53f0a628be8a73bdcbfe9b
SHA512 bbc112a46c7d0ac9c037d3a629120adc95a04647b0f1fc6ee94229de6cf71d94670cb75af385c39363ace5314c54c5adc180053e8a7260a53e831b80b309478e

memory/2728-365-0x0000000000CC0000-0x00000000010C8000-memory.dmp

memory/2724-366-0x0000000001320000-0x0000000001372000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 7bf1272c315c69140bbab970a4354737
SHA1 10d06f298f0705a9d2da0a3e327b50bb8b9baf8d
SHA256 3a622a2b61b8e94641dc42846d409eb0a5bc1febe1f02e914b769db384c00890
SHA512 363da70bc4e2b89ccdbb10e2f710a7e455c56bd940a47d6461c78d106be723c72253b330a675d2d554658d321e3db3fc3475848ba48fc543ef6635fa97e19e04

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 07173beefb0208b05051a0614b6e8530
SHA1 f01774cbf0173c07620cdf766c9500f4a52e1c87
SHA256 b61d6672d48b377847a8ccad995c1de505b1f700962e40105eea785ab2bfb49a
SHA512 43a630927a85bf73f717cd05b0a5beffdf9112cb9f13d678b8ab43f9ce45d93530515a979758086f6c71b89d8b66d802526714f4f418c754856c1beb87f7eb24

memory/2724-369-0x0000000073A80000-0x000000007416E000-memory.dmp

\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 1616a9c704e5c0d86789da193360bd93
SHA1 878ea8f398a1ece9f24b9449ef90af07a8ba8de5
SHA256 634c6a5f69535073133f9cfdcb49e3deed9f96b513b49bd716432e8f3b992225
SHA512 e0f8c0fa2dc27a70df16ee1ab349cfbb41c4468556f62cf00886f7be9f9f2bf531da9cfc1db019a13795acb161271ef7eb64f16d3dd432f95117d48b078d7237

memory/2724-370-0x0000000004D20000-0x0000000004D60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

MD5 5879fe09bc286dea2c8e3cbd7a6301af
SHA1 9ac970e93b10273cd02d81e3dd037daa54e793cf
SHA256 c50aa012e24453800119dac6a6073cd0c8ec355a0fe0a7a917c9c887c95fc80d
SHA512 c62a0b5e6876b7d9aae7f100a9061c94664c88b97e7d8639570a471c904138a88f6d230532dbe4ab4e43e8208b6650523c02b5d096fb8dd6bee03c7812a0cc24

C:\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

MD5 87b447af14a5f42c39ffbb5b449ca4c1
SHA1 05297602ff0432214008efd0dc7d5d815fec6662
SHA256 81174a43049aee9aad4f2ad8b040e9900ca511da807a8e38a2ff3d15b23124c9
SHA512 3e69426c8ec334a00b9b44eb7a66ffa2ab9f348a593f09a84349f2efdd446bc61def56fe7c1a11253708d2a2731d3c5cfd0dd7bb2d1d47138948d99dc32fbd6e

\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

MD5 890040f425eaa3881218e43ce6189790
SHA1 e6d1286d157ed7b05a2c19b75b167a09c75b6b31
SHA256 cf7688b942e8ec18a1fd2daba2f48e7277655ecbc7759008e97554d58e829976
SHA512 ed1eea88f2900bb84a2ef2b12977d8e34228bfc778b132d61ba7436a6a98e2944e7a01ce4ae5f2321fce48e4c8856681018f1839a588473f207345aebd3d89fb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

\Users\Admin\AppData\Local\Temp\nsy88F0.tmp

MD5 5e03f474c4c91b62e46fb9ba68b2d475
SHA1 3f71626f842b7a781ec80554cc1e42b37d96936a
SHA256 ac7e0ca194c8c46544fd9ab0b9b56f459228079c4eb091928a701dcfc4ec6f7a
SHA512 bac7487f003cdca77860d4494ccc50897cdc03b0aa395e4f3394e63a498986397597210053a7e55e9a493b41e31fe047baeb3e081b6bf7b49c2435268096500a

C:\Users\Admin\AppData\Local\Temp\Cab8E5D.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Tar8F4A.tmp

MD5 d9ea4a002113fc431ef731174bd45d35
SHA1 2323ccbec64688d35794a63a0cc5ffd9c6eb4770
SHA256 3cb524659029e827984b91193ede7b1bde047f3cce055b5a0ac63de10e502868
SHA512 f4a5a1a4ceaf2f2db96463316b2bdea4d7cfbeb43f8d2f077114e00390ee1cf284b7841eab7ca91962421784587c5b810624c9759d4d11b76de970953330bd54

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

MD5 cba3167a8f01e24ff2f154235928460a
SHA1 0fc5aa2c8c83759477638d46bbaa426bf674bffc
SHA256 25f3ae8759a21328da00728227a36300805ec46f50b322bac62aea7e06068c12
SHA512 08655d7d4b7368221fd435350d2b299b9cd30ce7a0821ce70179f1ac6669b033ba1f2beb9e47347052550fc58232361bc9972f7a584699cdcb268d4aab11813b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1c8e751693dadadd5d23ae7cc2f07b0
SHA1 09c3d1b54bb28a860c1a8ad230057a918d3ecdb9
SHA256 edbf664a16460fe2c70307a1d6db806394eb9daa80bd3c648da6a54de233374b
SHA512 6b489381bd898d966689430e18bba889889fcf224f9ec2934748d82eb3ac3f86f1e3ef27b77d57f31f5a0efbea7b971e1cc4d5e78cb46c7a0dd2896ff8613fb4

memory/2584-472-0x0000000000390000-0x0000000000870000-memory.dmp

memory/2256-471-0x00000000024C0000-0x0000000002558000-memory.dmp

memory/2256-473-0x00000000023D0000-0x0000000002468000-memory.dmp

memory/2256-474-0x0000000073A80000-0x000000007416E000-memory.dmp

memory/2256-475-0x0000000002600000-0x0000000002640000-memory.dmp

memory/2256-477-0x0000000002600000-0x0000000002640000-memory.dmp

memory/2256-479-0x0000000002600000-0x0000000002640000-memory.dmp

memory/1300-480-0x000007FEF55B0000-0x000007FEF5F9C000-memory.dmp

memory/2256-481-0x00000000026E0000-0x00000000046E0000-memory.dmp

memory/2592-485-0x0000000000230000-0x000000000024C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 6bc36143d6b1f7897ac24cf5a994a5b5
SHA1 91f9b62599b87af8493394e4daf0cee3284b9734
SHA256 d620c68311c639ee58e34e6d574992419ac2b37f3b1aae34e864749c04a63e99
SHA512 fc52e4c7308f521cc2f55c40b3326631624ccb25ead6c87b097b8d01440cd10583e706a9cba02cd8cc9cd9655ec42fda30aba6c3172464146f6e8d4794325533

memory/1960-519-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-521-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 d6c567363ca4a4dfc5cdf55212b3e660
SHA1 fd807c5196e896a49e2e6de76d6a2d8c4af14cf8
SHA256 65faba0142a6d50ae4f1688d4a37159b392bfbf792dbb909ed78c99d09001660
SHA512 367cea2e466381cc555a714ca582e48233db80d2ee8e61ee5b1dbb2cf6c369ef2d3df9e91514fcd60d8d5c41cdc3e8c1917468d59ce4aaa5997b408fffc135b8

memory/1960-520-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-531-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-533-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-534-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-539-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1960-543-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1248-538-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 496bb675c29127ae28cbfaa1ba56d046
SHA1 65551d294d2d2f504f33cf96b49fad4d13960001
SHA256 dd8bceb6f368bff9b45e6695c2ff3004aab42fad0810558735a3c29cd9014532
SHA512 a82d02a6509294da3c0a8e6864f12b5b258b65f114f3ea52ab64efe19af859770f3c03e7722c36c3d0e2440a0e5962b6e114ec3b902ddb85c74075d12cb793a5

memory/772-535-0x0000000000F20000-0x0000000001318000-memory.dmp

memory/2496-566-0x0000000004CA0000-0x0000000004E45000-memory.dmp

memory/2496-572-0x0000000004CA0000-0x0000000004E45000-memory.dmp

memory/2496-567-0x0000000004CA0000-0x0000000004E45000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

MD5 271eff1529bd028d9cb036ef36766591
SHA1 6ad75c801db8240fa2cae991f45a8565964e2dda
SHA256 569b9de1cae5612354a31158a3a3f882d2d9ca01338f6cfc821a9c25ff0a3e40
SHA512 558d504e9baaf7474da1038ce32617ae8cf4f7194ae0cf2614db7fc582c0df0aa74adb8afb157f9af6a637abdb4ec9334e4c15a29f71291b45684b79b9b51888

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

MD5 9aa8737202bac7dcc71ef4c77939f82b
SHA1 25b29b7274fb3ef7d16052f8400d24540621aff9
SHA256 a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff
SHA512 aa55987a32b3e259376594df68a2008007353953a2bf390b44b908e5fdaee181d3b216aec46f8679aa5f5e4164a0a412511621c6249d3cab7e1eba86d8494a7a

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 96b84119e4735b25a48799133c73b2e2
SHA1 114cc635518e004323a4c18faeb0c889ef38a22e
SHA256 eea9917904dcce9b90228b982e0a05973ea444c61da1750224f3d06c129e54ed
SHA512 3e21b66ebf505ad6addd5d9839b58cca4aabf0a5936a5eebcbaf601a201b888f56789a9cde8c128c6da2f44b37389a72d611ec5d60f64294875748fb15528c0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a52de3b51f8461299ce680c609846a6b
SHA1 08d0dfd7f7112dab415bc55636952c798aa42edc
SHA256 c298a856a380400984d8738885333019225ab268d8060a194ada92d81504f4ab
SHA512 91b71737d98fa24f3c52cc9501f213b56ee52250d037f75fac1cb640455d2438f7ec5aecff793f7cb8a428dafa3ee556c7773ec0cdc252f135732cd9ed11d6b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 18:36

Reported

2024-01-30 18:38

Platform

win10v2004-20231215-en

Max time kernel

5s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3784 -ip 3784

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 1232

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp

C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp

C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 116 -ip 116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 116 -s 348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 228 -ip 228

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsn993F.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 2340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 228 -ip 228

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 2516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

Network


Files
