Analysis Overview
SHA256
f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4
Threat Level: Known bad
The file b5ee067743155c953eb9b6426ede5062.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine payload
RedLine
xmrig
Glupteba payload
Glupteba
Amadey
ZGRat
RisePro
Detect ZGRat V1
Identifies VirtualBox via ACPI registry values (likely anti-VM)
XMRig Miner payload
Stops running service(s)
Downloads MZ/PE file
Blocklisted process makes network request
Modifies Windows Firewall
Creates new service(s)
.NET Reactor protector
Identifies Wine through registry keys
Loads dropped DLL
Checks BIOS information in registry
UPX packed file
Executes dropped EXE
Modifies file permissions
Checks computer location settings
Reads user/profile data of web browsers
Themida packer
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Launches sc.exe
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
outlook_win_path
Checks SCSI registry key(s)
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Creates scheduled task(s)
outlook_office_path
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-30 18:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-30 18:37
Reported
2024-01-30 18:39
Platform
win7-20231215-en
Max time kernel
32s
Max time network
152s
Command Line
Signatures
Amadey
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe | N/A |
| N/A | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000778001\\lada.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2464 set thread context of 1496 | N/A | C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe | C:\Windows\explorer.exe |
| PID 2076 set thread context of 2292 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
| PID 2076 set thread context of 2632 | N/A | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | C:\Windows\system32\conhost.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\explorer.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\conhost.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe
"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 596
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
conhost.exe
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2412 -s 604
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {B0F86535-9124-40AF-91FC-9A8FBF9A2A37} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
Network
| Country | Destination | Domain | Proto |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| FI | 109.107.182.3:80 | 109.107.182.3 | tcp |
| NL | 195.20.16.103:20440 | N/A | tcp |
| US | 8.8.8.8:53 | pool.hashvault.pro | udp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| RU | 5.42.64.4:80 | 5.42.64.4 | tcp |
| RU | 185.215.113.68:80 | 185.215.113.68 | tcp |
| DE | 141.95.211.148:46011 | N/A | tcp |
| DE | 95.179.241.203:80 | pool.hashvault.pro | tcp |
| DE | 20.79.30.95:33223 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
| MD5 | b5ee067743155c953eb9b6426ede5062 |
| SHA1 | 0725e7b508a48778c10a06c446845b0571480716 |
| SHA256 | f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4 |
| SHA512 | 22afde42ebe8662746ba3c879a4978caf096e4b23503a12b3c74d32f80c2c647927bb458505071868ceb43f5eefcc026638ec124e85742cd7c395ddde48f0db5 |
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 5dec9f02f7067194f9928e37ed05c8f6 |
| SHA1 | 06f13ca068514d08f0595ded4ef140078888235a |
| SHA256 | dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806 |
| SHA512 | 98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c |
\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 58b38ad302507d1fd9efbd02555ee712 |
| SHA1 | 7f9aa30952e23a77ffc6fd205106dbb426d85d07 |
| SHA256 | 80d8006a8063a43693393a1c237ecc7c44c378366bbdec19afcbef53b209c2fe |
| SHA512 | f7da8ca9723302700b410ef24fa537b5a30eb8d38ae36025d3001490786798214148dd5a3f1ad3a47b4aae1f8ca4c2cc30ba1fa07068807e34cce4ecfae60aa8 |
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
| MD5 | 09f8a4e0014fd1a8cce243421636e902 |
| SHA1 | a3d194c6e8e9fb490c0aa29710ef37d5ab2bd5b7 |
| SHA256 | 3f8052a8269cbb14b95b716314d5fa5ea6e2868ca92030f098d4f76110c56b8f |
| SHA512 | 556fb52831eee566ff6eac9f2314229dd1174ac2319038e50593cbd3c5a5016d86056fec8e739719ab829e636fcf30b67dcac9dce825366e84c5fdb8b1eb0934 |
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
| MD5 | 2c470494b6dc68b2346e42542d80a0fd |
| SHA1 | 87ce1483571bf04d67be4c8cb12fb7dfef4ba299 |
| SHA256 | 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9 |
| SHA512 | c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5 |
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | bf2a3e48b0ea897e1cb01f8e2d37a995 |
| SHA1 | 4e7cd01f8126099d550e126ff1c44b9f60f79b70 |
| SHA256 | 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3 |
| SHA512 | 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91 |
\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 1d3260677106332e9c02ed9cd549a677 |
| SHA1 | 4106e345f9ff47868c1a130caa2518af95e361f6 |
| SHA256 | 64d79a7114a2dde58fc41a19fbdb29231e5526a4efb384d78876a38b71d26ab0 |
| SHA512 | 0d3f5c101fbb028d1527baa2d59a1bbaa2300c5bf409f00078b3f596f40467521ecb6c4845eb2fc88132fa7ac9d27958dbe4e2877f8b21e6f3dddcedff306352 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | 1b7c22a214949975556626d7217e9a39 |
| SHA1 | d01c97e2944166ed23e47e4a62ff471ab8fa031f |
| SHA256 | 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87 |
| SHA512 | ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5 |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | fd2278c1d3a9721e34f2df857a1c869d |
| SHA1 | 84252835cbe562122c2ebc2dd360c3afbd77228b |
| SHA256 | e403e78c30ca071905243077eff55dad8074bb03b7ff1cd1554b3d3957bec044 |
| SHA512 | 66d2f9225e6f9d57d5cb892d6e897b748c5b1750830b07c881eecd1e32dc5721e3e949a0029df9a966be5a7f6dc2f55c0c8e59a62d9e9af47e0a6d2b00e363c7 |
\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | d8606555f8b196d4945d5196b67f31ca |
| SHA1 | 5a322b8438e9b1b369eaf5f58936dc6546788399 |
| SHA256 | effba831bf45b705d3c6462fe716cb521e61419dc44bf89dde57d3c7c93ea571 |
| SHA512 | 0ceacae258b77c172073995f5b7cd09ce6e3c0c496aa669924e46b522f8e75aad7939c65d33615668ade7235798a37efaf10bb6bf9f5942ce6c6a194b295abf6 |
\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 8ebdfbbf7d83252fdaca0741e282a465 |
| SHA1 | 78533dabe01b967d32f86c3f794e47b64dc907cf |
| SHA256 | 4b6f6a7bc6973e21402e2602fe4bd2203cad9711ebce0d743a1577bf18faf91f |
| SHA512 | 3a9750b99e4bcfba51798b7b3eceea40f278c07ed75766749798e78618f49516996b55faf8b3874d6cfd8655159c46d6ccd641bbf7582d5c82eadae7cc1f4b13 |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | bccf9bb9ccb5bb02c1e0f1bd4714ff32 |
| SHA1 | acd855bac0475cf7c23148adf8ae1c934d799ff7 |
| SHA256 | fe286dbe24d7c2791a2dd4baade4216da99cb6addab0cf4542af55c496a531dc |
| SHA512 | bb6005ac42969ccb583676c4f8536fd77f23a02530148967411080bbdda28a634dee1dfbd2422c116da42cb5fe114cc76dbdb56ee2fc78fa67faa08572ff2a53 |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 8122f282f3899e20fe4e89a56e6d71de |
| SHA1 | 7e01f7317190b6a42654a4dcecd0c1427bb050f4 |
| SHA256 | bf41b8ec56b1a477e01ca1537f130aca8ad382e4d6baeb1fd77f61033f329e06 |
| SHA512 | 665f9c5e644fcbde0676d8eacd6f5d21049e2c4129b9a76ccefc2e9aeeacfbcf05fd8a5d32d0382651237c079b8371f6ba4209fee8e7cf598a659951cd3828f0 |
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 3f27a2e2eb13aacfae7e3488f3d74319 |
| SHA1 | 53aa7ef037c11f9f4d6d40167cdba3f5f3610218 |
| SHA256 | 44f64b512fcbfab7608f560b157ff96120d4eb24bd8444f419d3d9c50f9fc6ba |
| SHA512 | 87fe41569152c2a585f41bb5cdb19733bf05efbad16d05ef5e28546015aa975f76fc3adaf55a86fd2e78eaf77f1a1aa128182c063bb82e75c681840099aa7dda |
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 7778d5cf70e3b868568ddb060facded0 |
| SHA1 | d2b036edd4196aa578c7c715d27f614bca86463c |
| SHA256 | d62d1af1d8728ea17560320795699c7fa6a87cdfe1737ab31bc2357d6c7adc06 |
| SHA512 | b2536777a09a957f64183c8cdbf5add750d740683c569e5ab912a44b968e5f25bd924670849d0c968fdb82dd10a4d8eda951d118ca239bd88bf718a908ea3fb7 |
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 39c3f20c12fc6f202b903b117ee71605 |
| SHA1 | 16bd4187b175accf631f61c0c2f0139ff81166f0 |
| SHA256 | 67097c1ae4631891cd7f01adb1b1b4c6664f57c5d0af469ec51c70a73f8817ab |
| SHA512 | 30ebbca125e49c33bf01ea8049cefdeefadd41861b7a182224b64ffaa68c09746f909d7e7830cf222fd47cdf989be5ec3034e281488c7df51e8000274b20d73d |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 9451a7a5bfbc938542b8c59fcdc41aab |
| SHA1 | 32cfa442f98d8de94d105a162492ceed26710ff6 |
| SHA256 | d7569b2c6bcb00e2353ab94e96a312f05986a9dedf5df091be40080268b1ea37 |
| SHA512 | cc412093325ad289c1967634af0b52af93ba8803fc82564dc351069df7474e60c75dcd28e6771ee794bfda4a438de92670a29fed303f93069dd32a0f04da2e2d |
\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 7821d276baeff25fad899ef2c0711269 |
| SHA1 | 1d57cd1b4c467d6599d6617d5dfab35c62b174d4 |
| SHA256 | 302524c068160a1a797efcd3e6eff4be30af5cb24eff1637c807c0d3a53c445c |
| SHA512 | dff021f5123ba3d1e824744307f85d42c9966d43d64e1660e6bd395546f0954f6a17d06707db9b1f6fd972a20d199ad36bd7a707c1a1dd5815281dfca28be979 |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | 8d1956bf206d4f8296f7c5270f3ecab2 |
| SHA1 | 4e297f3265b4614a64fbe980ea8f679a820e9dde |
| SHA256 | 5b38fcad8a1b803acf3263b6807e35fa2299fa61adba280f4766a304c975ba59 |
| SHA512 | f1d9ad38fa5ed793e5a8085d819b4a1b7080757f01d58c069f3d42fa007f512a305bfaebb4864cfe24d131402c1f877116660242e9bdf024f6d0b7340ab67035 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 2cc616e355787b5e4872c1dc6195ef8b |
| SHA1 | 1482e7b046a83b34e48161b8eff07839f9f37da9 |
| SHA256 | 43413647d3b6d8a79d2360ea196f285be24c7c9cc88079e3acaf31aa9ae8584b |
| SHA512 | b628db493387bb8270cf8b68a1c9d6df4dfb6ad4ff145ae2044fc5c21ddb152fdac3f74fbf299328154c793c4e67c62468b6e5109be2145ac34380acbb9577a6 |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | 33d42fb0b07b8287ae6bf31ea6ac7bf2 |
| SHA1 | aa3184284da9bece322a275c8695c9791486083c |
| SHA256 | 6002595ec2d7b36e01befda2599acc80f0f1db196369ae3359d1f2e464ee1ec2 |
| SHA512 | 08ba7ba98c3ecfe45d87a3945d19c76b5f9cd465356ff1c29c0f700fca971f109936dd819ad455c20ee82b767ecd98a982ca1a58053d582f530492a8b5e20f3a |
\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | 3b0cadf09d3c76d762277a6163492866 |
| SHA1 | 994084c140aaf0744b55fe74caa2c1241c65b90c |
| SHA256 | daee55b813327d93e886a156ce913fbb732919585b2dcd85a496d932575408c2 |
| SHA512 | 5b7be778645d9b218c0747c2c2fee2762873193b9cb10399bf04cf71dec92800708e4e9200d6429e3d49f0d3fc0f7755eeade36d6cefd5d2b8454665a87e1973 |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 7fde9ea27a1fa4502e91580d28984f6f |
| SHA1 | 23d2365b9ab1521c5b8b06630aa54815808fb82e |
| SHA256 | a6675cfa71bb513444984baafb3dae7384f1d75c49f87da5122c46ef72efe39e |
| SHA512 | ed278a590449890d804c05c572a68bdbb92fc53b2d4a37f13e7fa3a01e9a5a4ab0312d370ebf1e466a25b25c98160a9d6f3955e34225e21362b3414490306b49 |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | e192ed56e9f5156b30ac5b5764f1eea1 |
| SHA1 | cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5 |
| SHA256 | be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3 |
| SHA512 | a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b |
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | 891a61781d8e853c614d640ac257490e |
| SHA1 | 1a94fd11bd95c9fb7209653cc13313ea4caf0e4d |
| SHA256 | af783838f02a415f2ab1cc39c6fa281321f7ca34cf69aa8d28fbe1734273001e |
| SHA512 | a11e5f6b553154871c5818d9fc8bceb5b213dadcd901d4fd8404e1d616405cdccc55e1fc03e3e446dc719a6db40fcfdd704547b9b85f455a74169163e336ee92 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | 85af6c99d918757171d2d280e5ac61ef |
| SHA1 | ba1426d0ecf89825f690adad0a9f3c8c528ed48e |
| SHA256 | 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e |
| SHA512 | 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e |
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
| MD5 | ac0afc876f0ca45df73db2cf8e409f93 |
| SHA1 | 182f2556ccfd605ea06375346eeae57f13e7999a |
| SHA256 | 9cd5df102524be8d4d89f1e48f16a52f1d6223b52ca8aa7b46466ccc20469761 |
| SHA512 | 278bd37c6f2f974ffb75154bd88b9ec58746502a722c6d8fc338c891e55d3e6396cc9541108ada49746eaf54aad1b5df9646a9e28d8377b6d90a04fae41e0448 |
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | c1821ce28796e9a3aec5b56e75b58002 |
| SHA1 | 85a6bc4ddd97e735f3f6ffcb13194ed842556db2 |
| SHA256 | daee161aed005b79e196a20b4765aaeb7135f0c537629227f1803523dd57e225 |
| SHA512 | 7ee3a621231569c636e457658ee5b1f90206b5889fdc87d41938f623edcfc945367dae886e5a29924f9ce042bc69d965662cd7786b09ddb1bacd1f1f263be15b |
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 4df5830d800f63bf5cab9198659e837f |
| SHA1 | 7878766a0e8a816873dd6176456cd093405e6e6e |
| SHA256 | b474ae0b0e05b6eb1341d44695adb021669126a693359e6003999516554a71b9 |
| SHA512 | 79b5d87a41756b49f70567638d0ac1168d1ccf9c7cb97428b997b0e653ffdaa0d0cf6f4f1543c7de01d32d8f29afc5c77d9dd1d313cba2db2b704da5e692b5c8 |
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 5d33b3a3188e3037481a5d991de15b62 |
| SHA1 | 095e8c1e8169328ba3106becdee8403bbf55a6b7 |
| SHA256 | bfbb91c5998dd8c6429e9c364c713562c75f17988d37ad154443675e06311d74 |
| SHA512 | 86e1a5e63ad00631fd99729d8c32568d9f806a22e7bfe039ef184ac60135c703b6682d6dd0c61a36e32d3c8b8ca1bb8a8ff294bc5d923a63bf3a2639a31c7bf6 |
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 78619d6e6970feb412ce8dcabb7585cc |
| SHA1 | 83e14922bea1ea33616c8086746d60a114883227 |
| SHA256 | 67e7e524dfe74e244f0e1737fa87360648ec6cf5eae204bc6911ddc12b0e9d20 |
| SHA512 | 70fb9b8a813bb372c7e3c583d01f37aa314254bfb1aa6d4841a532fd686be5deae6fbc862b5835620b6a0a5cb9361325c59b4d918983123fb375b7d366737d59 |
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 0aec92a35de4d3b38a828aa3d159f8c9 |
| SHA1 | f4acf623c2860f911fe45627f3d91d2f4125fbff |
| SHA256 | 6b5f9cabda1df4991a99cc4c14799a18d6cd64385d899993f129029fd607d418 |
| SHA512 | d38f1acc6b3181b341746bfd65f9d4b57f67e6870701bb649e516ae25083defb629a3a1cce7709d2802ddb089a20e3c0ebe16ba12b38a4ed0215b55ed09b84e7 |
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | 05203f3fe3ae89700c06989192fc8288 |
| SHA1 | 2ea8a68ef4dd1addbed2b15c85102aed543dd208 |
| SHA256 | 37f1d6bf38f081f4b206ca402c513c0aae46a6c7be2628275a95808bf6d4aa48 |
| SHA512 | 125b091ef7901e353f8e6abd9fc4b95d2c891c72c69464ff3c4eaf59fae94bf0461ef2846782bfc3d2deb2a848f813287d956c85a08d2b65e580207addbfe418 |
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | eb1a06fb52af43f59e3026d4cd2d0eea |
| SHA1 | b60be2b636033b1ea11e403a2859b70904b44819 |
| SHA256 | 75b8eadbacb7322e90a65a9c6f292c30b12da324780062c25455c74a408842df |
| SHA512 | 0a19b77e2d2dc7d6ae2c1fd8c975fa9f3f6c3a420a6d35a713ed14689d4e0a61579c6273873cb110147b023291c80b55493ba6957713022e55c5b58845adfa2d |
memory/2412-295-0x0000000002840000-0x0000000004840000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | a7f006c2a771dff8ab38e0c92ae68901 |
| SHA1 | 93d815656cc14500e750cc49368810a40dca76e3 |
| SHA256 | f85b39abd48101835c2639d1eee358adedc9c97d136e22df8b2b7d75d3912c7a |
| SHA512 | f37cc5c290bbd114932ee44dfa11d70fb509ab2e0abc871e5cdda908eb8e47592ddc14377df32225aaacb8ca6a19afc75621afb1ba331b0314ac7af5de03f976 |
memory/2284-304-0x000000013FE80000-0x00000001408BD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | 9aa8737202bac7dcc71ef4c77939f82b |
| SHA1 | 25b29b7274fb3ef7d16052f8400d24540621aff9 |
| SHA256 | a177d02e062d3068da14ad638fe58ce76d614fa15c1890f668747c61bd132aff |
| SHA512 | aa55987a32b3e259376594df68a2008007353953a2bf390b44b908e5fdaee181d3b216aec46f8679aa5f5e4164a0a412511621c6249d3cab7e1eba86d8494a7a |
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 8f7534577ab0ad5244531336762384c3 |
| SHA1 | 09e06b30bbb2bbc35942eb51dd6e98b5fb9d71ea |
| SHA256 | 155b8f7fff3c43e9186c169883b94b1ad3e6abc3f76c552b955122d3def6bf32 |
| SHA512 | cbfe5d2431998164501741b65db76397ea32d70d85034f2d72b104185f4429bfa5264e311dabd3a90c3af3bb7d513caf3596b66d9cb52107e1df68a8c6111a93 |
memory/1020-311-0x0000000000B30000-0x00000000010B8000-memory.dmp
memory/2076-313-0x000000013FE80000-0x00000001408BD000-memory.dmp
\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | c2237128f1f5d9befcd2ddb412ab0948 |
| SHA1 | 4fd15f4e02a3d7efb85dceb4eb0fb034c25dc67f |
| SHA256 | 6f1757cbf7967926b98b05fb72bdd1dbd4619c9b19b5229136957ac9e72fe943 |
| SHA512 | b74167dd17df852ef35527ac623a8b6daeeb2ebd5981053256cf9e619dd3f07c25ae24c0c87b456982867ff53e9b40911fd1d81fcf8ee9bea12acb3637162da7 |
memory/240-314-0x00000000023B0000-0x00000000043B0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | a71653df1af7053fe4262f792a565c2e |
| SHA1 | 65515ffb5e661cce97611297ed4b02a51104dd77 |
| SHA256 | 51283a1b7b2134bc395592f3f906df6eff4c1fde866b94b94d454057a65035fd |
| SHA512 | 807137404f2c547c8b05faa9ca61feab9883a87456546fd0038ab27cb3a09b6a847aeabcb426ff32dde303982358651233f87d74c022259814e86029cc4c5726 |
memory/2160-321-0x00000000048C0000-0x0000000004900000-memory.dmp
memory/2688-316-0x0000000004B80000-0x0000000005108000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | 044875570d21149ef40f32ef0f92575d |
| SHA1 | 0cb9b080be7a0964128b04e754ceb6ff3c55f18b |
| SHA256 | 209a21a7c8e08fe880d5c073379064e49c3328c9d356198d84b77303c1d21f8d |
| SHA512 | 0340a9c650cedba54c35503eb51311f9f044571889bde51daff7b62cfa0c2cd06b57ea0eb5d8ff36134a46ce54cd429821cc7519f1749cb55553784a35e0b4f1 |
memory/2264-326-0x0000000000C40000-0x0000000000C94000-memory.dmp
memory/1020-328-0x0000000077440000-0x0000000077442000-memory.dmp
memory/2160-325-0x0000000002380000-0x0000000004380000-memory.dmp
memory/2264-330-0x0000000073D70000-0x000000007445E000-memory.dmp
memory/2264-332-0x0000000004D40000-0x0000000004D80000-memory.dmp
memory/1020-333-0x0000000000B20000-0x0000000000B22000-memory.dmp
memory/1020-334-0x00000000009F0000-0x00000000009F1000-memory.dmp
memory/1020-335-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/1020-336-0x00000000008C0000-0x00000000008C1000-memory.dmp
memory/1020-337-0x0000000000B30000-0x00000000010B8000-memory.dmp
memory/1020-339-0x0000000002A10000-0x0000000002A11000-memory.dmp
memory/1020-341-0x0000000002BA0000-0x0000000002BA1000-memory.dmp
memory/1020-342-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/1020-343-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/1020-344-0x0000000000A30000-0x0000000000A31000-memory.dmp
memory/1020-345-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/1020-340-0x0000000002580000-0x0000000002581000-memory.dmp
memory/1020-346-0x0000000002BF0000-0x0000000002BF2000-memory.dmp
memory/2412-350-0x0000000073D70000-0x000000007445E000-memory.dmp
memory/2412-351-0x0000000004BB0000-0x0000000004BF0000-memory.dmp
memory/2632-352-0x0000000000350000-0x0000000000370000-memory.dmp
\??\c:\users\admin\appdata\local\temp\F59E91F8
| MD5 | 3853abb35ab617a117144f119cdc9808 |
| SHA1 | 03d8fb3499ba7e77d9aa75cdd118b4e7a74fc4ae |
| SHA256 | f4a22e11f7d4a6ea0c60654edc821df260b093ce1ccb911f16b42bcfc96278ef |
| SHA512 | 0c79095134ef83f1eed98cdaff749fb557e6543789879fc09650726cc8c575ba18757975bb67e245846fad304ea3dd0abc0f489c810b8ef1b5f08d72e711e1b8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-30 18:37
Reported
2024-01-30 18:39
Platform
win10v2004-20231215-en
Max time kernel
156s
Max time network
160s
Command Line
Signatures
Amadey
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
ZGRat
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Office\12.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Office\14.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lada.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000778001\\lada.exe" | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Checks installed software on the system
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.ipify.org | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Dctooux.job | C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\nseC09E.tmp | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\nseC09E.tmp | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\sc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | N/A | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe
"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F
C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"
C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"
C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe
"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe
"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"
C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe
"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe
"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"
C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe
"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"
C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"
C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"
C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe
"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4136 -ip 4136
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3572 -s 1116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 372
C:\Users\Admin\AppData\Local\Temp\nseC09E.tmp
C:\Users\Admin\AppData\Local\Temp\nseC09E.tmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4136 -ip 4136
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "FLWCUERA"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "ACULXOBT"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4136 -ip 4136
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 388
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "ACULXOBT"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3572 -ip 3572
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5032 -ip 5032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1176
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4136 -ip 4136
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "FLWCUERA"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 716
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4136 -ip 4136
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4136 -ip 4136
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 704
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4136 -ip 4136
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4344 -ip 4344
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2276 -ip 2276
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 1340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 620
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 780
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 644
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 712
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 816
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 660
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 880
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 808
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe
C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\8F55.exe
C:\Users\Admin\AppData\Local\Temp\8F55.exe
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3164 -ip 3164
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3164 -s 352
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2160 -ip 2160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 340
C:\Users\Admin\AppData\Local\Temp\A57E.exe
C:\Users\Admin\AppData\Local\Temp\A57E.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 340
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 356
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 360
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 652
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 696
C:\Users\Admin\AppData\Local\Temp\A57E.exe
C:\Users\Admin\AppData\Local\Temp\A57E.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 708
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 744
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 768
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\24629723-5095-4dcc-820d-a2fab3cc7eb8" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\A57E.exe
"C:\Users\Admin\AppData\Local\Temp\A57E.exe" --Admin IsNotAutoStart IsNotTask
C:\Users\Admin\AppData\Local\Temp\C29C.exe
C:\Users\Admin\AppData\Local\Temp\C29C.exe
C:\Users\Admin\AppData\Local\Temp\A57E.exe
"C:\Users\Admin\AppData\Local\Temp\A57E.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4164 -ip 4164
C:\Users\Admin\AppData\Local\Temp\C945.exe
C:\Users\Admin\AppData\Local\Temp\C945.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4164 -s 568
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4696 -ip 4696
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 604
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 372
C:\Users\Admin\AppData\Local\Temp\fi.exe
"C:\Users\Admin\AppData\Local\Temp\fi.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 376
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 392
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 680
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 724
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 748
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 780
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 908
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 860
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 804
C:\Users\Admin\AppData\Local\Temp\33D7.exe
C:\Users\Admin\AppData\Local\Temp\33D7.exe
C:\Users\Admin\AppData\Local\Temp\3ACD.exe
C:\Users\Admin\AppData\Local\Temp\3ACD.exe
C:\Users\Admin\AppData\Local\Temp\434A.exe
C:\Users\Admin\AppData\Local\Temp\434A.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Bathrooms Bathrooms.bat & Bathrooms.bat & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2920 -ip 2920
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 980
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 952
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 4172 -ip 4172
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4172 -s 988
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
Network
Files
| SHA512 | f8abf77020dfe9cba6c8afb6535a86338a8923dac7d3a81ce78110302708611109c3b80104178ec6dcd95ce7d9e60829fa8b88c7411aa726699aec04eaaccb9c |
memory/4512-423-0x0000000005220000-0x00000000052B8000-memory.dmp
memory/4420-424-0x0000000000C10000-0x0000000001018000-memory.dmp
memory/4052-426-0x0000000000B10000-0x0000000000FF0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsiB235.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
memory/5032-451-0x0000000000400000-0x000000000048A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 774510bcff294f80e47a210a19483749 |
| SHA1 | 0de009eca6fe604d132b052a424479b76ca72448 |
| SHA256 | 207e61d940900c1a17cc112b66072482aa0f11d4933f0387bf9d9b8f6487f955 |
| SHA512 | 076c64b82bf55e174f2283829292f5a21c072f57fa107900f9f013f82e94c833264e4cfe5a83d81830162d054b35c21f67778dcf25f7fadd6168d70b0b511741 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1dfbfa155719f83b510b162d53402188 |
| SHA1 | 5b77bb156fff78643da4c559ca920f760075906c |
| SHA256 | b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831 |
| SHA512 | be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad |
C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
C:\Users\Admin\AppData\Local\Temp\nseC09E.tmp
| MD5 | 5c3f598a5fa9502e9d392100eae20179 |
| SHA1 | 2c1b9ccac0521af27fa5f9c2f264f1eef70eff38 |
| SHA256 | dc0336d9aba86d84c023e0eb121f7e0a2a1d1bfd858e6c456850b8a7ab2d6a63 |
| SHA512 | f6d68f1a329ce63cb8a7fd9897497cf4ab9308c83db84f1be66a9cc6bc753502805dec8bffa6b4fd7d7464d793c69bcf4a82ff1d958f5214ee01d98b5563108b |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | f693118d35022f48a92b629d26b0d7ab |
| SHA1 | 342bcbacbdf8f7b89411bf142f7fcc845927c8a6 |
| SHA256 | 9d532d05ae4bd069328e2f41174de31e75d09e4139eab0832543c69f0853381b |
| SHA512 | 2ed2a6fdec52853b7a07f3cc99b34222a65ab355a71eef377ae173680b2a60287f2f6891c91bf12632c967ff099823ded7799bb4e633396f6c6083f94e26060e |
C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe
| MD5 | 7c0ba784bebec7937f81678fcaadb25f |
| SHA1 | 683cd093c62e84049d9efd613ad11a28e6f85408 |
| SHA256 | 073f03695106b6421edea02778675f93c0ae97f2371e2e5d683c6c0c69c30a37 |
| SHA512 | 8bbe22a2d313b504c78a4a15aa2cdb7b5b3206e01c62d4bc3903777e0a10165d99f00db11b1c6b24de4ef53547388fcb1283a2d89089270f74a199213432a554 |
memory/3928-455-0x0000000000400000-0x000000000045C000-memory.dmp
memory/968-498-0x0000000000C10000-0x0000000001018000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | d6c567363ca4a4dfc5cdf55212b3e660 |
| SHA1 | fd807c5196e896a49e2e6de76d6a2d8c4af14cf8 |
| SHA256 | 65faba0142a6d50ae4f1688d4a37159b392bfbf792dbb909ed78c99d09001660 |
| SHA512 | 367cea2e466381cc555a714ca582e48233db80d2ee8e61ee5b1dbb2cf6c369ef2d3df9e91514fcd60d8d5c41cdc3e8c1917468d59ce4aaa5997b408fffc135b8 |
memory/4136-514-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/664-516-0x0000000000400000-0x00000000008E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 7e57b1d3e6235707e8cee9a1ea3dac7b |
| SHA1 | f1ec29954b20003fcfe6ebfde1b48a9a5cee9500 |
| SHA256 | 649975caa3da21f28169981e03cfd74da5639101c50d2300d7eb0e6d2819fcda |
| SHA512 | bc8c710daee489ccb3bb5664d88017103a2cabfb7b26b452de01e1eeb7e2f242db38e32b559e9ff30031c19bb3515246fe9ceb0479c61ee3d490d6729994d90f |
C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe
| MD5 | 5d33b3a3188e3037481a5d991de15b62 |
| SHA1 | 095e8c1e8169328ba3106becdee8403bbf55a6b7 |
| SHA256 | bfbb91c5998dd8c6429e9c364c713562c75f17988d37ad154443675e06311d74 |
| SHA512 | 86e1a5e63ad00631fd99729d8c32568d9f806a22e7bfe039ef184ac60135c703b6682d6dd0c61a36e32d3c8b8ca1bb8a8ff294bc5d923a63bf3a2639a31c7bf6 |
memory/3464-439-0x0000000002590000-0x00000000025A6000-memory.dmp
memory/5032-436-0x0000000000400000-0x000000000048A000-memory.dmp
memory/3928-405-0x0000000000400000-0x000000000045C000-memory.dmp
memory/3172-545-0x00000000035D0000-0x0000000003669000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | e192ed56e9f5156b30ac5b5764f1eea1 |
| SHA1 | cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5 |
| SHA256 | be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3 |
| SHA512 | a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b |
C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe
| MD5 | bf2a3e48b0ea897e1cb01f8e2d37a995 |
| SHA1 | 4e7cd01f8126099d550e126ff1c44b9f60f79b70 |
| SHA256 | 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3 |
| SHA512 | 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d200fc985522b12b2d984cef3c499b0b |
| SHA1 | d6be524852684fe8f1f74c8b1259c499a14f631a |
| SHA256 | be3ae061accf0d5c954afdb2e4cd4b702c5f89ee70fcf889cd1aa0192c0e87d2 |
| SHA512 | 9edbf64b12c4c81c9bf98e9a0fb26f5d1d39ed178596d6dabca01450a762794395bdb73262fd1a81bdb01d08d3e0f6514dd73ff31b8f81ff1520dffdd31076f4 |
memory/968-381-0x0000000000C10000-0x0000000001018000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe
| MD5 | ac7cf2550db3533c96266fbe9969e7fc |
| SHA1 | cb72ed014fa216146ff0b563315f75a7547ea4a3 |
| SHA256 | 67a708e60ba23dce20c3b3ac1a1ced01ec666092a9699c487a6c33544c36a1b6 |
| SHA512 | 935d7351b040663043c02c77d4d68b2c87ad17e4e2c1ef523629f02b63ecbd05a0f54618bc202dd45d51b382cd37952fef769154eb23b24504c98c1075864324 |
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 9eb75f17e86d6a366a71f605e5795685 |
| SHA1 | d35e5e5d378a6c860fd1af9150d157c057d276a1 |
| SHA256 | c4ef98292bd27a8071383f4dd4bbde3a55ddde91e9b35218e09afa7b158153da |
| SHA512 | d7f47bc822d23fd8a455d40a8eb9c2d9e49d6891e6cdfbc0972519012790e78d6323ae8dd1eaa1be60b8fafea3e011bcdb7ca2daf1de8518f3b10bc7599ee8c9 |
memory/4052-553-0x0000000000B10000-0x0000000000FF0000-memory.dmp
memory/3164-558-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3572-573-0x00000000020E0000-0x0000000002169000-memory.dmp
memory/3164-561-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3164-575-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4512-584-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-593-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4420-591-0x0000000000C10000-0x0000000001018000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe
| MD5 | df35f19c7d7e1539ca17e4d839b20a04 |
| SHA1 | 7dab9f9d3ff0c6f4ee4d7f33ab81ac7118afe193 |
| SHA256 | f50c34273870841df335fa73d1cd9c2acb9de70e4ed77dabfcc9eb98dcff9b54 |
| SHA512 | 90e210ce12d846c42fa724ad1be934362134b5449dbe6bad49e380087bd2496fe973c4e63731ef291cc854685cd7129e980676816e4298ef617ee56896b5c00b |
memory/4512-596-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-600-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/3164-599-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3164-604-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4512-605-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-621-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-624-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-629-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/3164-628-0x0000000140000000-0x0000000140848000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | dbceafeaec3dd9e1b63100a9dd193016 |
| SHA1 | bf2e9ec8870cccf0693c926c0ea32748ffd1d27a |
| SHA256 | 40a9fe49466290a4bcbceecb05bcc5945715c517d036bbaeb4dd29c906bb2fe8 |
| SHA512 | 1232f517017a6922cac7efe3d4ca9b79f2a9a728d06b5fb1cec0efb510f9fa6ddb80cb93bf1f24a065ecac0176c9cde4f630fc823ac003ee6392ab1f8294852d |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | 2ca27383e19fb2b6b589932aeafbce31 |
| SHA1 | 16a6713b6492cab3d36ca103345349d9eecc04eb |
| SHA256 | 5f3e14a1b71a82ee8cf8f73555d23b22df4e5c78206ae72b08c70aa3d54d1e9c |
| SHA512 | d3cfe1f8d05ef6799d4eaa6568f25f580d7b5f91ac35263b090dc3db4a1033d23a130a965a8d5d6d602ec3867930eac171f7574bc500861a595160396d30d939 |
C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe
| MD5 | 945a7bffb741fbdce3650b47e27bf9a8 |
| SHA1 | 4919ab6c979e28a9ac954836fdeaab5279c66338 |
| SHA256 | 2f7552b276fe4a4aba557a21ae3f86f21bfe41d6912bcde303ba3959d63831eb |
| SHA512 | 12da58bf427f919cee410e335824e1db421acd8156c10fa78be17aded4ac48b73816416f55f6fc4b14287c17f270573ba753cefee3039c9550fdc3339976d649 |
C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe
| MD5 | b897adebb560f4ab654a1c8aa7ba7030 |
| SHA1 | e7da3bba5dffa1e0964ca9c66b75869aac7ca298 |
| SHA256 | 7cb78f472c9c8c09428cdb574bbc93ac6ede90ac252433f4e4ff9e10c44280e2 |
| SHA512 | 48034558433dd13d5fde00f9e3c53a49026901ea406698baabba18c4e0deebdbe9941bd09900b8be11a51ab9a7cc59feace68de711f2adecf2cce9b6f3d7658d |
memory/3164-610-0x0000000000AD0000-0x0000000000AF0000-memory.dmp
memory/4344-602-0x00007FF69DCB0000-0x00007FF69E6ED000-memory.dmp
memory/3164-594-0x0000000140000000-0x0000000140848000-memory.dmp
memory/3164-583-0x0000000140000000-0x0000000140848000-memory.dmp
memory/4512-576-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-562-0x00000000050E0000-0x0000000005285000-memory.dmp
memory/4512-560-0x00000000050E0000-0x0000000005285000-memory.dmp
C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe
| MD5 | 5dec9f02f7067194f9928e37ed05c8f6 |
| SHA1 | 06f13ca068514d08f0595ded4ef140078888235a |
| SHA256 | dfecb99cc255e99b5df34a042f0585c0e8458a4e0075e7d513d2c0b492c41806 |
| SHA512 | 98f980ab103c54c4b1b344b738bcaccd10a35923749a730dd3386355897156d382f01715d07a056ff7451e876898a76268328f92d1e8203b254bb7a082f18e7c |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 5ea776e43112b097b024104d6319b6dc |
| SHA1 | abd48a2ec2163a85fc71be96914b73f3abef994c |
| SHA256 | cf650d13eea100a691f7f8f64674189a9c13d7948e31468963e10a23726dc341 |
| SHA512 | 83667045b7da8596fad90320880d8d7c83f71a1f043d73f7b68a0ad948ae2e530a753d5c7943a096a307e696f8d9fa433025b30078af6d4530d1a2f2a4b12ed2 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 3058f10b2fe431d9f8a487a35cd89ba3 |
| SHA1 | adf31cfada940e96a02305177bea754d4ee41861 |
| SHA256 | 73e5d1b5c0d2134f08a76a09b913efa9076bd492e509cd0346794db436c54d30 |
| SHA512 | 4f59602a4f557a9947d15a1ed13d8e1b09d0ba3660130fa7e029219b21062a3dba55f7da6db0efa9f2f5ac5053dda51ed4e183ae171789374e239c4d7609eae5 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxhhvbl1.cu0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\1000003001\toolspub1.exe
| MD5 | 3459e4e3b8c2023cb721b547fda205f6 |
| SHA1 | c4cc7eb4d2e016b762e685a87b16144fda258f9c |
| SHA256 | 9e5c6920cc755310726ff3ba27373a487206238dd24667a58c0c67219db79cbd |
| SHA512 | eba48ac97ca9d2ca6626cd7fbcdb17f5a7173e03f6d8164c9b0c91902741e38043800d8815e0385ee3e57690fcc5a77d71f2c811b859e3e5d8a886b96a0070bc |
C:\Users\Admin\AppData\Local\Temp\1000004001\rty25.exe
| MD5 | 5fd7aff48d27771ca0aec6776afefb93 |
| SHA1 | 5d57e1e85a836b736d3b3c2056d500d1d2b92dd2 |
| SHA256 | a9498e18f267a568b57d3a281d14118c70ffd1aae42411ee9a7661092beee97b |
| SHA512 | aea36265cf13aa252ee06086b22002165401fed256d1bdfd26aee61f4b26e7c29b430237a6941a5a09f923b246cf84cf75b110aad9f01c694e992c6b076bc293 |
C:\ProgramData\JEGHCBAFBFHIIECBKFCGIEBFBK
| MD5 | c9ff7748d8fcef4cf84a5501e996a641 |
| SHA1 | 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9 |
| SHA256 | 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988 |
| SHA512 | d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\fi.exe
| MD5 | 0d9ff02c10ae0f3155c124505a426c2f |
| SHA1 | bcf9d785386a0569a6f048b23210545bddf5fcde |
| SHA256 | 063e57b671067b9479726cfd31588430d3764f16ad15bf04e859c336df3d5fdf |
| SHA512 | 0b75825f2ff6c6938b57e356630e846680a7c9902094691d18588ddb432f18e601c7f6d208b92976565b216d7d004a11d32c7ac0c3355dfe1cd14ff7d3d80ec5 |