Malware Analysis Report

2025-01-22 10:25

Sample ID 240130-xa39pacaej
Target b5ee067743155c953eb9b6426ede5062.exe
SHA256 f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4
Tags
amadey glupteba redline risepro smokeloader stealc xmrig zgrat 2024 @pixelscloud livetraffic pub1 backdoor dropper evasion infostealer loader miner persistence rat stealer trojan upx @rlreborn cloud tg: @fatherofcarders)
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f0f556c5c015b66dae84e587e1c2735c532d4b1702e694838f7a66557be58ac4

Threat Level: Known bad

The file b5ee067743155c953eb9b6426ede5062.exe was found to be: Known bad.

Malicious Activity Summary

SmokeLoader

Stealc

RedLine

ZGRat

xmrig

Glupteba payload

Glupteba

RedLine payload

RisePro

Detect ZGRat V1

Amadey

XMRig Miner payload

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

UPX packed file

Executes dropped EXE

.NET Reactor protector

Loads dropped DLL

Adds Run key to start application

Looks up external IP address via web service

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-30 18:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-30 18:39

Reported

2024-01-30 18:42

Platform

win7-20231215-en

Max time kernel

7s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1603059206-2004189698-4139800220-1000\Software\Microsoft\Windows\CurrentVersion\Run\plata.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000674001\\plata.exe" C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2740 set thread context of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 2348 N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe
PID 2348 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Windows\SysWOW64\schtasks.exe
PID 2348 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe
PID 2348 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe
PID 2740 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2348 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 96

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240130184023.log C:\Windows\Logs\CBS\CbsPersist_20240130184023.cab

C:\Users\Admin\AppData\Local\Temp\nso9926.tmp

C:\Users\Admin\AppData\Local\Temp\nso9926.tmp

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2692 -s 596

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1980 -s 608

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\taskeng.exe

taskeng.exe {5F051BF1-A74E-42A2-B617-96D9D4C425E7} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

Network


Files


MD5 00537aac50406d655f3b015a5e13fc63
SHA1 9c521bb9b66a65cb2d3b59f8fb46146d0b9b9b14
SHA256 d47655bd7e5b4ec04ab1731447fa63b7d05807cf5585a9fef51ca5d3d436406c
SHA512 db15a12b6a5b0bc35dfa37b1187469aa4e36ebedcf3e3d0051897e68029250f874b41ba39cdda6ac40ddfd232cb890d382f1e8b1a246522ad5bce60ad7edb929

\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

MD5 827ef01fc83a38b249490401ff10d43d
SHA1 1bf4a00e7a2971c12efed76be90980160e57c75a
SHA256 389e920689a83ebe208e342cd87c3eee4b6cafdab307cdd58ddab5a35b4acb21
SHA512 4f024951b6c3b4f3e20cea587a9f85a7d5b81bb7db35650f0828a97e693265a2ab9f3745497e581891c79d9ec39ad70f5dc46b63d7c960a2f4883abd5d6a4df6

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 57d6744bceeab4384a7b56e2ddb2f93f
SHA1 f6fbcec1aee8d350840e6ced629967d8f00fc064
SHA256 51119eaec9712c8628815b5848188d4fb0fb7c608341b446ee8d9ac95379e5b1
SHA512 ed1dbedb9bf0d71be075ee3563f246ee9b73febb936f1fd908a406f71520402b891f459469f81bbb9441b8c7396348a94d003dada7c07b72e8e1b0533831ae7f

\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 5686461c8c3d7168f1df7fe3f56a008a
SHA1 abd1ae49c7ee4a09cabbef4e96c609ce737657e3
SHA256 afb9924c376a0bf1e8d71042292de4adf1ca003b0fe9e165a4e259a01613b250
SHA512 880d285b2847672eb4e58a704c53dbaa0637f07cb60c158ea072657ab8a812c434abdf9f9226c2da46a0baaf093f2dae5d9e8aeb45bac18c9017bf5b81ac38e7

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 93e02cbcb2908b86d8cd10f089ac8052
SHA1 5c1de70cb91330c536ab199451e5669da74b07c7
SHA256 bbc188a9e1cf647f368a52bc6e4c1f43fce5e2129cd344078d6e1d5fc328983d
SHA512 55ae9a425995ab123f6129bcbdc1446bdabcc712723f5e155061812cef6a8e9f9993f4c3597070839d4c4b050f6be0a26ef7b69a2773fbdf85cf2ad722758c6f

memory/1408-276-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2196-277-0x0000000004D00000-0x0000000004D40000-memory.dmp

memory/2196-270-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/1408-275-0x0000000000AB0000-0x0000000001204000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 5321949474730b0f50cf7c4f7c66cdb8
SHA1 d2c02a3054e673647f53b269f69b98d4efcae355
SHA256 c4e4bbf69d6025ff6936b869242123a66c3ffa049d1237f12bc4a467545492bb
SHA512 dcc3a3d0b172d5f2aa101a54e5a3114c6ef9ebb8d31c4ce11d0cd52ee48f506961919ac8f9636fad386cd5a33cdb818a07fd7bf6179558f6487cf7c161705bd0

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 a1470335c14e84fd1f158878a5776ae1
SHA1 98ff4297b83233ce26c0a116abe76312af645398
SHA256 8da2cb8ea28028e84ead59e8d7e4f97325351ddab33df6704d3cf8894d5ce7a5
SHA512 cb43793944d547f6d91a546619848f02605e42ed6160954fa89e5297b0d252a1ddf3747d5fd96912fabcad6ec90901a15da5e755838916fe80396742c79008ec

\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 119b1f6c2ffcb088d13abc44caf9e09d
SHA1 184574e198cca0b56665841375e66cdb040662ee
SHA256 3c1d24a3baa03dc2b3c42fcd68d76d8a210d0a8f274d2bc53105d1474eb1cd77
SHA512 c5c703ec8b4c75043d7d3d5eb896c3a6203283c5c75d70881fc48c28daad74ad48563adf5af370654151c1c0bbbac164db2fed538822de9d8ff6046337c5bda2

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

MD5 0499835a45a160cae9764bc0f6945648
SHA1 b0c65573861e3692b7f50b8f280ecd9840a6a35c
SHA256 e567b3b5677805b1127e19c2d39a21031dc6de50989863980fe5fefbbfd36834
SHA512 cae6aa094df25a640be2ac1826ce96343040a705f28871b79b4771c764a009751c1b742bd4d532ebeef929e3e1782ea514c605eae1b5b647c2b7ce4c62bbca79

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 f2268c03c62aba860f340ee379fb701b
SHA1 0d7629dc4ef639e2e5cc482a7498e44cc13963bd
SHA256 8c2645d0e700a61d720990bc5eb4de11a901f1b44116b4575fb255eaff656934
SHA512 b95c874be074f5668fe570ff3089bd3103e2a9114e42e7864088e3f526a3933e17133328810d8fc20c8204b66aab8882d1e5d7fbc576bf45000b798d48e4eb0d

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 84c97ed0ff7ade5f650409015378100b
SHA1 860beb7b2ba9b3b9d50c12c925a1158faa45c7f3
SHA256 a888c0f8dec10a04287454b0b9fa3434c5e21ffb8c8ee13fec42901bf0388bd7
SHA512 9fd20eed5b9782ab9b1ff8a1146e906d2b55ce8faa2a0d65d5e3ca858478b24c9688cb71e8b769205e1aaf21b31939ba800bc065c6ce2588304e67f26c49b266

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 60eec05ff0a27c5a3eec85363aa08abd
SHA1 c8f259ebea3484dbbf912f74201f1c7d85cd8c20
SHA256 0e8592908c6ab02a32f16ea44ab4596e44b5d855f6dd3d733c7ec795195d0c6a
SHA512 3ae5770ef95849e5c2b3428d90e4b24d19f824a5fd09b4e4540cf12bdf2b089ccb43a14d9e15f8cc08136f827ce151690791a7229999ec5203cf1c6d611f4dc7

\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 511de61b61a96cf35481ab655e0cf2b6
SHA1 26e2c4a3f5745e177064c77c53745b29a5e232a1
SHA256 41e0d7497557ac3096314378e65f385d4311ab454778cca867016a45e9f2b116
SHA512 a96451fad8dc36b7b4cd75d41905e50190ebae6b515898cbff4d8d21648a13ece4608dc56814cc441aa682e9adb22d0c9688dc5dd20c53c5fd4f0fe14e132793

memory/1920-306-0x00000000005A0000-0x00000000005AE000-memory.dmp

memory/1920-310-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1704-308-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2500-311-0x0000000000EE0000-0x00000000012D8000-memory.dmp

memory/1408-325-0x0000000073FE0000-0x00000000746CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 ef1a808dd52f6a60f3decad399efc547
SHA1 63a81c82975b871239bdc61fc1c22fb705f263f2
SHA256 771a763f010cbe0f5e8091541e5942bb4ec4a685b25fc125fc7deb7fef1e0ca6
SHA512 233a0c76cc0c2dd7cc7ead4773539a2043f7a57e9c108e80542d13c9ee5abbe2f57ce0bd429b73336672ab76e45804eeafea4f1f3d04d0ab46615cba9d4c5f24

\Users\Admin\AppData\Local\Temp\nsy934B.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 0910e7dd57cde15011c56d4a55860a0b
SHA1 cd218c08f6686cb88cb7fe96568b29343f5615b6
SHA256 e69ca345a131329ee846d4ff743ce6a0f3bb55ad8553c5133b71899be6a34274
SHA512 2fb178b91730aa1ddebced8cb86a3e0e299c4bd0323086cf7d508847eff117fea78ecdeec7d348863924a9722622fa7043ce889a964903af603011fa13c49fda

\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 70ee14330e42b8e6a6fe54ad0596e256
SHA1 6c906de16adab274d83c726ae34341e4c93346b8
SHA256 b477c703a50ebe860cacd043193a0d4240fcc5eb64ad153ff40e9da3402f43a8
SHA512 0baaae800df8fd53585c34c88473a068391c9830f0849fc36cd6c69252ffd66ce1130fda1d4f6ab328347f1973e5680dc2445e03fca0cbf45e188c783b5ef5e6

\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 31201661705a0c56f6729c6e6d35e606
SHA1 e38f271969466be95da5426aa8623a92788280b6
SHA256 5ae4f2c36e99b04682836acf3a5255e0d1429bb36c1483c73b8e35515c5fde8d
SHA512 f42d7508e1ff2edf28e6f4904ee8797921eadcef063f08db2d21442a5cdb9283cbf1d1223cacb4e0ecfd91daf6893d1bc6a1e85b1a0be0f0678cc6c28869f8a5

\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 0886410353ffe00b67cc93a071d6ba1e
SHA1 73f26504a37e70a4b9a5e9deae8d8d94113b7e60
SHA256 9ae5ec8c0a645e6c8e6d60db2e3f41763f3eafae5c5f90942451d710d304d62e
SHA512 8c8113398fa6201386372b00954888e3fe3fe74072957a9f5ae55dd6d22e8bd0dffc285d4b1ba8ef4b4d7a611bfee611781b6573ede8f4a1ee8c0dbf27f7fdd4

memory/580-324-0x0000000000070000-0x0000000000078000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 f0caf022fa26e664a7f1d44f463a1ea3
SHA1 a17c8b58424e5a4ce716a6736a2433bd78bb15f5
SHA256 a6a15d889362cf32d064a9e5935eef901681918270169378c49030ec453f403c
SHA512 3999ee0e4384ef77fef5db5d893383f4327e8ebf37f23927923d6fa15bc5fbd8306638f4fa2451676b1df8622e7e3af93981a1e1ec517b253113c7d089aab757

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 6f76fef3619ab1d60f5e4fe9acda36e8
SHA1 35f6f80cd8566f650643f494e010018c7406dc41
SHA256 55d8619f46a7320afe1592a4a0addf11d0a95a379bdaf4359449b82b4fd71af6
SHA512 df02d1d284270f21e6e321799bfa719688380cc160ff13cc04ff301531fbbc7b921ecdae00a9f26a101e2799f3cafef9686f1e3ebfd2ca5a0563c6d045c38b05

\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 210c9aba098b30423e672f80328a0dfb
SHA1 101c81c71b152fbabc1b3bb4b264da32789974ea
SHA256 7091eadfe09a8f38b680b9c173f1b0c1d4cc8acfe935596e05d20ad95d21d6ba
SHA512 e167956a8b8ec67301ec2c8dcd944229fccf5d3416a41cce5540790e9e6ef86f32e516bd3116581ae6cec882bc5093748b8a6882361c1eee7755e40c5865c589

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

MD5 0041e7a4da795957ae393a9a1da2ed97
SHA1 7933d04c9258a02a2ab08798ee8a10446486fb71
SHA256 884e7fed36cbe58a1262213768ab50840c97a36c5128d656bf06fcad4adaabd2
SHA512 3911f0473e1aa93146fabbf205aa31224309028e71566512c77d64de88608d7023c51ab1081555a0a9e0d43417e9fdb465917cf3e2d754461e26e33f0efb9910

memory/1920-305-0x0000000000400000-0x000000000045C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 94bdcdc1b6e547deed4596eff52de082
SHA1 5c07320a53a2b444cbcbb16292689bf544e4ddce
SHA256 dbda57ae47fb5c3189fbd3676515556b6254101c5957e481a288f81aeb6f6381
SHA512 12ec33aa185077d8c6ecec4e2ee20b8892cf3bc947eb0c0c3c7be560317470e9b1dbcf3092296efb3287fa9fdb7f662f59624c33b001e38c2a216f4f629d3288

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 e01ad4c603d39ee85bc763d0fc5dfe58
SHA1 1ae60a0e1ee3788961df4f2831ce9dcdc8155a1a
SHA256 d359b40342dcf99b14728581a48243b86848bacd986792eca1fabf704af28f72
SHA512 4723367fbe5b9e59deacb43e0cb4184713dea0d8eb4d59c9c1f4c603b89e2019fc1fafbf544f17407c4ddfa84bf4af9dc957a677eaa1131d5476de8e5bbc511e

C:\Users\Admin\AppData\Local\Temp\Cab9964.tmp

MD5 ccac426d55ddf0472ee090b35a032f95
SHA1 11d77d0fe57007c11f1563ee56a5af8972427c33
SHA256 9c0dc2ac6c4f87e7b116149c117e63eb86ddf4b2409d8c594736fca34cb3389b
SHA512 fa2ea38745d811ea94f1670938f59825bd428fd0ab582b5f0f84e34c8666629925084d3b98dc99293b5187ba0550116d3ae5e7f46b1c30466710cabf057b68ea

memory/1656-390-0x0000000001010000-0x0000000001062000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar99F4.tmp

MD5 3d43c22daee74b22d5860d67033df3af
SHA1 fa9e562e21c8ba8db31f087ef35e23f23963d4e5
SHA256 425678b2ce13e821c8a913f22d575db4696b5944bfa32df42e313327dbe4c679
SHA512 7bc6897b8801b8dabef815832bbdc7f176b1b55b734ef0e35bf743ba474bdec20b59800c51dc5946ae036ba339cf0a5a6c8ef3f15991d498b2fe0a6991c70e71

\Users\Admin\AppData\Local\Temp\nso9926.tmp

MD5 5229f453849fbaf1f4fb22a557833ee9
SHA1 e3c6d8c0a48c21d070b31c0375e17ac73add0e85
SHA256 99d9dd4054d62efb3c4aca4d1a457adb576403c053dcbc66e2b6ed269c6cd77c
SHA512 486a0a00173fdd9332d49a39277f2a6ef504087618134a44eb98b8764bd1fe3d0b20ab6b995512b4cecfd44195fba7605f99a306f5efeef91aa975988884ae48

C:\Users\Admin\AppData\Local\Temp\nso9926.tmp

MD5 3c5805c818e850a3e9a427a0c217f1a3
SHA1 e13398df13146605caea431731ad36d834cfe25e
SHA256 95a9df281da22dc93a51ef9adf9d6a83783e6fb402a3a0892519ceb3e2abefad
SHA512 41c0ad1ffc0646740277af2b4a9f0d0600bf27a9939c8c7661b1016b6879d7aff28bbeffea0eb84dcc4b09ebd09ebcf7fae13025a503fad69a4c71c1fccf67db

C:\Users\Admin\AppData\Local\Temp\nso9926.tmp

MD5 69ccfb535cfa2b3d0fb557c7fe723460
SHA1 3b5f39d0d2f5c2ec3608fdf92cf62debea22b353
SHA256 6cbbeeec9edcc60aacefe3d37be88dc610955bf5ae8dd93fff99d2b18c799dbc
SHA512 9708e0d9e48569aec0bf14803bbcc8a923e73a646e214128d658916862b50c761065cbdbc41ebc7e0c4e97cde1ae67ba77486d5fdc8c52a2903283152f263af6

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

MD5 2c470494b6dc68b2346e42542d80a0fd
SHA1 87ce1483571bf04d67be4c8cb12fb7dfef4ba299
SHA256 1ca8f444f95c2cd9817ce6ab789513e55629c0e0ac0d2b7b552d402517e7cfe9
SHA512 c07332228810928b01aba94119e0f93339c08e55ad656d2eaff5c7647e42bbf5ab529232163fb1bbd14af3331a49d0fb537cfb5eb83565f674155e53d4ae41b5

memory/2348-428-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 85af6c99d918757171d2d280e5ac61ef
SHA1 ba1426d0ecf89825f690adad0a9f3c8c528ed48e
SHA256 150fb1285c252e2b79dea84efb28722cc22d370328ceb46fb9553de1479e001e
SHA512 12c061d8ff87cdd3b1f26b84748396e4f56fc1429152e418988e042bc5362df96a2f2c17bcf826d17a8bae9045ee3ba0c063fb565d75c604e47009ff442e8c8e

memory/1656-430-0x0000000000F40000-0x0000000000F80000-memory.dmp

memory/1644-440-0x00000000FFF00000-0x00000000FFFB7000-memory.dmp

memory/2500-449-0x0000000000EE0000-0x00000000012D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

MD5 f53bdb413917fad0f96979906603832c
SHA1 972256a53dcc65e3ddca2070ed0d9d3ab8018281
SHA256 b5a04d8e00046b1b8e007be6bbf2b01e5ca4d4af887c087ad7f3867b52249ef8
SHA512 5d0eb03f84bda1e52b7f5a4793c69bd4af8178487ab9e8de40517a39063ad9230c871626ecdcba74c393da549f03f72d14772e26e6febf789246ea46c666f81b

memory/2500-451-0x0000000002A00000-0x00000000032EB000-memory.dmp

memory/2500-453-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2480-454-0x0000000000240000-0x0000000000241000-memory.dmp

memory/1656-455-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/580-427-0x000007FEF57C0000-0x000007FEF61AC000-memory.dmp

memory/2560-486-0x00000000001E0000-0x00000000006C0000-memory.dmp

memory/2692-485-0x00000000047A0000-0x0000000004838000-memory.dmp

memory/2692-487-0x00000000021A0000-0x0000000002238000-memory.dmp

memory/2692-488-0x0000000073FE0000-0x00000000746CE000-memory.dmp

memory/2692-489-0x0000000002160000-0x00000000021A0000-memory.dmp

memory/2692-491-0x0000000002160000-0x00000000021A0000-memory.dmp

memory/2692-496-0x0000000002160000-0x00000000021A0000-memory.dmp

memory/2692-497-0x0000000002160000-0x00000000021A0000-memory.dmp

memory/2692-498-0x00000000023D0000-0x00000000043D0000-memory.dmp

memory/2080-520-0x0000000000220000-0x000000000023C000-memory.dmp

memory/2080-519-0x0000000002BA0000-0x0000000002CA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 53993d08d637b05ed7173b886ed102e7
SHA1 5d75f14587829c42bca8c541fc49bc5b8433326e
SHA256 b451e5703dcf4175560ff4272ffcca23b28d385b528b601082844a43deaa4403
SHA512 a0cce8f0eb9992aff79e33475b43f2795565736dfe0d292a8e9a19486a95d54098427c4f0c4475ef12d3d93e5e7f7a717b1f288f073eb0a9bb4c61ddacbd3733

memory/2948-526-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-527-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-528-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-529-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-534-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-535-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2948-549-0x0000000000060000-0x0000000000080000-memory.dmp

memory/2480-547-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/2948-546-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 9c0445bdfa67e6c68287f9226054f381
SHA1 d6db1626e8db10c12de551401af28cc0d16ed653
SHA256 498e0725c2907b9297b7e6d01eb500ad79db9dc5aa9b0cee085e16f16e8f7535
SHA512 6a9144216f68f6e6809997afb4bebeeb27045aa6906ffee17143eb57a4e14b1ed747b06e1b82bd2f5981bc55bbd2b776163010664b947ee5c6093992ae2396b4

memory/2500-536-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2348-559-0x0000000000BF0000-0x0000000000FF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 e192ed56e9f5156b30ac5b5764f1eea1
SHA1 cecffa0e69c8dea9d5044d4e22d416ccaf8b29e5
SHA256 be82f5ae74b72c8e3c46ae70180f6ef917983ef9e009bcbf0453757b1d0735d3
SHA512 a5b5d560dc39b30fa1b09ce188ee5d9e0894c16c4d4b1cdb57acddd54a60ce0ad5d8d2b1638f15ce38df3168e423aa20ac22898669372d00ccadd92e28880c2b

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

MD5 132161cb4f110c95fcebd61cbc3b243f
SHA1 d7225b4e9e5696a5a32f1d4eec71f955385db04a
SHA256 eeebf30c17ffbbff2b54c08d6d4bee5da9282f78d6852a67750007a775db1520
SHA512 4b7117fb4c0b19db115846836dd8b8090c38273beb4ea24e47b481886785bc66ede6b9c9d08a9a1e4f9c2398b7a5e0ac0d5cb1c44849c08bc504b4a7a3baca20

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

MD5 af1e54caf5bc7e3431391a940449d08f
SHA1 5d2ab0c1701d7b1dc76fc5a6e26df635eb24874f
SHA256 9b14e81f3730400946bf3de6e85ad2d72f3b22508680bf2b29a44e78ec1e1fed
SHA512 4dd45c47714ba4e6d05da11053a2cc88cc938578c779ed51c2f90a6e368895a46f95fab3b45d77b7849ecacf9815cfc4f702cc2e570fa3a549340d9d275f299a

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

MD5 f02b44bab4b594ba094252dff8203262
SHA1 91a33e64a3a465355e61e265f70ab8fb7a6ccc2c
SHA256 14c200d21a180b9b4a2fed10e45efc6adad9996946e1316823b7f78d8ff7e0d9
SHA512 8ef65bca8df72b44e1c3b20ce9f1e7ad895ef93ef57ad0c9819b75627604d39a2d5424764d10ef83522072fde6025b93e871ee879abeb5ea60de6e582d692267

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 1afff8d5352aecef2ecd47ffa02d7f7d
SHA1 8b115b84efdb3a1b87f750d35822b2609e665bef
SHA256 c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1
SHA512 e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 29cfe5623e1d51b307cfa6000312ba89
SHA1 f2461b2a21a28b7eff1857d4593b9897e0563e99
SHA256 570a5ae68b3732bf0111c8e4ef34d235e93c5a15fb63cca2a87793f386f97b44
SHA512 9e9f591d56dc70bd70f7961ec53c67e47837d321b9a038ca7d69baf5875d266a8e3bd691d95fd7db41ec1a10ed0586042de82d9740c7e465ecb3eeb1f4df3ce8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-30 18:39

Reported

2024-01-30 18:42

Platform

win10v2004-20231215-en

Max time kernel

3s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

Stealc

stealer stealc

ZGRat

rat zgrat

xmrig

miner xmrig

XMRig Miner payload

miner

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe

"C:\Users\Admin\AppData\Local\Temp\b5ee067743155c953eb9b6426ede5062.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe

"C:\Users\Admin\AppData\Local\Temp\1000674001\plata.exe"

C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000751001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe

"C:\Users\Admin\AppData\Local\Temp\1000752001\1233213123213.exe"

C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe

"C:\Users\Admin\AppData\Local\Temp\1000755001\1234pixxxx.exe"

C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe

"C:\Users\Admin\AppData\Local\Temp\1000758001\fsdfsfsfs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe

"C:\Users\Admin\AppData\Local\Temp\1000759001\sadsadsadsa.exe"

C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000761001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000762001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe

"C:\Users\Admin\AppData\Local\Temp\1000763001\55555.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000765001\workforroc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1052 -ip 1052

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1064

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3452 -ip 3452

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3452 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1052 -ip 1052

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1052 -s 1064

C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000770001\redline1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 376

C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000772001\2024.exe"

C:\Users\Admin\AppData\Local\Temp\nstD013.tmp

C:\Users\Admin\AppData\Local\Temp\nstD013.tmp

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2496 -ip 2496

C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000773001\mrk1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 752

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2496 -ip 2496

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4540 -ip 4540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4540 -s 808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 624

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 880

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

"C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

"C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

"C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe"

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2496 -ip 2496

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 892

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 776

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

"C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 884

C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe

C:\Users\Admin\AppData\Local\Temp\a0b3b7d4a5\Dctooux.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2496 -ip 2496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 844

C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2496 -ip 2496

C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\1000002001\InstallSetup9.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 940

Network


Files


memory/1812-508-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-510-0x0000000000660000-0x0000000000680000-memory.dmp

memory/1812-511-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-512-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-513-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-509-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-517-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3376-519-0x0000000000960000-0x0000000000D68000-memory.dmp

memory/1812-514-0x0000000140000000-0x0000000140848000-memory.dmp

memory/1812-505-0x0000000140000000-0x0000000140848000-memory.dmp

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 15184ce8bf9de0eb51928d48b3ae9235
SHA1 c52845669aff82cf12626f2132684a1f3ff8521c
SHA256 82548e60b0327da4ff5698609924724df05267e8d3bccbf760f164f4f490a83c
SHA512 8f86a8e89c5956521e3c4275196105a23a27b627771ac807eaf9f56490ae1e526fb37f0a32f371df139997355651e7008c3038a216a0291baad03ef16832310d

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 2a9bf78c62dbbd1edd1bbf8b9b872e99
SHA1 201ce2eff5ca8f72c29dc9f30db1a457bb43ba0d
SHA256 e7b93e493b703c28c727fbea0ac9fdfb4a2106f9fa592bdaa7336f45bb9f8115
SHA512 dbf50335793a0ee09b817cff40d3aaa030b43fbf11298abf0313e7e9d55b352e422958dcf8199e080856e06f390e6bdc1492f522ecf4fce453a70e5b8e63ac32

memory/1812-540-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3580-545-0x00000000002E0000-0x00000000007C0000-memory.dmp

memory/4788-546-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/1812-542-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 70fd1cf7fc9a04c64d219f19df044069
SHA1 7f3254ac6d0bfbea75cb2a7ce0f8f1cd4dacc16a
SHA256 88a7d9fe2ff58ba58193779c8c7b6e1b2ea57844b398742622b25977902fa503
SHA512 d9e599f37af6e260d944c6c78b123432497d3505f7d3f5838ace0c54bf383c87c676b94dd12133c93093d96d47c911d945b4a7fc8a3539a22c16570fdc2b4450

C:\Users\Admin\AppData\Local\Temp\1000774001\moto.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2496-547-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/996-550-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 3e95957777f0d85478d62e9a2d5cc7e1
SHA1 33d9d0ff5e361f7f74974c1550464310773bdec3
SHA256 f9fcb65f6a74fdad2b2bb7047f5809c2e0a470627ce856bff7d77f068eae7a42
SHA512 4976fab293756af215bee3aacca9993343c32b5d64895ec465743947aa311914e6834b9412e6e71316a1999050623bfe4fc46baa5e99229f539c1c201499a43a

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 77fd012ff957df1c59372ff20f1eac34
SHA1 f809ca3edf1586c07b15c53ca4fbcadd539feeef
SHA256 ac2133e0c3640c6fa4f245392ed32259ef22ca66401b67dfb861e922cd757061
SHA512 a1dbebcf3ea7d044eaaef281d5c1fb60b059832e4d5a11e5cdaa768762575f8835bb7d4680d365ef5ff8aab4d4b52d3aaa922d31a74cdcf2d273fc8cba9592d3

C:\Users\Admin\AppData\Local\Temp\1000775001\alex.exe

MD5 e2047a44e8084f33a036d440784c064f
SHA1 08ed774705a515e109477f7dc5b34c9ff5df676d
SHA256 4e93e79338d94f0fbc56f542d2423ea7cdb0ea93acde0dc6a5e6659344c26564
SHA512 4a40c061e91676edb55330a39a61c5f8a4938e0ad84cbc031c7063430952f4c3b1ac3815dc63eadea1ced8594c371742bf157ef1da80c0e72ff12d42689a7c7b

memory/996-566-0x0000000000400000-0x0000000002B06000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 2463558e6874659f7cbb715c49fcc0f5
SHA1 a3dfcb083013a1a5cb690279a2c7de481bb8906b
SHA256 4a0ab90d2200ef9ee3bc4b3080e6f1989868eff375d9846cfbe21e24410aa902
SHA512 847ef3be9dbf151dfc92dbe48df9891efd4c2133100cda0264f07ea8369a212da8f730183b64b80c70e70e3352290307edff55117dbe665f0d07de76b57e4eab

memory/3376-608-0x0000000000960000-0x0000000000D68000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 2e347eb6b152acea2a6194cf6a780408
SHA1 50c9d7843d3ab6210f2bac48b7e8dab8c7369360
SHA256 66cd318c99f071445232465b28f33bbc7149b12256cca916f52d8fb6146c249f
SHA512 00a17396defc868f04d0500ab54462aa70d77b43a9126c1cfec368e1f2c2af470ea36d576a9e900baafc204653d6f8e20a4ef405340baf42fd3787cc88f2f12f

memory/2368-615-0x0000000004FE0000-0x0000000005185000-memory.dmp

memory/2368-612-0x0000000004FE0000-0x0000000005185000-memory.dmp

memory/2496-614-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

MD5 6a6b59367972b954c50d23dc4b010317
SHA1 8a75480021457d96ec3279cc3a35eee2135ae230
SHA256 a11e961022db0b9c1daadfbe15d35af7a2c38bcb426bd73e9bb4ebe6e1cc241e
SHA512 148bacbd2d502987bc109d9fea10a349602e8b32ae864de30ac6eb2d45e672a0b67794c33b07f35b602d17871fb66ab11bf9a380763cf9d422204179955997a8

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

MD5 504d3418d39b1bc605c83f6704b57588
SHA1 35537c4f7b3db797448b97b8d205c7b9ad714ade
SHA256 ea0beca5adbfaaab242d59e482e369a55dbb1ba3f30f19b7737aa5114fe584c3
SHA512 b365d4f8e7dda989512828401d26e8734443d6ff5bb5bc56ca7bdc71b0cbe1bb59df84419f3b089d0d5a99608ac855646ac1380f658f33035f96bba8d3d79fc0

C:\Users\Admin\AppData\Local\Temp\1000777001\rockrunn.exe

MD5 7fde9ea27a1fa4502e91580d28984f6f
SHA1 23d2365b9ab1521c5b8b06630aa54815808fb82e
SHA256 a6675cfa71bb513444984baafb3dae7384f1d75c49f87da5122c46ef72efe39e
SHA512 ed278a590449890d804c05c572a68bdbb92fc53b2d4a37f13e7fa3a01e9a5a4ab0312d370ebf1e466a25b25c98160a9d6f3955e34225e21362b3414490306b49

C:\Users\Admin\AppData\Local\Temp\1000776001\goldprimesupp.exe

MD5 6bd6667e4fd1e6df4f5490ca99576a2d
SHA1 931414a40d5b2b3e8643a4e702e8dd730932bb79
SHA256 02b613f5a91473a9a63711b9dd8bf6a1c6ce08df848b2e83239831c38f0c08c3
SHA512 eb584bec48ecd53dbd1e42d4879f8ced12c4c65286b3d03dea9a076d02666e69de14270e8b7ab91096f403e6bbd33741b64c7931d7709ecb045a7e07c55e3237

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

MD5 cc633c2e68c639d47a7651d02cd8aed3
SHA1 252128a87efb53e2de19159d58e5a0a16b3fd9a2
SHA256 5e49eb98ab0dc61504d4bf721d01ad77d6d2ee74ceae4e038943b511e35fba0e
SHA512 637a2ed661dfd3fde9770f7f18fd632613252bab6ff4805033c517de5af2a04b008e23eec513d0cdc9cc8b7e749c1e0726b47aca55463e417df0f752fd4873b9

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

MD5 ea45a22ed60cf409ecda74c07b16e7a2
SHA1 0affd7edb7b1d41a4b575f638602332cf1df0070
SHA256 d82df5169ee582452cbb29a7195be3e8793074cf05ab5f60cedb166f4747ab57
SHA512 bbf22870ec79c80c4ab2c1686bc958008ffc463ab6b08f91bd8665da5ccf30cdc0e0c071d364ed7fe65d6b4dc47ee63960ba9ed9a69b704873b83bb67d2df431

C:\Users\Admin\AppData\Local\Temp\1000778001\lada.exe

MD5 1d56b3368bf684f1f7c9b8a007d660e1
SHA1 04e9eea1842a8af730afd798785f733ffa9ba4b0
SHA256 6fe36546100c591b81604ddbb813e7719c768a43e66569732236df79082fb106
SHA512 0f58398f4c8b950d547820555a6f7b6767e204ca87bb5ec8fa3d26794e3976134476408e2c0e58a95425103e20cea63d02fc11d62a712273d6af6677b32bc453

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

MD5 dee7d0d8bd2ad3843c8ccb07e2589f62
SHA1 0874cf75960b5f7d940127b61583f70f78fe3595
SHA256 a3a7c31620f56946de840e2e38075d7c8a54e1961be46be32d2b74142dd33d58
SHA512 22ce4748644e5a4fd5dfe09c814b91aac60b67a129488c3332c2cf87dcb7bdf39a7b4dd16502fcbd731b9a07cc4a0b3c5175bcceebbd843bda0393c730cdc944

C:\Users\Admin\AppData\Local\Temp\1000779001\MONTHRDX.exe

MD5 448f59f9fd30e0830cf889a5cd05b07a
SHA1 9d07e973ef3f3ee4ddbf7175720c2d954eb45bc7
SHA256 b7e17b73d23ec199950888a660bfedee36a478b9acd00d57f94468abf5022456
SHA512 94f41288843456d235579b6d76dab776aeb44eae3356bd64c384b530394eec47e4ebb240908ab8e8af058b086b1522f1022b593760e4a0a470fbc4a90c1c0745

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

MD5 a16955d768127632a5e3b0ab96ca6f01
SHA1 14e81256f18d80467de4bcacfe8adc3d053ad78a
SHA256 3f3cd624c4a47e6db3163d6b143be70c29335698b969c5b7376fcdf19da16be4
SHA512 bc0b40f8044652b513657bf689ce5c76bc05892c59b1f6995b760a2b2099a9faa60d7f48d9ffe788ba66dc6c63cf6715e600bfee23dae6a9af2a44563b1ee9b6

C:\ProgramData\mozglue.dll

MD5 ea73e3111caf541647e3c104b340aa06
SHA1 f09b89135ce7bd645b5fbf90312b7972e82eaed5
SHA256 7ab420f49b68702eef854e16adf01a28e8a5150019eed0f50d9e6e67a802c2ea
SHA512 0382353860f46db558dd0bc6b396c299eeaa9deabfd02269a91dd38eeb0560d3c3d2e319cef7641ce43ad28f0aff0470696df9bef77a0d365f682c5de58372e5

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 a65425059a6641b127431335d381a68b
SHA1 ef981560eed77adfffd667d009ea7cd51cac68f3
SHA256 f8713c2b09b5159a8ed4a843849a214e543b641c0d52c20f8c78f38a7a5a0f12
SHA512 0cde0250a16f5702b119d842b9b920b294ffc8c5aa8ae19ce3cb2bc018eee55c147615a15e53e9ff1af4af61d89a97de2a217a6da1a626886421af12ebac6007

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 464bdb0e067c6e16d56523ce61a1a70d
SHA1 19f3419c9416d063fe824f986eafc953fdb39cff
SHA256 6ad8872e3748eaa8aa7028adb20361f6d8a236ac6db59d91f51334eb01293b08
SHA512 05b635fc7f3b2c93a0eacac5783252c25378b85b8de7b60eba879e4e5a4871d2e7c7600a64f62f1997c89070344c04d843d865adeef2f31e8fd08b81a8fd9f71

C:\Users\Admin\AppData\Local\Temp\1000001001\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 2c34885e7b9da8a23bddd94ab0e6ec75
SHA1 0103441e0f189c131982bd4bde890ae27b216201
SHA256 5b50e8a5192dce87dcaed0585be2b7034e5d82f0f3a8872673ca21845f0a08f4
SHA512 93b6452693e7be416c99db8d0f00021e9ec75d597f4ad2f2924071e6ea02f2c039ee5185e28a9814024d5a2b30fab00920a56b6f5f3d48d97422223f93d8d4e2