Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-gw14fshbh4
Target db6b310f6f2641e8ab313eacbcd826e0.exe
SHA256 1d549992b957a68fc4a38a3a813771b605aed20e0e2d79787252754ab82bf029
Tags
amadey evasion trojan djvu glupteba redline smokeloader xmrig @oni912 livetraffic pub1 backdoor discovery dropper infostealer loader miner persistence ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1d549992b957a68fc4a38a3a813771b605aed20e0e2d79787252754ab82bf029

Threat Level: Known bad

The file db6b310f6f2641e8ab313eacbcd826e0.exe was found to be: Known bad.

Malicious Activity Summary

amadey evasion trojan djvu glupteba redline smokeloader xmrig @oni912 livetraffic pub1 backdoor discovery dropper infostealer loader miner persistence ransomware spyware stealer upx

Amadey

Glupteba

RedLine payload

Glupteba payload

Detected Djvu ransomware

xmrig

RedLine

SmokeLoader

Djvu Ransomware

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

Stops running service(s)

Creates new service(s)

Blocklisted process makes network request

UPX packed file

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Modifies file permissions

.NET Reactor protector

Reads local data of messenger clients

Drops startup file

Checks BIOS information in registry

Identifies Wine through registry keys

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Windows directory

Checks for VirtualBox DLLs, possible anti-VM trick

Program crash

Unsigned PE

Enumerates physical storage devices

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: MapViewOfSection

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 06:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 06:10

Reported

2024-02-06 06:12

Platform

win7-20231215-en

Max time kernel

122s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe

"C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe"

Network

N/A

Files

memory/2520-0-0x0000000000AE0000-0x0000000000FA3000-memory.dmp

memory/2520-1-0x0000000077BE0000-0x0000000077BE2000-memory.dmp

memory/2520-14-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/2520-13-0x0000000000650000-0x0000000000651000-memory.dmp

memory/2520-12-0x0000000002620000-0x0000000002621000-memory.dmp

memory/2520-11-0x00000000023F0000-0x00000000023F1000-memory.dmp

memory/2520-10-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/2520-9-0x0000000000A10000-0x0000000000A11000-memory.dmp

memory/2520-8-0x0000000002440000-0x0000000002441000-memory.dmp

memory/2520-7-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/2520-6-0x0000000002670000-0x0000000002671000-memory.dmp

memory/2520-5-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

memory/2520-4-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2520-3-0x0000000002450000-0x0000000002451000-memory.dmp

memory/2520-2-0x0000000000AE0000-0x0000000000FA3000-memory.dmp

memory/2520-18-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/2520-19-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

memory/2520-23-0x0000000000AE0000-0x0000000000FA3000-memory.dmp

memory/2520-17-0x0000000002680000-0x0000000002681000-memory.dmp

memory/2520-16-0x0000000000A70000-0x0000000000A71000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 06:10

Reported

2024-02-06 06:12

Platform

win10v2004-20231215-en

Max time kernel

74s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe"

Signatures

Amadey

trojan amadey

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\u19s.0.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\u19s.0.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-252 = "Dateline Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2512 = "Lord Howe Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-181 = "Mountain Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-222 = "Alaskan Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-364 = "Middle East Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2391 = "Aleutian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2412 = "Marquesas Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-912 = "Mauritius Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-462 = "Afghanistan Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1502 = "Turkey Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-451 = "Caucasus Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2342 = "Haiti Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-392 = "Arab Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-341 = "Egypt Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2571 = "Turks and Caicos Daylight Time" C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe N/A
N/A N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u19s.0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\u19s.0.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A C:\Windows\system32\rundll32.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toolspub1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u19s.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2636 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe
PID 2636 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe
PID 2636 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4900 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe
PID 2636 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe
PID 2636 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe
PID 2636 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe
PID 2636 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe
PID 5056 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
PID 5056 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
PID 5056 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
PID 5056 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 5056 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 5056 wrote to memory of 3004 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
PID 5056 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 5056 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\rty25.exe
PID 5056 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 5056 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 5056 wrote to memory of 4244 N/A C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
PID 2636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe
PID 2636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe
PID 2636 wrote to memory of 3172 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3172 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe
PID 2636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe
PID 2636 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe
PID 1648 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.0.exe
PID 1648 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.0.exe
PID 1648 wrote to memory of 3884 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.0.exe
PID 2896 wrote to memory of 232 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 2896 wrote to memory of 232 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 2896 wrote to memory of 232 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 2896 wrote to memory of 232 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 2896 wrote to memory of 232 N/A C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe C:\Windows\explorer.exe
PID 2636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe
PID 2636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe
PID 2636 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe
PID 1648 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.1.exe
PID 1648 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.1.exe
PID 1648 wrote to memory of 3908 N/A C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe C:\Users\Admin\AppData\Local\Temp\u19s.1.exe
PID 2636 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 2636 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 2636 wrote to memory of 1168 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 2636 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe
PID 2636 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe
PID 2636 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe
PID 1168 wrote to memory of 4084 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe

"C:\Users\Admin\AppData\Local\Temp\db6b310f6f2641e8ab313eacbcd826e0.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe

"C:\Users\Admin\AppData\Local\Temp\1000064001\lumma123142124.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000066001\redline1234.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5016 -ip 5016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1092

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 1252

C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000067001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "ACULXOBT"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "ACULXOBT" binpath= "C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\u19s.0.exe

"C:\Users\Admin\AppData\Local\Temp\u19s.0.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "ACULXOBT"

C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe"

C:\Users\Admin\AppData\Local\Temp\u19s.1.exe

"C:\Users\Admin\AppData\Local\Temp\u19s.1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3000 -ip 3000

C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe

"C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1220

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3000 -ip 3000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1260

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3000 -ip 3000

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\explorer.exe

explorer.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3000 -s 1220

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000069001\RDX.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3884 -s 2364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 3884 -ip 3884

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5020 -ip 5020

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 348

C:\Users\Admin\AppData\Local\Temp\995D.exe

C:\Users\Admin\AppData\Local\Temp\995D.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\683043812824_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Users\Admin\AppData\Local\Temp\AD72.exe

C:\Users\Admin\AppData\Local\Temp\AD72.exe

C:\Users\Admin\AppData\Local\Temp\AD72.exe

C:\Users\Admin\AppData\Local\Temp\AD72.exe

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\13359d0b-2800-4dbc-a476-609512dd810e" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\AD72.exe

"C:\Users\Admin\AppData\Local\Temp\AD72.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\AD72.exe

"C:\Users\Admin\AppData\Local\Temp\AD72.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4380 -ip 4380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 568

C:\Users\Admin\AppData\Local\Temp\D7BF.exe

C:\Users\Admin\AppData\Local\Temp\D7BF.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4864 -ip 4864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4864 -s 1152

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4864 -ip 4864

Network


Files


memory/3000-216-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2912-217-0x0000000005690000-0x0000000005722000-memory.dmp

memory/3172-215-0x00000000026C0000-0x00000000046C0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u19s.0.exe

MD5 4fc375fdb4048e011d5468d842b66f31
SHA1 bf0a948b408e22430ca79da41a62f2899b49b455
SHA256 02c53829ae5fc6e7367cf9c83928a8fd917659149bfe36e13a0957ac20e86294
SHA512 bdd6f3419bbf4f58fa83bb4c395a8704cabd6566e7bba8a1a84ce35dd66e69a125e442765d65fc38c6ba6a0b8241537269a9e3afeb0bb4e0dfe98870a24f8245

memory/2912-229-0x0000000072C80000-0x0000000073430000-memory.dmp

memory/2912-230-0x0000000005800000-0x0000000005810000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u19s.0.exe

MD5 97d2628cf80ddf6a657fad86ed2785fb
SHA1 bb00d5702fb9947a803fa139316fdd7106ba9a63
SHA256 93472a48d2707adaf3095b81fdb875420fbb26b9c1423a412af7edcc369c9a80
SHA512 33b02503a448be7aa7b84eb29fa174f82903bec7eec2d8850a0aa229cb73f249ddca8402ebdae8bfb97046f77dbde9b1f50056661ec7899f5f5aff3eff0de8a3

C:\Users\Admin\AppData\Local\Temp\u19s.0.exe

MD5 3b4664104823ce9ac95c6c266293da47
SHA1 06d208633691adb9e503f7db88d211cd1c1bb14a
SHA256 ace65b5476f4867af5950c63a9f155d17ed696863d1fa3da8ab2680d3ef518d7
SHA512 51ec88d9a9e44a0ce3a09eb0a5128404d70f0d5ffceebe4ea13ed3d9e5a0f2c581cb8161aabce512cf9c882499413754e5a8c53226e9a65353c3d43eac6bbab2

memory/2912-234-0x0000000005730000-0x000000000573A000-memory.dmp

memory/3884-241-0x0000000000400000-0x0000000000647000-memory.dmp

memory/2912-239-0x00000000084C0000-0x00000000085CA000-memory.dmp

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 5ae8f48ef6a8be1d0afb3058b91a84f9
SHA1 528fc937a0ae80129abf3255060508856cb9506e
SHA256 e189a97c0048ea188ba48da505958a99973c489d00a79c372a87d39d23ce7165
SHA512 54b7d29353f6638d7853df50060be1dddfc82f3cb28d68c1b7b25b59d540446626da0bf4ea7d42476ad457163fb89eb211e788a5ff6ca4dc7b0fd4898806948e

C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe

MD5 6c105fd3ab573c3fb85a02405000deaa
SHA1 927aad0cc3838226b17ced63de59f68a3567dac0
SHA256 80997fe9167b040850ebfb53eeec8f06c9cefe58a70fc8d9410e0d6d502389e9
SHA512 b9d9863be6326d98380620bd228ab1a2593cc92cab74a095d6c6fff72cbf3fc4a1d6c81a171b6f19cb20fafcb84f2ecb8f655b184b57bac5c330b8568070009d

C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe

MD5 c77916309bf6f27524036de6bc134807
SHA1 5d9a661edc131356678ae97ae90a807a62361de0
SHA256 98442a1c39a46047201424f4a668352dbac83dcf4b9fe68557d6aaf91dfa7d51
SHA512 98880274e94947d5cb573ccea70dc94092276e00e6e23e064d341815c3a55c7d00b9f10d0df6ee418c52a24935384f5786f005623ccd99bf8743b010f7122b42

memory/232-272-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-273-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-274-0x0000000001250000-0x0000000001270000-memory.dmp

memory/232-275-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-277-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-278-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-279-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000070001\daissss.exe

MD5 4ccc1ea9c6cb9a0cc93537ba78fd7f16
SHA1 2da43a11b937bbd1011acc92bbce90187fd89ca3
SHA256 3191e2dd34fc31dd727d8f17424aef2fdf4e0287f7123b3b9ebfd3f5f2fcd8ab
SHA512 6d9da3001ae6f479a1f67c9007c8d80094f2726381f4b74e577e4aad551ab48cfaa0de1b95c6e550dba459fd3a8e5d4d48468c22857c559cdec6a938b8f73815

memory/232-276-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u19s.1.exe

MD5 4624ef097cc08491a619222e57674ee4
SHA1 026a17c148f7ac5a4ad9a088ef868f59a39f677c
SHA256 ce8cf57a483421172aa707ed967d845ebdcf232e3a861d55e3b5a768a4257acb
SHA512 45d8709b93b35bf9d801dad15b303219f25eb57db6f4529670d6dea3b4dbc44a89551f067d9de8f699266266be7c402de543a2d035834b08e508989971b362e9

memory/1648-298-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe

MD5 ebd4a0e9740817b144a38038f41f1d7a
SHA1 480e0b6dbd4e3197049e0eb828b20ed10ec3cf3f
SHA256 ada247c83e4465be550ce9416171dfb76c969eacf698af366c82486577b125b3
SHA512 3f5cfaf99b9a62c45c3c12034ef0f8d4bb51b44760c909d45704b836239ea63c43b633e624c7a00f9f88bb209cf5ebb678ed59d937a7b4f17db7f40a01ec1f96

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 9f26ccea26f3095f68ef4c69761c4837
SHA1 d8dfe1ce2077a2948081cb6054d289739bd4b729
SHA256 a47030b3028079adf7eddb78fa185890ae45284066e97e18d7ddd5a7a1ccfd4f
SHA512 2a8edf3a7ce720a42a3a832bf1caf2cc418bbbd5c4ebb9fef2110a08948dd83fa4d0e9bedd3f6e1eaae5911e0702b4c602c27bb8fdc0345ef8f7f1cc071a114f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 43c7b7208987f869c83a5bb4ad5810f1
SHA1 8779cd8d0be201c00975fa8d40e24ea8e93c46b9
SHA256 19d8b7d099de92a03b5c811e23fca0ca68e8e6370589c5dd0790708c52f3f5cd
SHA512 923ab3229d1a7bca7f6f7a07b31955839fb86d4d1b5cef6fa848ca6d3cba93da4d477c90afdd3acb7a722a1d6926c041856a9bc7e9bf55af22e5e64958d9c289

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 70a8e1ffde3a6e39fe8f69afee617d58
SHA1 1c751a5b36310e0fa836ef936fd779512aa52eba
SHA256 4c32b6804ef004e0e5bc3b805402a7f452ea590b062ce11dd8f234bfc6d2fcf1
SHA512 390a374eaf98826f586d8f8868a5f6d239a835f79f65ab7aed8f509dc81fe0d8e163623671ff0e3e6f8cfc5ce9561dd7cc661ed167a2b97a06b818546e89e02a

C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe

MD5 2bcf22992f2f0dad077e8e8c9c6a12b7
SHA1 5eb6202076d4df3844f3cbf6c960e6a51fce4d47
SHA256 e7f13bb6791ce6bd34842256a2f2952d311f7b9556c31c424ece7af312d7a0a5
SHA512 08e6a09919a4cf8c0b992cc070318a0827acc7dcadf627033944ab34f1dafc826f6d2f6668136974f2cd6d0940cc44680c681310ab4d72c2f11dd7dc8588b29f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 5881ee7d0d790539bcfd3037e0ac16a8
SHA1 fbd3990117e5ad0d66bf62253e924daeff516aa8
SHA256 5e566c8cb35e5c47eeb7bdb08f84553ca7249d43a5c15f200f3d0a3b0f5728b9
SHA512 fc9c759b6f1e436088bf20a8a9114737a1ba4af995ba82c6b0d8f015207fae85cab55bc8f9aa12aed6700ed2618fe265020b0bcd54937aad338e8e07f7be9a13

memory/3884-337-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/2992-341-0x0000000000400000-0x0000000000442000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u19s.1.exe

MD5 50e49755c14fc8e7813b792198cf5288
SHA1 12c723d9f15326d38535acf08c9468632ca3d321
SHA256 64112431e3be8d75f0c96d268d94555f2d1cadf14d1eaa2d604fc272e3a51e57
SHA512 77dad125de5af02a68052670bc37694eccf765789011e7909c987fbf74844ddb1c31cd6495fba91fd9d1f1154eecb4a1744ff8ae6304683b6078d268cf0ab618

C:\Users\Admin\AppData\Local\Temp\u19s.1.exe

MD5 d615a026a0814bee0ee92f116aa1e41c
SHA1 9d2851b195cd32f66e0b52aa2fe6523902122004
SHA256 c6a6a2fa7b082ea32dd2f1101d5eaf0e735ebe14820c0631e77519125d8424f4
SHA512 09b5290404a43b8f9c3dd0605ac6694574874313d09358de0403f09c9f719185e403193def38e22f244ddd843b73f3c8885fab973496abfe67bc2e866e6ac0a0

memory/3424-354-0x0000000001610000-0x0000000001626000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000071001\rwtweewge.exe

MD5 6dfb50147bd28b04f8cc42fedb444af2
SHA1 305210443af78238d8cc34dbdc0ccd6ca6111bf5
SHA256 d0701deff36236f326c4d3f6108c61e025bb21c24f48ff90b9a128d14d3b094d
SHA512 df99c42103cecd4f0390183f4dcad6aa3ba2f6ccb20d19a703ffc4cb31688951b1a491cc9103512745022353328d33161f915e85e86f777388d0a07e8a207d43

memory/232-269-0x0000000140000000-0x0000000140848000-memory.dmp

memory/4244-361-0x0000000000400000-0x000000000044A000-memory.dmp

memory/232-261-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-260-0x0000000140000000-0x0000000140848000-memory.dmp

memory/232-259-0x0000000140000000-0x0000000140848000-memory.dmp

C:\ProgramData\hlkwogclqprr\uwgxswmtctao.exe

MD5 4db23c9b4cb16ff665b5503f5ed06855
SHA1 bbcc4cf5181d6401e77559350f27552dbb9e7b0c
SHA256 bdcf4c6c05b70b455429f22c4225d1eafbd55e65247ed739d47f6a118aaa55c7
SHA512 9401a6c4fbd2f18fe59b0c65c554b350c22c4d40e49d44415b4f375955df152e763ff93151b87bd39dc880199b8ae5260309cadc425a60fdfeb7eda11e49403f

memory/232-249-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3884-238-0x0000000002160000-0x0000000002194000-memory.dmp

memory/2912-237-0x0000000006A80000-0x0000000007098000-memory.dmp

memory/3884-236-0x0000000000780000-0x0000000000880000-memory.dmp

memory/4900-235-0x0000000002F90000-0x0000000004F90000-memory.dmp

memory/232-396-0x0000000140000000-0x0000000140848000-memory.dmp

memory/3648-409-0x0000000000400000-0x0000000000454000-memory.dmp

memory/3172-203-0x0000000072C20000-0x00000000733D0000-memory.dmp

memory/3004-200-0x0000000002E10000-0x00000000036FB000-memory.dmp

memory/3000-199-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2636-173-0x0000000000630000-0x0000000000AF3000-memory.dmp

memory/3172-171-0x0000000072C20000-0x00000000733D0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/3172-168-0x0000000004CE0000-0x0000000004D78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000068001\mrk1234.exe

MD5 bf2a3e48b0ea897e1cb01f8e2d37a995
SHA1 4e7cd01f8126099d550e126ff1c44b9f60f79b70
SHA256 207c4f9e62528d693f096220ad365f5124918efc7994c537c956f9a79bcbadd3
SHA512 78769b0130eed100e2bb1d0794f371b0fa1286d0c644337bc2d9bbe24f6467fd89aa8acf92ac719cc3c045d57097665fe8f3f567f2d4297a7ee7968bbab58b91

memory/1648-155-0x0000000000790000-0x0000000000890000-memory.dmp

memory/3004-430-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0n1ms1nz.yt1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2636-452-0x0000000000630000-0x0000000000AF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/3884-491-0x0000000000400000-0x0000000000647000-memory.dmp

C:\ProgramData\mozglue.dll

MD5 25b5c52592b48eea782cd1901d4a5f79
SHA1 7a318a239c342bcdc542b2c3ab6d939743d1e0ca
SHA256 8d9eec82b9ba2f844e760b1db4b98fb87e2674f055172715e66ca644c6fcf0d0
SHA512 8ae77ea4f5133cbdbcccb60a01aea57a6f7f2f7e8318a2f45ae68c3c924348d6e0bdbbfa68abdca02a647ad954fc9d70f2cff9a83d3dad39cce6499687fdec1e

C:\ProgramData\mozglue.dll

MD5 5774d90abbf8f6e15b148341fa056d65
SHA1 91c9b6fde49f37d32e7a45475f1c61fa721aa06c
SHA256 f941283b6eafaf800cbee2d594cbdaa4ac825acf365a75f47a4c4d69628b45b2
SHA512 dd02012bbe3b166d514ec5309c9408eaf85e2f49506c777b5b82a32c9a0846e9417e93aa843782e2bc31e95d96ce125f41973753009cb3de1fd48c0d654ba3e7

C:\ProgramData\nss3.dll

MD5 0f8de67351de134df32e3db4c1be000d
SHA1 aa3752c31a1470c5581058d7395ed1ec8ae7bce7
SHA256 ebbdf6a1721a088d656dbe9360284fea37c5b517776fe16cf37cc769eefd92f7
SHA512 3e2386ccc9286f8d7415bdccc492960a53ba1e9776798b606fff7886a708c1aa87d0b807de3b8f6b942c8fb00306888eaa93384118a5cf55793d6d1d034a1765

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 2e7fddab5ebfbbd2930630b8d3170969
SHA1 913e92fdc4ed75d814277d8c32dbcf6b6897adca
SHA256 da9c7fcfa4a117f9fad4bfdb305df5be286e4c7b831b720b9360d9d344976b4c
SHA512 50566e96b8aa1abd56eba9038008e5976e17e7b47f056aff44bc6a2d013b5caadf4ac5cadc18e8c304c70582ba8dd1a609233202e7ed1f86c4ec9dfba242654e

memory/3908-537-0x0000000000400000-0x00000000008E2000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 ddb46e3bdf46b07ef4d893eb24c48054
SHA1 eaa539652fc64702fe75a337ccc56d627f5d2d36
SHA256 d2a00ca282721f64a1c796981ca7b58df376b01cd29f93565466cafac0490c55
SHA512 e74bf65db88a1064df8dbb5f00acf9d9c8d52cad8f62049d9caf24ff728c618f33678a8257f96f1b0e369da758aef0fdac5e200c0b0eafb41d84194487a9770e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 02cb8b44dede5567b9e769c6b05ce0ad
SHA1 8f3e3e5637c19f6b7356e260f18fc4a8521231b1
SHA256 3e3ecf87215f2859780b27293bfd9cf1fec4c58a20764a83f576f8763a99e4b6
SHA512 e700566ae58fc443ae592ec09d6b7800e1167bd6ca1ff52ebb278801831f77c160cae6780fd1bc4a869c048da0dbad498af6da50cfb7b1a23972ecc98b059362

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1dfbfa155719f83b510b162d53402188
SHA1 5b77bb156fff78643da4c559ca920f760075906c
SHA256 b6b12acf9eb1f290b6572cead9166cca3e2714e78058bef0b8b27c93e11f6831
SHA512 be0c4d568988494bdc5b94b455215ec0b6f5c00327c481d25bc8aeef683ca150f011c76f8978b4869608387a0a8b3b803f471511897443e574a8e3bd5f9b38ad

C:\Windows\rss\csrss.exe

MD5 7cdceec38cf0cdb401a80501497adc13
SHA1 ed8e0ccc5dd2c0d5bf53c1777eda8c18c45093e4
SHA256 6e2049bf6efd09fb8ecc214b127bbe715cb09dd359bb0eafab936a28e60ac42c
SHA512 036fa64c29578914387b740a7f2a81e59b4ffb2a279ecde6a91849f10924185afc092ba602618a4a84b0a0cb531f18d3180bbad5010f91a93c3d44350365f694

C:\Windows\rss\csrss.exe

MD5 cacdced92d590d975989d2132591336b
SHA1 1a6000982e63a59fed0f1975ef3be5ab2ba3ccca
SHA256 e233b0b7010485371a2c99859cc04c632f93b268440436ca2a927b1137c5e1a9
SHA512 53133c002bac474cc05849b87b4a262765011289f01be98d8d45ad242b3cbf91c17858a4490658d4abd857a383a33c61107327fc984254942f732d13265bae65

memory/3004-635-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 b2b0023c7bdd793227a95cf4c5214ba9
SHA1 40b1623364433bdea9ad5db2d0be2da7b3976944
SHA256 1c8254152cf1aa0e3a13f9e86c4e1ef23e7422e8276a47cc92a91d3597c15c0e
SHA512 ea19450e93621562b237cfe9d41a8ac74124e9ca9cf00c836993c14d8b6b770f6819253246a07453e50083151f2dfd386513ae4c5150cf8fe78505a24e834a0a

memory/2636-670-0x0000000000630000-0x0000000000AF3000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 0203ce1b99ba5427e46653e43529ca3f
SHA1 849d1e89125c8a747d62f498f24b570becc0b74c
SHA256 a9f5a893655f5b448a8398cc30ae5f6fd05cd90b2d5fedeb20f8c3e5eb7eb19c
SHA512 846fb88d236fa5e79bddffd2aeef75260af2834d6592850af183c011ec0d0286c59605e8e0d1b6f0838b10bc53c66ffd18103d3f7b486537453e8deef1b37f96

memory/3884-697-0x0000000000400000-0x0000000000647000-memory.dmp

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 30b3de7f075828fbdb2fc2ab2a85cfef
SHA1 9847db784779800e2aaccf649d92d317920d29c5
SHA256 31b5271283585bd1487907b57d6165e90b67325ef0eaae2b0119e829047f7d47
SHA512 ec665373690233cc4839f6de253c503242c1e16b1f6faed8e3bcbdc73af960970c76842028c5444cc7b88f1cf757aa8f6474e5876eecea42fe495e69bda5016a

memory/4740-718-0x0000000000400000-0x0000000000D1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\995D.exe

MD5 88d758be6f5d43337e22f026abf3170f
SHA1 35437a2ad650484dde7a6ccf67fd76428ff4ada3
SHA256 bdbd0ee82dc7acfb5fafe10561dddd6b6b11c1d55f2f96bc6a1c8eb5dce167e1
SHA512 1bce2be76d97c9fa6d9af0d4b937a302ab61f45dd72d30c64cb6af1d551095ae225133de517fc642864aeaf88d56429ab5242be598c35b3ac63756f9b23aa3ad

memory/3672-758-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2636-765-0x0000000000630000-0x0000000000AF3000-memory.dmp

memory/3884-776-0x0000000000400000-0x0000000000647000-memory.dmp

C:\Windows\windefender.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\windefender.exe

MD5 9a68db800dc6ea15754ac242222809e0
SHA1 0d6f6bf49854c77d7c715c2e9a7e0c13c52b9289
SHA256 76f8bb1f2f9a620768661bbb36f275dcc8defdf3e6a99177c572ef22e32b8c6a
SHA512 ef797080f3385be0cb1af06bba57f47521ca0efcdc95a3cda7e748a12a6f0b842cbfb56b1552fc6aaaa05d60b23c78551a2a98e8b696fcedffc9a3d38ab42c04

memory/4772-793-0x0000000000400000-0x00000000008DF000-memory.dmp

C:\Windows\windefender.exe

MD5 2144afa03fed3a49def3dd7ce8c2244c
SHA1 0f8272b7e2a0cd2ed80ea9074fa6baf6974862cf
SHA256 f90d5c824afe2780aecf598b851110464242a120debc0db316b23875be828385
SHA512 afbd5066db6a77c82c0bb217559667391364d436f3f3ea788a4e42852b7ad62a9e4573ca5da1aee3fb6cfb5f2babcf51635743225a6bdc4e8b034b166f622d20

C:\Users\Admin\AppData\Local\Temp\AD72.exe

MD5 c4efa123de7bfa523d9a5ecae7c3c5b8
SHA1 2b480426f7da97b0fb783265bacff35451c28447
SHA256 10b006ba1f551f12dec183a59c7c83c8ad4454f64bdf1827942b4329cc36bde6
SHA512 9dffc48113c1188176aae70f5a9412eeb2e3366f22da749c06518ad1e873059bd5e50b1ba69a8bb1f6db4269ebd90e9cdcfc4dd5da5ce2f279ca74a5d953156a

C:\Users\Admin\AppData\Local\Temp\AD72.exe

MD5 df7fcb2417af7077cc040ed524c733a0
SHA1 7813a1e4a1f2caad3deb6765cc132ae79c7e7a52
SHA256 8429e46f01de959101ea58bb5139d64247579721523c045c3eb1f693f5095d93
SHA512 d6431cce26b89de98f630724adfecf416a3c75fb9f26165e4ccab6b99385048f2e9a716780c355c93c1aadcbf1a363077c19ab108bb75834c6f74e49f843f9a0

memory/212-800-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AD72.exe

MD5 849126d69b0e20d2653325e3addca8f0
SHA1 92d7328facc97b96aa6f5b4a6794e340ec4f8615
SHA256 2b4275a2f89f58bbd3ff0419dec113304bc53e5ce7a89c025a58514d4553f812
SHA512 d738be99ba31a5ba1de1d30cfaf7ff3e80c7b03c798e74331730c67de04c1f7f48c6d8ef25e9ad65ee654d918822768d6924c40d2a1ecada2e67233c230fb9a4

C:\Users\Admin\AppData\Local\Temp\AD72.exe

MD5 b4fdbd7ac0690b600cc8e63da34b0065
SHA1 a2a4bff4b2055b805e2857deff08bcd5e9b087e1
SHA256 2be7f251204a4c227e7c47f7afae5fa958133cac02003f07c46f31ad236a5bc7
SHA512 aa7ddddea692ebdb35c93c66d24498737fc33bb65f47de1f5ffe5b652d58245755f48e456e05802102f0cc04c57a49af6739b4d83f86686b87de067b3c95d023

C:\Users\Admin\AppData\Local\13359d0b-2800-4dbc-a476-609512dd810e\AD72.exe

MD5 6ae6fc94b6297f288b2eeec07ea96ad1
SHA1 9690c5c7ca01aa361e13fd080a29bbe2008f6d94
SHA256 6ff5e200cb15eebea55c13511cf1ad49b8287afd952c75fa807a7dc3c010e739
SHA512 4de9c4f2a755d8004d4d03b872a0e2b5f51a9df2a786d2643d837041f1c9bda82577958115e7b2d9acc8957cdbcc8b7dfd5d072a629e801bccbaad6613e0d5c4

C:\Users\Admin\AppData\Local\Temp\D7BF.exe

MD5 fd78c49ea2deb586f17b25193121dbd3
SHA1 b1d611005880904a2eb1bfdfbd336746c751d291
SHA256 538b427a627992be8eb46a30d7f74b4bb8ec9899bacad07321b4800158075fd6
SHA512 27c3b611e0fcefce944436b7239a341614fed8fa7a1fec659c78359985ce2879d8552fa615d4ddced93ef509db30389e4207a25ba2e1f77aeaeb074efeb88333

C:\Users\Admin\AppData\Local\Temp\D7BF.exe

MD5 15d6b5d3acd9e6d81224f5e38676de16
SHA1 b1811e3a1f258605a8530229a2cdd6613b03ac45
SHA256 87b030e069327dd91bf2453e55c9f553b20503d81823124dac93e8656855593d
SHA512 1c989c750d0e92f8ba8558403e759b16f29cee3ab56a7f3ae58088c2fc8b44e6182bb2ae410f9b3474f78a6136cc82f39f5b3a6d19946e868a32c4792d78245b