Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-rp47mshac2
Target SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe
SHA256 d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da
Tags
amadey evasion trojan redline zgrat @oleh_ps @oni912 livetraffic infostealer rat upx
score
10/10

Analysis Overview

score
10/10

SHA256

d5069a5fed89b8e60a2c92d5d26b533e339ca2001a6148c04b8183f9ae8e34da

Threat Level: Known bad

The file SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe was found to be: Known bad.

Malicious Activity Summary

Detect ZGRat V1

Amadey

ZGRat

RedLine

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Modifies Windows Firewall

Checks BIOS information in registry

Executes dropped EXE

.NET Reactor protector

UPX packed file

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-02-06 14:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 14:23

Reported

2024-02-06 14:25

Platform

win7-20231215-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 14:23

Reported

2024-02-06 14:25

Platform

win10v2004-20231215-en

Max time kernel

50s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorgu.job C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.17762.9680.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe

"C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe"

C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1388 -ip 1388

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1244

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\497073144238_Desktop.zip' -CompressionLevel Optimal

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4576 -ip 4576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\u2gc.0.exe

"C:\Users\Admin\AppData\Local\Temp\u2gc.0.exe"

C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe"

C:\Users\Admin\AppData\Local\Temp\u2gc.1.exe

"C:\Users\Admin\AppData\Local\Temp\u2gc.1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4332 -ip 4332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1968

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 16.234.44.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
RU 185.215.113.32:80 185.215.113.32 tcp
RU 193.233.132.167:80 193.233.132.167 tcp
US 8.8.8.8:53 32.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 167.132.233.193.in-addr.arpa udp
FI 109.107.182.3:80 109.107.182.3 tcp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
DE 20.79.30.95:33223 tcp
NL 80.79.4.61:18236 tcp
US 8.8.8.8:53 95.30.79.20.in-addr.arpa udp
US 8.8.8.8:53 61.4.79.80.in-addr.arpa udp
DE 144.76.1.85:18574 tcp
DE 185.172.128.19:80 tcp
US 8.8.8.8:53 udp
US 172.67.182.52:443 liabilityarrangemenyit.shop tcp
DE 185.172.128.79:80 185.172.128.79 tcp
DE 185.172.128.109:80 tcp
NL 45.15.156.209:40481 tcp
HK 154.92.15.189:443 tcp
US 8.8.8.8:53 stun3.l.google.com udp
US 8.8.8.8:53 server16.statstraffic.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
FI 64.233.164.127:19302 stun3.l.google.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 138.91.171.81:80 tcp
HK 154.92.15.189:80 tcp
BG 185.82.216.104:443 tcp
US 188.114.96.2:443 tcp
RU 185.215.113.32:80 tcp
RU 185.215.113.32:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 8373f810700ac28ce4d2e059739e2c44
SHA1 7e5f5ff248978a0b8bf8a1f973d49de34d73a5fb
SHA256 691383c82a72ef8b1052ffefc46d54d69017ebe0ec4c060eb3dbad9a09574b86
SHA512 a684dfb8ef2aeb6109f3095f3240b24428f8f79fcbf5ca2236ab3beb41d9dfe8601a0da4aeceeb070957bf56dbeb1c331cabca79ff7fe1301dbe920b6b8167da

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

MD5 7d5dc6bb8237dc9d002dde007ed3d7e5
SHA1 4e146939cdcba7622fd2dd58d6d7af18f00aca53
SHA256 2ef0440534574b0c2a84a78fa06bdb51cd618b22033d7eb2966feb6126e2730f
SHA512 9c2ced408acd3a781ffe7c27d43364ee9a5836ddfcc2582413793fb0cc723de866eac6eb0f1553885b375b1138c7aaa2dd7c0903fb3c790fd879971bb4c2a611

C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe

MD5 a47fe9c5ed618defdfc7a6e5e4c4bb96
SHA1 36c092d56cdb6a330951317c90b56b6976371cf2
SHA256 07bc93a97d22129cb486eec1039f6617b7be443fb2ba52d07d67c3d58b987beb
SHA512 394235ab2233b8d9cb717672b998c739fe63a81fb2af73c91f79281ebf218f7c48c100acdb538a7975dbb6f9db707a4ff9e77f4d8b23f33a4a5bc90e92832f51

C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe

MD5 cac03f1c7fca3e4fbc29892af5aaee9d
SHA1 bda1e00e5da9f25ad5ef83ff4fd1df6f55440808
SHA256 2edae42c4cca1d50fb577fa029fb9b8b5049209b73ff484dac859f73c520e206
SHA512 47b024ea35244619ab0748afbef7365bbc3eb5d2a11a23b1c89e023a56468b432fe74b558e8de8346910ea4120db0c638876e8f52c2fa34b829571311a1dbb87

C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe

MD5 134d05907ced53891807c11433db27c1
SHA1 09f549e012752d6fda442f80fbf8db931ca5bc4a
SHA256 ac377e461c728e83782a584de547619ba25e610114e88835d4d59717e692920d
SHA512 16348ba76a7bd6617a5cf449d52b38e36c338a911ca175bd17e624dd452066e3d94bba74969b4b9c06ce91d718cbf34b5f9042663a421fda3ed56897861adcdb

C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe

MD5 15f3623e4c83ccab70ec771613f49633
SHA1 b602c2a228d3789c03c391a1663b65c3b3164ca5
SHA256 2579e060ae1f5c9bcf1804fa3b04ea6281176011d821f6fe16dfecaacbe25097
SHA512 1bf9ef592fda49916ecf2828b1de225a5597d4be70c62973941e7e3963d9b3ef0fe70fada77a0e09f8e11e1e5afb7e68cdfc0fedc9e59ba2e5e831391e3730eb

C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe

MD5 3139d960a8c309347ac09eb310981646
SHA1 036ebcdceeca3c60ede45f36de2e837d9370249c
SHA256 10f210f6ca9bdb45e56e9c3e0e1ba2ab9e362779322e2e897eb7bb8193847dea
SHA512 846c77299235328284782a5ca72d47f5eac33f6c8738df4e7cef85ceb62b0d544bbb9b9538d6a913414a8bbb279d269b25e657df47a315265f5a08a5e727e1a4

C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe

MD5 a602fdd075fd2f25a7b805d5b1290927
SHA1 8dfcdd3b7b2e1ba7b28b6652c2505b565523b181
SHA256 0c9a1479b6939aee90a9f55e661407ecd058f1f37d4abcc681e430e5a7b13120
SHA512 b36bf59ab39d8a22335b1bea2aa2bbe80df5698738f2db49cb28397ec8e27c7ae73b84a756c1236df765b6109adb34326aff03d2f27a3209fc51daac99ff7e0e

C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe

MD5 5665c5fadd3a75dbb423cf6787a0bdb0
SHA1 a5a69c5e8f1b10b76ebc38fc559d5823d69e33cf
SHA256 e21be4c9fd0d53c437c1665e1a7a768e666c15746b117fd5605ccd0c7eafed70
SHA512 3158a982aa2fbf86ebfba25898074008580f24142b1e2c8fef59cc7d4d63e1e28108d9fa1e9664b1948087478bb6391b086e48d8eb46a2920988234d7831fe4d

C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe

MD5 9b9ee2e1757b2e8d37eb54a8af7a7579
SHA1 0361f81084e6a45ba69b96d6255d9e53f2402b9d
SHA256 9dd23740368175d7138e6f701494ef3afc4c670828a19b27eb18a4e21c2e7c7c
SHA512 09954db7ab552c779e6bd69508f9ba9d197b781f104546bca477af0810aaa99098b4dca957a7bdba2ace3ef84be05814a3f26337a775e94447a46de428c1d473

C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe

MD5 dbbc291dd19164092153a4fae1017da9
SHA1 8dbd99816ff2909a28bde8ceee543694fc61e848
SHA256 f6c4a8d7e5c366aa94479ddd7f5b0e28034b3110df47407a223164a8d2a02ecc
SHA512 98fcad422ca8462a7ad1ea1d8b8df411875fad5d4ff2f4802e9d65dd3e6f3a3d8b70339be4976652a28a287c1eb3739b546eb0bed71828d4941f507b8371d71e

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

MD5 03c272e3ad3eff2c920b45162bfd5498
SHA1 cc210cff08574d3c883cf7fbfb916cf2efb93573
SHA256 2949824aa4ac6cc4b744c39dbba00c338d6e4b19a06e65bc8fac715ccf79eae0
SHA512 4f9d84a1309da72da157614a4ac07b6f7717d6c4fd40a369ba914e34716b99c00bfc6fac3bf738ea4f61bbc3aa44af584634140395d9994be5a6679426229cc9

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

MD5 98620b2a973a87c4a013d1471fe2efdf
SHA1 94450966759a0bc6b998ab782e741040b959af41
SHA256 940d08c8103bec5b94b484331ebec78efae365dbe83eece80d76a9c8b1b3dd06
SHA512 66f03b55bceabcc64431ec5c2b25735ed894c8d93d22caa4055daf044fdd960c7bef6866e1fffaed9b42dc099487819aa3b37721b4994438f5ead59841d89b9c

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

MD5 101bc947da5294690f91ec4b998b74a2
SHA1 facd8c61e982f06d3b798829f9bcc41b8b9a9c2d
SHA256 0331ca8cfc6b640a6da689d3f75d0a6bdbbd0db98b9ae1ad9e6d4377bffd888f
SHA512 1f7974115b2c7e3e0e7c5c01a6606c9cdfbb93eab7dcb765057218d6f9ca29e8e3a143485e798e61398b938112b6ba5e9318923cb41906bfe592aaa7717c3332

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 3f08fb57336294194c2a2639c7085e74
SHA1 5877b0c69435ff6b7486f7e3a832f2192675e4e3
SHA256 4942fa2ab2150d57cd4e19e08f0a4688417bd8ea65c4cf403b899b472175b1dd
SHA512 1f7cc5070fffdb51a5c442ff26f146cb7a15c22292d9f9d78f198e29fb725db70a35b08beb082efb57aa24e1b80247c649e5d3a795ee2ad1e2b4903f91a3e805

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 95b64ef9ee1a5b4ea0cca8ef618a1891
SHA1 d06e8ab5971d5e139713dcc6fc3fc4adaeb1e138
SHA256 3f6763f9b72d2733651e814a4b8bca14ede65b218898d26729e9cf535b56f13b
SHA512 6aad87f55d085689058ab4d3ed940c65e630a1e59d9d80c0888b15dee3b733939d976bf31c6bd18d21408ae133c74b69678a8266094dd69884ae107815a6f821

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 5d7fba70ec83c78fec5ae17d3d331778
SHA1 2e8b8d4cdbb47b45039312e03545c1f1e3e9a90b
SHA256 ffd55b47e66d7c1de888755e4f26fa6b5ea04c2902f130fdd80559b989de6fd6
SHA512 78033e33cfc6e118fe1b1f654100e01f3d5f304d12edfc4e903e43b984c4d16119abdc8e31c358aebcc56f3f9885017a60dafdb8546267146458b9ecd87d5124

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 6d8d6a792d3169666d6dd4104bb8deed
SHA1 3a067999161c455f3c6a2953acf04e6b1c54b7ef
SHA256 7d7a1bc40c313327fa012e7a348f448700103adf6bbfb446bbe415fc7dbd6aad
SHA512 462973495f6e3579204628cdca67f5ce292051a4d911180b7ecab7b39a63597ce200d14e591bf8a5592c054ef7cf4e61379bacf238c84a83911279c44e44953c

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 36ce8681d98a088aa7ddd3b1b28b8417
SHA1 a3580b0aa1f7d5610cd5c44c40adf48f31ecad42
SHA256 34c379d5d0d3f86cf9f2922cfe856c0a802a8be63f72670c9f6b6369cf2de2a6
SHA512 9cad803a6fc3ca256d3ef16ce568124e54b9df34177ec57bdc1b8ed41aa469ad603e37cbf78d96ef71d048457c70b15dcc54246fe6755bde4ad02e992da74777

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 7c2badb4a646b06e90bdb328a3691ef0
SHA1 75c0e58197b692d159ab6f619317c74a1c8ce8be
SHA256 5b07e5b68a31e5b643fca1a428f3172a28d0217562e6629f49c8a6925aa035bf
SHA512 53d953cc70c06d5032400a7c2eb91b4aa60509e113ef3fdc608d54fdbe649f3617873d25147f8ed36cbdfa0d2f303c27bb725791a8a48e8fc7f176f3bf2b5ddb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 8a7f4a239b993aecf8b9bd713d0f6219
SHA1 7593656ad7b97034aa163f9c6edfde8f3e6a6314
SHA256 ef5dfa83f683ebe7f20509bf484bec54b457c74b91befe16ae0c38d55358fb1d
SHA512 1788a260acdd5b2a25fbee1f74ee65014ad5a71509f48e78a29df45a2cb14da78854c4bf01c01c739c4a0d428a5c0d4ce70f5014e0e4564fbd34a466ceaab243

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

MD5 578ffa5a62268e441152d83326ae5df5
SHA1 66c9548e315e6f59c6ff2e2c95d0106c98631107
SHA256 defaca2bb6f46ca89a3b89bd8766a43505dd4a2c613a6118e183d4150bd3a637
SHA512 ca1a4eb2d209f8c5b124d2b4d87c9b53ce84e3a55021b284fd842ed3d4fe7571a0a9af585ddab6019ed9cbd51b7171b4aca6d12323469ca68a0856a64da22e40

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qkcffvam.anc.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7