Malware Analysis Report

2025-01-22 10:25

Sample ID 240206-st7n1aaag2
Target SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe
SHA256 e74d2e8450efee54296b28688ffba16e493410ab9e1be68aea289a066b12b40a
Tags
amadey evasion trojan glupteba redline xmrig zgrat @oleh_ps @oni912 livetraffic discovery dropper infostealer loader miner persistence rat rootkit spyware stealer upx
Score
10/10

Analysis Overview

Score
10/10

SHA256

e74d2e8450efee54296b28688ffba16e493410ab9e1be68aea289a066b12b40a

Threat Level: Known bad

The file SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe was found to be: Known bad.

Malicious Activity Summary

RedLine

ZGRat

RedLine payload

Glupteba

Detect ZGRat V1

Amadey

xmrig

XMRig Miner payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Blocklisted process makes network request

Reads data files stored by FTP clients

.NET Reactor protector

Drops startup file

UPX packed file

Loads dropped DLL

Reads local data of messenger clients

Checks computer location settings

Identifies Wine through registry keys

Executes dropped EXE

Reads user/profile data of web browsers

Checks BIOS information in registry

Checks installed software on the system

Manipulates WinMonFS driver

Adds Run key to start application

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Drops file in System32 directory

Launches sc.exe

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Unsigned PE

Program crash

Enumerates physical storage devices

Uses Task Scheduler COM API

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of SetWindowsHookEx

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-06 15:26

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-06 15:26

Reported

2024-02-06 15:31

Platform

win7-20231129-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"

Signatures

Amadey

trojan amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"

Network

N/A

Files

memory/2244-0-0x00000000003A0000-0x0000000000855000-memory.dmp

memory/2244-1-0x0000000077890000-0x0000000077892000-memory.dmp

memory/2244-2-0x00000000003A0000-0x0000000000855000-memory.dmp

memory/2244-12-0x0000000000950000-0x0000000000951000-memory.dmp

memory/2244-11-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/2244-13-0x0000000000970000-0x0000000000971000-memory.dmp

memory/2244-10-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/2244-9-0x0000000000990000-0x0000000000991000-memory.dmp

memory/2244-8-0x0000000000960000-0x0000000000961000-memory.dmp

memory/2244-7-0x0000000000860000-0x0000000000861000-memory.dmp

memory/2244-6-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/2244-5-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/2244-4-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/2244-3-0x0000000000A50000-0x0000000000A52000-memory.dmp

memory/2244-16-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/2244-15-0x0000000000980000-0x0000000000981000-memory.dmp

memory/2244-17-0x0000000000870000-0x0000000000871000-memory.dmp

memory/2244-18-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2244-22-0x00000000003A0000-0x0000000000855000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-06 15:26

Reported

2024-02-06 15:31

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Glupteba

loader dropper glupteba

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

ZGRat

rat zgrat

xmrig

miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

XMRig Miner payload

miner
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Stops running service(s)

evasion

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A
N/A | N/A | C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\rty25.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Windows\rss\csrss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A
N/A | N/A | C:\Windows\windefender.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A

Checks installed software on the system

discovery

Manipulates WinMonFS driver

rootkit evasion
Description | Indicator | Process | Target
File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description | Indicator | Process | Target
File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A
File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A
N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe | N/A
N/A | N/A | C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\system32\rundll32.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Windows\System32\Conhost.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Conhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\sc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2676 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe
PID 2676 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe
PID 2676 wrote to memory of 1000 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1000 wrote to memory of 3828 N/A C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2676 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe
PID 2676 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe
PID 2676 wrote to memory of 904 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe
PID 3728 wrote to memory of 4684 N/A C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe C:\Windows\explorer.exe
PID 3728 wrote to memory of 4684 N/A C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe C:\Windows\explorer.exe
PID 3728 wrote to memory of 4684 N/A C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe C:\Windows\explorer.exe
PID 3728 wrote to memory of 4684 N/A C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe C:\Windows\explorer.exe
PID 3728 wrote to memory of 4684 N/A C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe C:\Windows\explorer.exe
PID 2676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 3316 wrote to memory of 4016 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 4016 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 4016 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3932 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3932 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3932 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3136 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3136 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 3136 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2676 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe
PID 2676 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe
PID 2676 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3316 wrote to memory of 1276 N/A C:\Windows\System32\Conhost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2232 wrote to memory of 452 N/A C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2676 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 4384 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\System32\Conhost.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 2676 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe C:\Windows\SysWOW64\rundll32.exe
PID 1736 wrote to memory of 4284 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 1736 wrote to memory of 4284 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\rundll32.exe
PID 4284 wrote to memory of 3944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 4284 wrote to memory of 3944 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\netsh.exe
PID 904 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe

C:\Users\Admin\AppData\Local\Temp\1000080001\art22.exe

"C:\Users\Admin\AppData\Local\Temp\1000080001\art22.exe"

C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe

"C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "XGRXZRAP"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe

"C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

"C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

"C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "XGRXZRAP"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 452 -ip 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1200

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

"C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3764 -ip 3764

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

"C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 352

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

"C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3892 -ip 3892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1972

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Windows\SYSTEM32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

Network


Files


memory/1276-183-0x0000000000400000-0x0000000000442000-memory.dmp

memory/3828-174-0x0000000073270000-0x0000000073A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe

MD5 db9367def7beca9b6493b2e0d56f3cfd
SHA1 fd0c02ca2d747561daed2cf1ed615eb662044390
SHA256 1ae235521e002f3a54f94d9fd56020ea2074d23fb7ae4df94b07d5e3feb3980c
SHA512 dfaa4968b4bb7865d0d397dffd02338bc550a5c2946b4590f2f53d040ef348325a1c09dc65ba477e47395a355d4c4c9543c5d5703e3e7936478479bc69d4a40d

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 fb7578b217b2831015280724840a1bef
SHA1 f6dd760c3f34f4becc79778050bdd77629e53f0e
SHA256 10e74036768e0e33d30430bfbf6aaa4f2ac2e01c720edf61c2c4f6113b8e5695
SHA512 4abb1957ee045f9035fe54cb79fb0170ae2518241dd49bd904d54f6ce7030faaa7510110e78d52b1cafa330e9458349e46005c72df22c57b376b5ee3fcecd82d

memory/452-210-0x0000000000400000-0x000000000048A000-memory.dmp

C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe

MD5 855bb66fc5395e229288b2ab1c90f7c3
SHA1 b21459bcbbce4a7a9a2478d1ac82e9f57bf2cc17
SHA256 5053ae9ed7851b6c9b2ffb6e8c44ad0904e5ba4fced2e5ffdf3c5a0656f83f87
SHA512 542210ddd46096f662d09f56f35ed4695b76cc4bdc218e02a21ad7aa16693f08fd5fe9a95fe4c161d0f7d4f6ba291ba26a3b5390c3c56f2c6f4ae734a76c6d58

memory/452-220-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 50fceb04fb57426fdd89bda52d43f733
SHA1 5e24e31b3798ede5697ae252bb4613d7bf39ade2
SHA256 a9d5b6cb20769293b36bd98619d2fd37b0a031ed795a0b73819fc94e84613888
SHA512 5cd7b304d3e7f72ba6b75ea9d27f3f1de3f6cb1644a37e5f92742e71c59ad2ee5fe16fb122769a1a0689072587c6b674f597375aa53c4db151128635b0737004

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a21ba51320e246460cd10fd9d940ca1f
SHA1 253437834f3537debd72664218c2bb077f07b3a8
SHA256 85f872e7dc95829e4fb98c1932b1f704124ab476278e2c665978859236209a98
SHA512 02cc643f962517da3694e2e523eb7a552b18fcad9865cafa64ac6de6af55cf14cacc75d35caca5539a0405a4ca23cde662c56fa990e5b7adf096355a788025bb

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 cea169467e285e4e2d8bc053eaa69c10
SHA1 4cb0eb4d02276979171aef612afca64e5b92cca3
SHA256 871b13fbe79283d71de75cbc7b75f3b63ace52160693d8341b9c7e323f734a0b
SHA512 ce4fcca38f0adcd15de50e578e35b30aa8e0471c6a7ebbbdd422eb7b6fd17ba0e5f0d3b2370fd8860c0a1008f44c3f135e950456d72571113f68e7db8e606f86

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 8df594ea6e3eacb1be511da3f2e2a193
SHA1 5746875039a228d24ca461bb65845c9c45ab6630
SHA256 d86fee76477d96c2378261b5b04d4af266cd044684a1407aae4da14618194889
SHA512 8a5c4f14505e9c3b5e0f31d61553c06a322c5ec169155ae5c24a4322bda21a36e5140b66e383df806933b8cb86b46543e842a4f36a3b00beea6ab7fcb4a43c52

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 dca5ecd574ddbf9eaf6de8d570189256
SHA1 4e1c0141601f6f6611fc57a3005178b95a8a1063
SHA256 f14c15127cce5a913ccea14f8946243cc7c7548d65f682a303c2f2b6528ec818
SHA512 16211f4e6f5a95a81cf3259fca6bc69aae11fef4fcb8b2a9881c3d8cf4185b34d8bd80fef403e0a508e6710e9c8ed87821384384266f4f2584cffc72fd6f4f74

C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe

MD5 9f89f9ff34d01607501c8690790ef478
SHA1 82d289c272094edaa3352be2af7197abf6dc2f8e
SHA256 e3019dd25be7098f4d97ef7cc7cf8c96bcac0ea4fa30e8fabafafc46803428d5
SHA512 0d53ee8e46e3f80aa79bc4b4214dd239c8ef4ff1140aaaf44f42963b6fd63cb6fd88933331008a3e9fdb86ee6dbe63fc0eb46a9c40fd2f619f1a5f0877b581fb

memory/904-110-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/4684-250-0x0000000140000000-0x0000000140848000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/4684-259-0x0000000140000000-0x0000000140848000-memory.dmp

memory/904-109-0x0000000004B70000-0x0000000004B80000-memory.dmp

memory/904-108-0x0000000004B70000-0x0000000004B80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

MD5 793e4498448b43015e94b32dc3da292d
SHA1 ab267772a569e24d518c40f4ca0c1b3c28383f20
SHA256 45f97557ec21f0f4b616635c68f06bb459851d431ebb215f0b46baaa3bf4969e
SHA512 30d50e033582de97cf0b0b44ef547cc8510cd2e5fd2a0cd68864d3ca9be5e28ec3c25dafe8c0a5dea107821364059f315624cbaf2c66369863913b8533f2242c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ndrsc402.nna.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

MD5 cef5748284e3654eae91287d62c2c635
SHA1 ee942cd601ebb48dcdb0b86a05bb811a38fac049
SHA256 6f7bba879ef54609edb51b8fec31cc204b79b4bdba06eaf8d3d774c7a977462e
SHA512 f768160c2a7aa434a605b8ff616585f89fd55e67f484e70c3ad7c4e13d483c3baaa1b48909a5a92c56616dc15414f63db7c09368b02cb3f675cf6906239ce269

C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe

MD5 8cd775b166a22cfbafacc5eeadc7e220
SHA1 417e4c0f11f121dcefb2fe93aa972cdc825370d9
SHA256 7b16c15f7e176be4faacac1d8c43998957e030cd8684981b59104510be8cd736
SHA512 e5acefd74d81c7b0e8f30e8cdbf712055222a12692cf3503c1be2d77ad6b762c3449db0cff44a7456959fbd530b7a8213431844e5a0507ec3cf71d4ecbfd8fb8

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

MD5 293f7fa2419acac9e16a8e262bae004b
SHA1 e76249a321c8dbef1dc3740b12e206a481eea9e8
SHA256 5569085a4dcbe206cc77cc20bec413379fb245975b82bfaa1a93a3d19bbf6e33
SHA512 c55fa10f2648e0411d2577679788aca1da35e35863175fbc14e1eab7455e9e5a18e8b9b43b9547165a760e48b300c89d38d9250bc72bd800c7a0f95e220e8de7

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

MD5 627c6b6a022a64d6565ec2293cebd1a5
SHA1 c69f99f99e9979d1c397b659f02f6ab97d007aa5
SHA256 9527a7906d74b8c249e0c8b29787d54c9460cd703c64f54686f1e495a2f28fed
SHA512 61acc68159579c09c267e9548f5298f73cce128b528b873549451969b1b4c01cc1a413c89176dc7c115f9779d4585d2a758035ae7390bb8d7dea4c8673a79c0b

C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe

MD5 8de05266de7fefbe0cd0840683df2e3e
SHA1 5b6531e76c0096904c7405b13d89652074d33a05
SHA256 d5032303db15ba7e032126fdc1340e459ee19aa1c6d5e45176c4e084fca107c5
SHA512 fd16a38410583129d2f1a9b8617df775d7ecf5f0262699cc6bac07747b0431d3393ff99e3738958619e2162bb4d184199db58f9776ddb0bc201ae26584dfa157

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 6bbb9b65b3eecb67a24cd8b239d25e8f
SHA1 e1aebf9de1909c7aef45e595279d14fa74942e2e
SHA256 c3f5251cff499c940041633d9b0b4dcc04511dd9181b919172410f2e048416a8
SHA512 ef8935867c66548f278ddcee5be93ff20d2d9445df18bca10e88e8a44a4a54c9cd9fbc8a2a5f94a3d3be20d9bd442c12d28dfe5f1ae059fd57308975a4fcff0d

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 b177874f2d00907b185257d91718050a
SHA1 d891cb44821ff719bab6f67356c219ed65ae9615
SHA256 0a4f47a924a7e2b17a007f680b62f4a3108d5f6d5b9a4c4a98d9d9f3f8297b54
SHA512 17baa213253f1c3016b19974a900e423b3e4b4ab618b587d476df8bfaa21cae97bf6f2b61f2ecb30b3bcb741a51d585197f48adf2dd08516e7620cf37c2bb32c

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 dd370fda334d182b97aa6012453c8d97
SHA1 76f353516472459703c186471706973d0a73983b
SHA256 b7d33bffec01c8b89699528bfa995fcb882a8a46afb7c5985f2d3d7c5e4ffe23
SHA512 7f3d832a44c19e053f6b8bef6b474df25ab7c8c042888d247412683bde016193da554ed878ce7321d1df53cad6ef5757bde8848308e6b239a6bb886e57df3adb

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 1faab612c8b1b9f9c5df7c5e884afd8c
SHA1 cc8e749b63dcbd737e3bbc0adc571d8c933d6cbd
SHA256 e7b0a75a21908c205e747435eaae87f10ff2167d18e8b1ea7603e66d7591214f
SHA512 03b9c8dc0d0e3c9d73a1270a7b49995cfe8127686befec49ba017cc20191ba8f98b4e06ccc3830c8530a0872e0fc407c0356fc13855a9d9d19a0cf91a070768a

memory/2676-342-0x0000000000F40000-0x00000000013F5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 49e59c0f80b2514f7fbc68fa4b316b93
SHA1 866dd04c72bb0110cc428603684a07b690dd6ac5
SHA256 d5862273216a0ed3dd0bcd5afac18e2b591a61e13ffbe2d11f84316c66124e0a
SHA512 26410bdf926d2c06fe6c2252c8927f67748a61d39317a54e6b9158a8c67b937b88913f86d3cbd3ea42e5effc4f1a299395262be8c7281cc3595b6baa4c465f62

C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe

MD5 b9f94f59d553a3454cc6b8a13e9b6e74
SHA1 8d26544405ae1a0c4386e2af6215b9ab19f2ea09
SHA256 7dd18188fd3329bfda07a718b1deb07723c7348bce86ba6f58f6761c741b91c1
SHA512 d7dd634d3cf57ea74c37e30f0c8a2b3437bd3c759e51dd3825b26d5bd480a4d8f499bafc78ebeedafddebbcba2e1c9208e67b4c27d02ac95b63f15aada258be8

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 8c20d9745afb54a1b59131314c15d61c
SHA1 1975f997e2db1e487c1caf570263a6a3ba135958
SHA256 a613b6598e0d4c2e52e6ff91538aca8d92c66ef7c13a9baadcba0039570a69d1
SHA512 580021850dfc90647854dd9f8124418abffbe261e3d7f2e1d355dd3a40f31be24f1b9df77ad52f7fa63503a5ee857e270c156e5575e3a32387335018296128d7

C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe

MD5 c7251d23b61aa72e1780136b2691a34a
SHA1 e536e51118abd80e481c4bed08781fcd796ee87a
SHA256 9d3293bd9072c437d0e051b110ae3b6e80ec5c95339739630ded3d7ebcc77d2d
SHA512 d2be7bbf7150c1434e435fdac9a993bae62c9a068887bc83393c9a8e211900a339832e5f072c184c937c47eddc9d5c748d3bcf9bca972aa3537378f4c0b62307

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 5c1667a67e6d45b0b1b6d831f02be9fa
SHA1 6f972485db42aec8fbf4d1715cadac77225dbfd3
SHA256 e60bb8b68d519692fb71fe15db661044c04a91a0d389e18dbd7a8633079cd5db
SHA512 141982c249fe058a1da4310b11823e8391554660e118e48ebf4a519cd9eb09047a3dc953b7f89a6051f002af775be7c6a79683e5c7fce3ddec3095f262bb0be8

C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe

MD5 1ada6330f25a1005a42fbef99c821be3
SHA1 85b14e49fa65e65dd55c69f4d89249428ae0134a
SHA256 7a493670cde45d2d67f12d8296b6a3fea065b92fb4bf1ac9389f5878e39e67db
SHA512 2db3a8abd420dd89d752ca8f523c4bab889a5c7038eb94810303c897976a3c2ff7b57544b335dced561854976b40e588ac78574c34326edd2c26286d7b77ece3

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 b701a7f5501f3111cbabb8c0842735b5
SHA1 7de95370b3d73928beed3ece49dac340af18e48b
SHA256 5b643d8d3743b866762e85edb62e45e8a4e19fea5850136df2a4609663e4dad5
SHA512 fbc8ecf885bf5d3ddfb4a623f691fe05e44755506356f2d62de44accd38e3f9ad69bf867fe591cafcdd065448080924ecda1238edc7cf75706c7b6cef361844d

memory/3552-377-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-379-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-384-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-388-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-391-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 2afdbe3b99a4736083066a13e4b5d11a
SHA1 4d4856cf02b3123ac16e63d4a448cdbcb1633546
SHA256 8d31b39170909595b518b1a03e9ec950540fabd545ed14817cac5c84b91599ee
SHA512 d89b3c46854153e60e3fa825b394344eee33936d7dbf186af9d95c9adae54428609e3bf21a18d38fce3d96f3e0b8e4e0ed25cb5004fbe288de3aef3a85b1d93f

memory/3552-403-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e74d9616c987f3918936baae57016abd
SHA1 c2af0eb0e717d1202428f0567e7cac4a9b7d2f97
SHA256 c3de806165bcd8a9579600c1816cbeb93d2d4cf9306f740e35902d126d2deebe
SHA512 4a650724784bc2983940d32868407caf4c652b0b73bf22cbfe08419e017bdb0cace7aa3adf640043778b83ccd861606c3d762bd5ae23b088315a14e57d2ef2b1

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 fba368acbf6c15da569074f96b5f6eda
SHA1 35bc70758de207ba8a0f360ed5924bafd5b3bbac
SHA256 65790847d47b930fe4378a0f0f8e4daa44accf66cfc192d6dc643d64afa93084
SHA512 4061e4b3757a2fb886915a9369c4591029c05e2a174292687268f26849b31fc4e0d1e94a9dbb3588db65b237cfca1f27de54776bc0464700d968aef21932e924

memory/3552-406-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-423-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-428-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-431-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-435-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-419-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-440-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

MD5 ba5a6161d6bf5d1745cd479540a0aea3
SHA1 89cf5f37f8d0de6bcba1731cd06127e3f78fa178
SHA256 052aa0e272ce3b1a707f94a95f0d55edd02a5451a537fea6328c43fa2fe8a2d6
SHA512 9fe0c44db48e2acfc4560669b35ecd1dbb19401d5639c1f2e27e88d2c84f92263c35618c36e18c2792da14f1ce0d7276db24eb4ce9bc77dc8f4405d6e707c7da

memory/3552-444-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-448-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

MD5 6917496041b85f57ce7f60f4e5c660df
SHA1 6f80dc6ae5b1515a706e6f766a5c5f49c1477312
SHA256 885f2f0009fd837f4eb050188e2fdf1f27686710a97efbd11d5d980fe79a589d
SHA512 eb288ba3d1771c8fa30e032aebcd6bbcde3e5b8dbd486eb0ef398a11fe9835a2c222cc161a9f5ee290341f1882f31387face32e365584cfc95aca5ec59267d15

memory/3552-451-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-454-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe

MD5 4e31cf39ac1d534a161f157ea359e5e2
SHA1 010b8071262fe9b2a27411b179dbb804cbfe5e8b
SHA256 c9fcde810267a442f79168775a69c4ddcfbc827d22769429dca5ccd55f952665
SHA512 b2c395a685fde6200fed8622dee7a8fadb0b7aee2b299bcdfeae1ccafb4712240de8a4eee4cd2d3d9e22fd19505be576fe1aabaf967e15b3d732a4220c2082bc

memory/3552-456-0x0000000005760000-0x0000000005905000-memory.dmp

memory/3552-461-0x0000000005760000-0x0000000005905000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

MD5 e6b2a010c75562654b476f3d4a61559d
SHA1 4d4ca4f9bbace0cf60945bcb42158ae1b6775bf1
SHA256 c45bdf620fd754778383aecccafc9f0b896d2efa04586edfc1b1ff2ab68fe30a
SHA512 663339000fec0c245047ab79d010459ddc0f4a5262c6805328a041953f5d992bc75c68641ac9e6b4b5001c4c97f5630b0198fcf472959152a16bd751648ef0e1

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

MD5 c60d59f0334d9f7befecdab7acb965c2
SHA1 8b735d9c4e34a2dfa1d206b58e241b269ac8f925
SHA256 2d6b949a86badaa3451bc63cfc67f1291437b8495b75df3991a8d6621b9a23b4
SHA512 a0ad2d23283fcb2965ad2a43c377e95091e97f4124ae3dc9a18cd1dc14b250ded7693e0b722ce395a2669df724b95b5800922ad7dcaf02986f2eec0ff6cef78e

memory/2692-477-0x0000000000400000-0x0000000000592000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe

MD5 a3f1c1f05197948141167056fa863860
SHA1 f0c6e0bce0a1644f52fc7cf53159f678ebce9af5
SHA256 302b3605a8036aeea305ed5be3976df6b8ab50dc614144f75b7fd70df4ee31fd
SHA512 2139c17fb4c12b4dd8b8237d7e3f128cbd8f6b76017065e8ba9bb417ba76d1882dc45fddf9567d724ef6edc0c6b32d484502dd130536a0023a3a1ff7fde5a28d

memory/5000-474-0x0000000000400000-0x0000000000478000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5 1305705ab4eb7a8ff5a73874670d91f4
SHA1 a118cf0ba2d4ac47473b9140c0aa7745efc6aac7
SHA256 d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b
SHA512 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 4a753e2dfc1b5fe1c65cd7efc0a2be85
SHA1 9ebea4e0a486018e3f3b23aabe8f9ad9083f730a
SHA256 0b75ce0d0bfc58269d7ef7b1839c9f478c550836867be83f8a5d4da54927736a
SHA512 53985ecf9038beaa276f51149c77dfdfda42db516674dc7b28f18976d04a0c7f1bd3caa2bbb7a7c21f66b4099ce3f8867daf7466ff2f21bb0a116b293e93f4f1

memory/3892-509-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 e9e2496f2422c810b145e723f57716a5
SHA1 e4f4e20323127b5123e0b2c6027dd08579dccc90
SHA256 4a36b438f67995e9e46876e10f2f6484dc396315362ddf37407c6d5705ec1532
SHA512 01bea6a7a352c90e037122f579450b9b3596f3f83a8fc7b1eca4316e13c1c9c26aa4995f074b935fd27dcef7679c2acabca549e8679d3c8a485287fe8c37c606

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 99424f7da3fc2e5571a2852c10c33728
SHA1 7d492767e49c138945d960666a9d6d5301f2d39f
SHA256 df468279842175652eb336b6858243208b01d8308b211e12cfa6aa1fff50dbf1
SHA512 afbefe4959897122b5103814b51b54194b44a7e080bf1efcd59295c5b76a4d0981523569b7ef15a71cb17d7bff9d8970f658fda741087d47f0bf7471ac606ff2

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 ad6cd54be37a4a7aad0536a9383daeea
SHA1 941f83c17c90d4c365bb438989e0248059721ae1
SHA256 4384a3f45e0845897a9b73d430fcf4484f7717497f36ab104bcb37d116e9be4f
SHA512 de58794792532a677b4cadea0dcf2ac16794118612ae33f9de4aff188ad3a401578d4ca415fec674f6b905fc9d9bf08679a71d5aa96c224c12caaf9f183a9ba6

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 10d3d5e2a86663da2847513dce9c3dbf
SHA1 f6781ac1326f569900ba4af7cd440a1ff3981fd1
SHA256 b4414b6c2e72b7e797980a6b59a26af8a17304c5684553e7498a33073ae36cce
SHA512 1f55ed96bfc2bb7e6efc2d097847e4d352e9338b00d410f6502b548ce5ff785ce794c40cd200ca84f4d6de510ce104352ccf29e9d53f06f33ea7fa3d86ce6ea6

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 a60bba45b88638157e7588ff3df44dba
SHA1 25443b5e043743d084b7994b029ec8991360d77f
SHA256 9d4a371585f58fcb99acdb81f68dbfcd25b24696c68f70dc59b179292ae86962
SHA512 ec1132c4978c873a92ac2dfb1b08389d8a95991ddc523c712d9a01cc62d294dd9b7ed4ff1db8f1aff07b1ef83e54b571289cb31ae2f4b7be3948fc0d6d21a6d6

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\ProgramData\mozglue.dll

MD5 260fedb490811b2298902e15b6706790
SHA1 8faeae4d83c5e8fe171ef5f4808bbcb38c3caeaa
SHA256 8f604799a7e69c721d630926145e4a71127e7171b24c6f80c5101a7f382a163d
SHA512 49cace4f0836d8a28bf8161fd20824feab6243c229e31969051c5db843e1ce97aa51e01e16f0e2c6eb0648f5585707794c60bc8874606c01a621013a60a74aa4

C:\ProgramData\mozglue.dll

MD5 62d20cbe49274db455f0f08878834f3f
SHA1 4965c0e50d29031852476420e8498efdf04193d0
SHA256 18a4034d2410436c04b5e960ebe9dfb16c6278864d7aed4c6b19c885d14e9397
SHA512 1edc2f63eeddcd008d083b8622cb585bf2bc2e6ea988956ce22091390e035e97774ed2080ed0052bef6f9fef7980061b2de63359ff58e2ae1e44074026bd446e

C:\ProgramData\nss3.dll

MD5 1ba9ebd610f47104bbfa25d479e6ef99
SHA1 09dea6cf7d3b0de0df3e3650bc08520a417fc34e
SHA256 3e9cd9a267091b02efd370c3168fb72e94c9f36b3dfc5d85ae95f1287183ee11
SHA512 69ac7f34ab0967461b695cc5b09f97d7b26c369b1d48db2a7b120c085d8283186634ab9da73ca2a0a6f77008978cfff70495470683673ae131f856e14d2a9a36

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe

MD5 99bcd121f1a69f95b54054658ea0c385
SHA1 f59ddd8f0e45e7391202ee916c7fa8f110d824f2
SHA256 1eb111b9af0547f42fbefafd4f7b9b2e5397cb840c69fbb88066c521a6d9761b
SHA512 b07bbe22b3bba39acd55f0b7613228fe05da0fe48315285972d71a699c7e8cf1fff1ccef0e0ada2273f084e39485b6fdfb51acb941ed7eaf72fd6e2d7b38631e

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 3d086a433708053f9bf9523e1d87a4e8
SHA1 b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA256 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 07d67bebb189f40ffed616fb48646b27
SHA1 ff536dc7859f40de613827a419f29c47d21d0f71
SHA256 1a821f2542099656dfbf9b81631621f0f884ea37833a1eeb390e5a5f133de69b
SHA512 6302ad34b659a9ea6aa3c05ced4ae6734803acc38beb2d16f3826461dec49a27d0be8dde77713e7f26917881fbbc9ef99affe7762c1e750c588822a4f5c125fa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 63976a44bc9e49ce0f0d7c596144e57d
SHA1 cb7d80b0e57e6c00aaa7488edeb5c7e9e1160e99
SHA256 98626ad2c871ab19d246f1824ec0f0e3761e359c10a7de8c739294711ac82eb2
SHA512 f49c8fdccc4203c2a638f14ab07c31067cea986147e18f327d09d29a3bafcbdc08b8956072ff72f6f6ee3e9d0b1fd20951a2fa4842ee676b5d1bbbfa6f0fc1aa

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 c4f25cb3490e39994d388911cffc36b3
SHA1 db5d3d7c19ceddf2f5da5e55430ad1d528c75946
SHA256 5ee735c4f92a634e8fbc52f418b4e09b90331abc4063d53b791b400f39680421
SHA512 c7019b419ec026f33b010e28fca5773f2b64c855491aec260bc76223590a698594b37b86cc81de666ea0716d6a3d810f4ab924f30f6e52dcce4e0461f4e54450

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 1d7aea1e3f0cb09c1cbcc4e3e1335134
SHA1 284e08856b27a574f2ebf37689b2fe7871b9dcc3
SHA256 1e55e31a07e9e762a53291518dc4cc609046193b14e2a62f39d238168e844c91
SHA512 6ada17a9259036371f53742e2ade4234c4e5eb0fe8473d8d79e3251da311ad5f826bd2211a04c28d84bc2ecd6b12ccd36361a5566c3dd483a6af5ca7304ce18d

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

MD5 048df2538cbe9339aab9070dbfb86690
SHA1 5412f6830da92613670ed1b775733452f6feef26
SHA256 01b0a676a6fa719840ee73a5dd4505f8e818ef5c04a1d3eb15fb531e3e879a72
SHA512 165dde730074474544bd0e18467f260949d4cfb5d699424a22d5ac2ccfee2f8c3ecd9c6aa6c3c989579dd8ec33bbcab24760ca0e19a7ef15566d5908789c1d5c

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 e279f4a75e7e0207e6a717bfd6782ca1
SHA1 fa2389c3c37968da850a08ca19c73b541aa2fb1b
SHA256 f11c3b3953e4d53170c67f25c2bedf307e990e01ea1a9a1eafeea4d4c5814cf5
SHA512 e85e5344dc5c1e9c103e9d045cbd0f0b1f91ae3d967f3c92fcd86c53535d4be68a54152befc634efd506087f70b73f42d11c2d7d24d9b2940f3f65d52a52f439

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 fe606b8e0b185bf7a862e12c12e0c937
SHA1 09dded3e8fb620abd5df7288cb312ae1d5e85e81
SHA256 44445dfa216c0003e19a2b69d16625b0f8915f7fe8b4c930dc63a6360fb94749
SHA512 6225d0f2a64f49c11aa2283a02e8a8effcc1f8a5d854f960d288992dfe9996047291e0012392738064f0677290e63f7e73ad10d84078c76ce188bf001fb79130

C:\Windows\windefender.exe

MD5 8e67f58837092385dcf01e8a2b4f5783
SHA1 012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA512 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec