Analysis Overview
SHA256
e74d2e8450efee54296b28688ffba16e493410ab9e1be68aea289a066b12b40a
Threat Level: Known bad
The file SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe was found to be: Known bad.
Malicious Activity Summary
RedLine
ZGRat
RedLine payload
Glupteba
Detect ZGRat V1
Amadey
xmrig
XMRig Miner payload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Creates new service(s)
Downloads MZ/PE file
Stops running service(s)
Modifies Windows Firewall
Blocklisted process makes network request
Reads data files stored by FTP clients
.NET Reactor protector
Drops startup file
UPX packed file
Loads dropped DLL
Reads local data of messenger clients
Checks computer location settings
Identifies Wine through registry keys
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Checks installed software on the system
Manipulates WinMonFS driver
Adds Run key to start application
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Unsigned PE
Program crash
Enumerates physical storage devices
Uses Task Scheduler COM API
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-06 15:26
Signatures
Unsigned PE
1 hit recorded; description, indicator, process and target are all N/A
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-06 15:26
Reported
2024-02-06 15:31
Platform
win7-20231129-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Amadey
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"
Network
Files
memory/2244-0-0x00000000003A0000-0x0000000000855000-memory.dmp
memory/2244-1-0x0000000077890000-0x0000000077892000-memory.dmp
memory/2244-2-0x00000000003A0000-0x0000000000855000-memory.dmp
memory/2244-3-0x0000000000A50000-0x0000000000A52000-memory.dmp
memory/2244-4-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/2244-5-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/2244-6-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/2244-7-0x0000000000860000-0x0000000000861000-memory.dmp
memory/2244-8-0x0000000000960000-0x0000000000961000-memory.dmp
memory/2244-9-0x0000000000990000-0x0000000000991000-memory.dmp
memory/2244-10-0x0000000000A40000-0x0000000000A41000-memory.dmp
memory/2244-11-0x00000000023C0000-0x00000000023C1000-memory.dmp
memory/2244-12-0x0000000000950000-0x0000000000951000-memory.dmp
memory/2244-13-0x0000000000970000-0x0000000000971000-memory.dmp
memory/2244-15-0x0000000000980000-0x0000000000981000-memory.dmp
memory/2244-16-0x00000000023E0000-0x00000000023E1000-memory.dmp
memory/2244-17-0x0000000000870000-0x0000000000871000-memory.dmp
memory/2244-18-0x0000000002480000-0x0000000002481000-memory.dmp
memory/2244-22-0x00000000003A0000-0x0000000000855000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-06 15:26
Reported
2024-02-06 15:31
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Amadey
Detect ZGRat V1
4 hits recorded; description, indicator, process and target are all N/A
Glupteba
RedLine
RedLine payload
12 hits recorded; description, indicator, process and target are all N/A
ZGRat
xmrig
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
XMRig Miner payload
9 hits recorded; description, indicator, process and target are all N/A
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Creates new service(s)
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Stops running service(s)
.NET Reactor protector
24 hits recorded; description, indicator, process and target are all N/A
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
Reads data files stored by FTP clients
Reads local data of messenger clients
Reads user/profile data of web browsers
UPX packed file
15 hits recorded; description, indicator, process and target are all N/A
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks installed software on the system
Manipulates WinMonFS driver
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1000 set thread context of 3828 | N/A | C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3728 set thread context of 4684 | N/A | C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe | C:\Windows\explorer.exe |
| PID 3316 set thread context of 1276 | N/A | C:\Windows\System32\Conhost.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 2232 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3552 set thread context of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\explorgu.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe | N/A |
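The registry and file probes recorded in the tables above (the ACPI DSDT\VBOX__ key, the SystemBiosVersion and VideoBiosVersion strings, the Software\Wine key, the \??\VBoxMiniRdrDN device, the Enum\SCSI enumeration and ProcessorNameString) are the environment checks that loaders and packers run before deciding whether to unpack. The script below is an added example and not part of the sandbox report: it takes rows of the same shape as those tables and ranks each process by the breadth of fingerprinting it performed, so the analyst can see at a glance that explorgu.exe is the most evasive component of the chain. The rows are a subset copied from the tables above; the label names, the weights and the ranking itself are assumptions of mine, not something the sandbox computes.

```python
"""Rank the dropped executables by the VM/sandbox fingerprinting they perform.

Added example, not part of the sandbox report. ROWS is copied from the
registry/file access tables in the report (a subset, enough to cover each
check); the label names, weights and ranking are my own assumptions about
how an analyst would prioritise the evasive components of this chain.
"""
import re
from collections import defaultdict

# (operation, indicator, process) rows taken from the behavioral2 signatures
ROWS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__",
     r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion",
     r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Wine",
     r"C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"),
    ("File opened (read-only)", r"\??\VBoxMiniRdrDN",
     r"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"),
    ("Key enumerated", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI",
     r"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"),
    ("Key value queried",
     r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString",
     r"C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe"),
    # control row: a locale lookup is not an environment check and must not score
    ("Key value queried",
     r"\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation",
     r"C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe"),
]

# (pattern over the indicator path, label, weight). Reads that name a specific
# hypervisor are weighted above generic hardware reads, which benign installers
# and licensing code also perform. Weights are an assumption of this example.
FINGERPRINTS = [
    (re.compile(r"\\ACPI\\DSDT\\VBOX__$", re.I), "acpi-vbox", 3),
    (re.compile(r"\\\?\?\\VBoxMiniRdrDN$", re.I), "vbox-device", 3),
    (re.compile(r"\\Software\\Wine$", re.I), "wine-key", 2),
    (re.compile(r"\\System\\(System|Video)BiosVersion$", re.I), "bios-string", 1),
    (re.compile(r"\\Enum\\SCSI$", re.I), "scsi-enum", 1),
    (re.compile(r"\\CentralProcessor\\0\\ProcessorNameString$", re.I), "cpu-name", 1),
]


def classify(indicator):
    """Return (label, weight) for a fingerprinting indicator, else None."""
    for pattern, label, weight in FINGERPRINTS:
        if pattern.search(indicator):
            return label, weight
    return None


def score_processes(rows):
    """Per process: the distinct checks seen and their summed weight.

    A check repeated by the same process (both BIOS strings, say) counts once,
    so the score reflects breadth of fingerprinting rather than event volume.
    """
    seen = defaultdict(dict)  # process -> {label: weight}
    for _operation, indicator, process in rows:
        hit = classify(indicator)
        if hit is not None:
            label, weight = hit
            seen[process][label] = weight
    return {proc: {"labels": sorted(found), "score": sum(found.values())}
            for proc, found in seen.items()}


def rank(rows):
    """(process, info) pairs, most evasive first, ties broken by path."""
    return sorted(score_processes(rows).items(),
                  key=lambda item: (-item[1]["score"], item[0]))


if __name__ == "__main__":
    for process, info in rank(ROWS):
        name = process.rsplit("\\", 1)[-1]
        print(f"{info['score']:2d}  {name:<50} {', '.join(info['labels'])}")
```

To run this over a real detonation, feed it the same (operation, indicator, process) triples from the sandbox's registry and file event export; the scoring deliberately ignores the operation column, since an open, a query and an enumeration of the same key all reveal the same intent.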
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-911 = "Mauritius Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-261 = "GMT Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1871 = "Russia TZ 7 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1661 = "Bahia Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2002 = "Cabo Verde Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-91 = "Pacific SA Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-215 = "Pacific Standard Time (Mexico)" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-792 = "SA Western Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-592 = "Malay Peninsula Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-3051 = "Qyzylorda Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2941 = "Sao Tome Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-435 = "Georgian Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2771 = "Omsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1892 = "Russia TZ 3 Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-682 = "E. Australia Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-682 = "E. Australia Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-352 = "FLE Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-791 = "SA Western Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1932 = "Russia TZ 11 Standard Time" | C:\Windows\windefender.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11523.32087.exe"
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
C:\Users\Admin\AppData\Local\Temp\1000080001\art22.exe
"C:\Users\Admin\AppData\Local\Temp\1000080001\art22.exe"
C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe
"C:\Users\Admin\AppData\Local\Temp\1000081001\Goldprime.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe
"C:\Users\Admin\AppData\Local\Temp\1000082001\leg221.exe"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "XGRXZRAP"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "XGRXZRAP" binpath= "C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe" start= "auto"
C:\Windows\explorer.exe
explorer.exe
C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe
"C:\Users\Admin\AppData\Local\Temp\1000083001\daissss.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe
"C:\Users\Admin\AppData\Local\Temp\1000084001\mrk1234.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe
"C:\Users\Admin\AppData\Local\Temp\1000085001\RDX.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
C:\ProgramData\wdkmvkocxuib\smazgcisoglo.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "XGRXZRAP"
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Compress-Archive -Path 'C:\Users\Admin\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\Admin\AppData\Local\Temp\803511929133_Desktop.zip' -CompressionLevel Optimal
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 452 -ip 452
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 1200
C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe
"C:\Users\Admin\AppData\Local\Temp\1000086001\dayroc.exe"
C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup_nine.exe"
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Users\Admin\AppData\Local\Temp\rty25.exe
"C:\Users\Admin\AppData\Local\Temp\rty25.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"
C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe
"C:\Users\Admin\AppData\Local\Temp\1000087001\alex.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3764 -ip 3764
C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe
"C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 352
C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe
"C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"
C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 3
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 3892 -ip 3892
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 1972
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
"C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
Network
Files
memory/3552-435-0x0000000005760000-0x0000000005905000-memory.dmp
memory/3552-419-0x0000000005760000-0x0000000005905000-memory.dmp
memory/3552-440-0x0000000005760000-0x0000000005905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe
| MD5 | ba5a6161d6bf5d1745cd479540a0aea3 |
| SHA1 | 89cf5f37f8d0de6bcba1731cd06127e3f78fa178 |
| SHA256 | 052aa0e272ce3b1a707f94a95f0d55edd02a5451a537fea6328c43fa2fe8a2d6 |
| SHA512 | 9fe0c44db48e2acfc4560669b35ecd1dbb19401d5639c1f2e27e88d2c84f92263c35618c36e18c2792da14f1ce0d7276db24eb4ce9bc77dc8f4405d6e707c7da |
memory/3552-444-0x0000000005760000-0x0000000005905000-memory.dmp
memory/3552-448-0x0000000005760000-0x0000000005905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe
| MD5 | 6917496041b85f57ce7f60f4e5c660df |
| SHA1 | 6f80dc6ae5b1515a706e6f766a5c5f49c1477312 |
| SHA256 | 885f2f0009fd837f4eb050188e2fdf1f27686710a97efbd11d5d980fe79a589d |
| SHA512 | eb288ba3d1771c8fa30e032aebcd6bbcde3e5b8dbd486eb0ef398a11fe9835a2c222cc161a9f5ee290341f1882f31387face32e365584cfc95aca5ec59267d15 |
memory/3552-451-0x0000000005760000-0x0000000005905000-memory.dmp
memory/3552-454-0x0000000005760000-0x0000000005905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3uw.0.exe
| MD5 | 4e31cf39ac1d534a161f157ea359e5e2 |
| SHA1 | 010b8071262fe9b2a27411b179dbb804cbfe5e8b |
| SHA256 | c9fcde810267a442f79168775a69c4ddcfbc827d22769429dca5ccd55f952665 |
| SHA512 | b2c395a685fde6200fed8622dee7a8fadb0b7aee2b299bcdfeae1ccafb4712240de8a4eee4cd2d3d9e22fd19505be576fe1aabaf967e15b3d732a4220c2082bc |
memory/3552-456-0x0000000005760000-0x0000000005905000-memory.dmp
memory/3552-461-0x0000000005760000-0x0000000005905000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe
| MD5 | e6b2a010c75562654b476f3d4a61559d |
| SHA1 | 4d4ca4f9bbace0cf60945bcb42158ae1b6775bf1 |
| SHA256 | c45bdf620fd754778383aecccafc9f0b896d2efa04586edfc1b1ff2ab68fe30a |
| SHA512 | 663339000fec0c245047ab79d010459ddc0f4a5262c6805328a041953f5d992bc75c68641ac9e6b4b5001c4c97f5630b0198fcf472959152a16bd751648ef0e1 |
C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe
| MD5 | c60d59f0334d9f7befecdab7acb965c2 |
| SHA1 | 8b735d9c4e34a2dfa1d206b58e241b269ac8f925 |
| SHA256 | 2d6b949a86badaa3451bc63cfc67f1291437b8495b75df3991a8d6621b9a23b4 |
| SHA512 | a0ad2d23283fcb2965ad2a43c377e95091e97f4124ae3dc9a18cd1dc14b250ded7693e0b722ce395a2669df724b95b5800922ad7dcaf02986f2eec0ff6cef78e |
memory/2692-477-0x0000000000400000-0x0000000000592000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\u3uw.1.exe
| MD5 | a3f1c1f05197948141167056fa863860 |
| SHA1 | f0c6e0bce0a1644f52fc7cf53159f678ebce9af5 |
| SHA256 | 302b3605a8036aeea305ed5be3976df6b8ab50dc614144f75b7fd70df4ee31fd |
| SHA512 | 2139c17fb4c12b4dd8b8237d7e3f128cbd8f6b76017065e8ba9bb417ba76d1882dc45fddf9567d724ef6edc0c6b32d484502dd130536a0023a3a1ff7fde5a28d |
memory/5000-474-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log
| MD5 | 1305705ab4eb7a8ff5a73874670d91f4 |
| SHA1 | a118cf0ba2d4ac47473b9140c0aa7745efc6aac7 |
| SHA256 | d6af172e36aa43249144b77b3fb2dfe65f511baf3b2e7747851e47eaceb8f99b |
| SHA512 | 27ecc05e3c91ae669799ead19ef0d89397cd51f3221c1e35d30a8fe229b80a7efdc1e9b6c10bb544442c47a263c077cd912727b5a2388ad1f71af45a17ef4b64 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 4a753e2dfc1b5fe1c65cd7efc0a2be85 |
| SHA1 | 9ebea4e0a486018e3f3b23aabe8f9ad9083f730a |
| SHA256 | 0b75ce0d0bfc58269d7ef7b1839c9f478c550836867be83f8a5d4da54927736a |
| SHA512 | 53985ecf9038beaa276f51149c77dfdfda42db516674dc7b28f18976d04a0c7f1bd3caa2bbb7a7c21f66b4099ce3f8867daf7466ff2f21bb0a116b293e93f4f1 |
memory/3892-509-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | e9e2496f2422c810b145e723f57716a5 |
| SHA1 | e4f4e20323127b5123e0b2c6027dd08579dccc90 |
| SHA256 | 4a36b438f67995e9e46876e10f2f6484dc396315362ddf37407c6d5705ec1532 |
| SHA512 | 01bea6a7a352c90e037122f579450b9b3596f3f83a8fc7b1eca4316e13c1c9c26aa4995f074b935fd27dcef7679c2acabca549e8679d3c8a485287fe8c37c606 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | 99424f7da3fc2e5571a2852c10c33728 |
| SHA1 | 7d492767e49c138945d960666a9d6d5301f2d39f |
| SHA256 | df468279842175652eb336b6858243208b01d8308b211e12cfa6aa1fff50dbf1 |
| SHA512 | afbefe4959897122b5103814b51b54194b44a7e080bf1efcd59295c5b76a4d0981523569b7ef15a71cb17d7bff9d8970f658fda741087d47f0bf7471ac606ff2 |
C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe
| MD5 | ad6cd54be37a4a7aad0536a9383daeea |
| SHA1 | 941f83c17c90d4c365bb438989e0248059721ae1 |
| SHA256 | 4384a3f45e0845897a9b73d430fcf4484f7717497f36ab104bcb37d116e9be4f |
| SHA512 | de58794792532a677b4cadea0dcf2ac16794118612ae33f9de4aff188ad3a401578d4ca415fec674f6b905fc9d9bf08679a71d5aa96c224c12caaf9f183a9ba6 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | 10d3d5e2a86663da2847513dce9c3dbf |
| SHA1 | f6781ac1326f569900ba4af7cd440a1ff3981fd1 |
| SHA256 | b4414b6c2e72b7e797980a6b59a26af8a17304c5684553e7498a33073ae36cce |
| SHA512 | 1f55ed96bfc2bb7e6efc2d097847e4d352e9338b00d410f6502b548ce5ff785ce794c40cd200ca84f4d6de510ce104352ccf29e9d53f06f33ea7fa3d86ce6ea6 |
C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe
| MD5 | a60bba45b88638157e7588ff3df44dba |
| SHA1 | 25443b5e043743d084b7994b029ec8991360d77f |
| SHA256 | 9d4a371585f58fcb99acdb81f68dbfcd25b24696c68f70dc59b179292ae86962 |
| SHA512 | ec1132c4978c873a92ac2dfb1b08389d8a95991ddc523c712d9a01cc62d294dd9b7ed4ff1db8f1aff07b1ef83e54b571289cb31ae2f4b7be3948fc0d6d21a6d6 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\ProgramData\mozglue.dll
| MD5 | 260fedb490811b2298902e15b6706790 |
| SHA1 | 8faeae4d83c5e8fe171ef5f4808bbcb38c3caeaa |
| SHA256 | 8f604799a7e69c721d630926145e4a71127e7171b24c6f80c5101a7f382a163d |
| SHA512 | 49cace4f0836d8a28bf8161fd20824feab6243c229e31969051c5db843e1ce97aa51e01e16f0e2c6eb0648f5585707794c60bc8874606c01a621013a60a74aa4 |
C:\ProgramData\mozglue.dll
| MD5 | 62d20cbe49274db455f0f08878834f3f |
| SHA1 | 4965c0e50d29031852476420e8498efdf04193d0 |
| SHA256 | 18a4034d2410436c04b5e960ebe9dfb16c6278864d7aed4c6b19c885d14e9397 |
| SHA512 | 1edc2f63eeddcd008d083b8622cb585bf2bc2e6ea988956ce22091390e035e97774ed2080ed0052bef6f9fef7980061b2de63359ff58e2ae1e44074026bd446e |
C:\ProgramData\nss3.dll
| MD5 | 1ba9ebd610f47104bbfa25d479e6ef99 |
| SHA1 | 09dea6cf7d3b0de0df3e3650bc08520a417fc34e |
| SHA256 | 3e9cd9a267091b02efd370c3168fb72e94c9f36b3dfc5d85ae95f1287183ee11 |
| SHA512 | 69ac7f34ab0967461b695cc5b09f97d7b26c369b1d48db2a7b120c085d8283186634ab9da73ca2a0a6f77008978cfff70495470683673ae131f856e14d2a9a36 |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\d21cbe21e38b385a41a68c5e6dd32f4c.exe
| MD5 | 99bcd121f1a69f95b54054658ea0c385 |
| SHA1 | f59ddd8f0e45e7391202ee916c7fa8f110d824f2 |
| SHA256 | 1eb111b9af0547f42fbefafd4f7b9b2e5397cb840c69fbb88066c521a6d9761b |
| SHA512 | b07bbe22b3bba39acd55f0b7613228fe05da0fe48315285972d71a699c7e8cf1fff1ccef0e0ada2273f084e39485b6fdfb51acb941ed7eaf72fd6e2d7b38631e |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 3d086a433708053f9bf9523e1d87a4e8 |
| SHA1 | b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28 |
| SHA256 | 6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69 |
| SHA512 | 931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 07d67bebb189f40ffed616fb48646b27 |
| SHA1 | ff536dc7859f40de613827a419f29c47d21d0f71 |
| SHA256 | 1a821f2542099656dfbf9b81631621f0f884ea37833a1eeb390e5a5f133de69b |
| SHA512 | 6302ad34b659a9ea6aa3c05ced4ae6734803acc38beb2d16f3826461dec49a27d0be8dde77713e7f26917881fbbc9ef99affe7762c1e750c588822a4f5c125fa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 63976a44bc9e49ce0f0d7c596144e57d |
| SHA1 | cb7d80b0e57e6c00aaa7488edeb5c7e9e1160e99 |
| SHA256 | 98626ad2c871ab19d246f1824ec0f0e3761e359c10a7de8c739294711ac82eb2 |
| SHA512 | f49c8fdccc4203c2a638f14ab07c31067cea986147e18f327d09d29a3bafcbdc08b8956072ff72f6f6ee3e9d0b1fd20951a2fa4842ee676b5d1bbbfa6f0fc1aa |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | c4f25cb3490e39994d388911cffc36b3 |
| SHA1 | db5d3d7c19ceddf2f5da5e55430ad1d528c75946 |
| SHA256 | 5ee735c4f92a634e8fbc52f418b4e09b90331abc4063d53b791b400f39680421 |
| SHA512 | c7019b419ec026f33b010e28fca5773f2b64c855491aec260bc76223590a698594b37b86cc81de666ea0716d6a3d810f4ab924f30f6e52dcce4e0461f4e54450 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 1d7aea1e3f0cb09c1cbcc4e3e1335134 |
| SHA1 | 284e08856b27a574f2ebf37689b2fe7871b9dcc3 |
| SHA256 | 1e55e31a07e9e762a53291518dc4cc609046193b14e2a62f39d238168e844c91 |
| SHA512 | 6ada17a9259036371f53742e2ade4234c4e5eb0fe8473d8d79e3251da311ad5f826bd2211a04c28d84bc2ecd6b12ccd36361a5566c3dd483a6af5ca7304ce18d |
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
| MD5 | 048df2538cbe9339aab9070dbfb86690 |
| SHA1 | 5412f6830da92613670ed1b775733452f6feef26 |
| SHA256 | 01b0a676a6fa719840ee73a5dd4505f8e818ef5c04a1d3eb15fb531e3e879a72 |
| SHA512 | 165dde730074474544bd0e18467f260949d4cfb5d699424a22d5ac2ccfee2f8c3ecd9c6aa6c3c989579dd8ec33bbcab24760ca0e19a7ef15566d5908789c1d5c |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | e279f4a75e7e0207e6a717bfd6782ca1 |
| SHA1 | fa2389c3c37968da850a08ca19c73b541aa2fb1b |
| SHA256 | f11c3b3953e4d53170c67f25c2bedf307e990e01ea1a9a1eafeea4d4c5814cf5 |
| SHA512 | e85e5344dc5c1e9c103e9d045cbd0f0b1f91ae3d967f3c92fcd86c53535d4be68a54152befc634efd506087f70b73f42d11c2d7d24d9b2940f3f65d52a52f439 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | fe606b8e0b185bf7a862e12c12e0c937 |
| SHA1 | 09dded3e8fb620abd5df7288cb312ae1d5e85e81 |
| SHA256 | 44445dfa216c0003e19a2b69d16625b0f8915f7fe8b4c930dc63a6360fb94749 |
| SHA512 | 6225d0f2a64f49c11aa2283a02e8a8effcc1f8a5d854f960d288992dfe9996047291e0012392738064f0677290e63f7e73ad10d84078c76ce188bf001fb79130 |
C:\Windows\windefender.exe
| MD5 | 8e67f58837092385dcf01e8a2b4f5783 |
| SHA1 | 012c49cfd8c5d06795a6f67ea2baf2a082cf8625 |
| SHA256 | 166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa |
| SHA512 | 40d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec |